Open-Source Software Libraries Security & Threat Intel Sharing

Started in August 2023

The goal of the project is to collaboratively tackle the issue of Open-Source Software Libraries Security (henceforth OSSLS). The project intends to identify security risks in the source code of open source software libraries used in PCSI partners’ applications by combining the output of different testing techniques (static analysis, software component analysis, and fuzz testing). 


The PCSI partners involved in the project will share knowledge of the testing techniques’ results, providing additional security attestation when using open source software libraries. Also, the PCSI partners in the project will analyze the identified risks and share Threat Intelligence (TI) amongst all other PCSI partners for further policy development. Finally, PCSI core partners may decide to make results of analyses conducted within the project available upstream, thus sharing those back with the maintainers of these open source software libraries, where security risks will have been identified. Open-source communities may choose to use those results to fix and improve future updated versions.  

Innovative aspects   

  • The introduction of an array of software testing techniques, including fuzzing, into software development lifecycle pipelines.

  • Collaboration in lowering the threshold for PCSI partners when it comes to acquiring new skills and knowledge.  

  • Identifying vulnerabilities in commonly used open source software libraries collaboratively, whilst not hindering healthy competition in the market.  

Solutions 

The project aims to deliver a solution which will provide a reliable way to increase software quality and increase security. This solution would provide actionable information on which test configurations yield efficient results when testing open source software libraries. The feedback loop towards the open-source software community would eventually lead to faster patching, resulting in better long-term maintenance and security of open source libraries.

Intended end result 

At the end of the project, each PCSI partner will have a good understanding of the risks of using open source libraries and improved knowledge and skills about an array of software testing techniques, including fuzzing. As a result, the exposure to security risks is reduced and the quality of all the PCSI partners' software products in which open source libraries are used has significantly improved. Even if no zero-day vulnerabilities are found in these libraries while the project is running, the TI sharing platform that will be set up will be put into production at the PCSI partners. Using this platform, Threat Intelligence will be shared on which OSSLS are safe to use.


Picture source: www.vecteezy.com

This project is part of the trend: 38 Opportunity and threat (March 2024)

Increasing dependency on open source libraries and software

Open-source software is becoming increasingly popular, as it can improve module communication and combat vendor lock-in; the form in which it is used most often is the inclusion of open source libraries in software applications. Open source, however, has effects on security: on one hand, public scrutiny can improve the security of a library, while on the other hand, open-source projects can more easily be infiltrated by malicious participants who try to add malicious code to libraries. For example, it was recently detected that Log4j, an open-source logging library, had severe security issues. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software or conduct espionage.

PCSI is a collaboration of ABN-AMRO, Achmea, ASML, Belastingdienst, ING and TNO.