Open-Source Software Libraries security & Threat Intel sharing

Started in December 2021

The idea of this project is to collaboratively tackle the security of Open Source Software Libraries (henceforth OSSLs). The project will apply fuzz testing to OSSLs that are used in some of the PCSI partners' applications, in order to identify security risks in the source code of those libraries.

https://pcsi.nl/uploads/projects/OSSLS-1920x1080-vecteezy.jpg

In the end, we will share the fuzzing results and the knowledge gained from them, providing additional security assurance for teams that use these OSSLs. We will analyze the identified risks and share Threat Intelligence (TI) among all PCSI partners as input for further policy development. Finally, we will also report the results of our analyses upstream to the maintainers of the OSSLs in which security risks have been identified, so that the open source communities can use the TI to improve future versions of the libraries.

Innovative aspects

The most innovative aspect of the project is the introduction of fuzz testing in the development pipelines. In addition, we focus on stand-alone library fuzzing instead of application fuzzing; this is also innovative because it allows more thorough testing of the security of the individual "building blocks" in the PCSI partners' applications. Fuzzing is not easy: collaboration lowers the threshold for PCSI partners to gain access to new skills and knowledge. Identifying vulnerabilities in commonly used OSSLs also benefits a large group of companies without hindering competition in the market.

Solutions

The project aims to provide reliable Threat Intelligence on OSSLs. This includes the security risks associated with specific OSSLs, as well as relevant and actionable information on which test tooling and configurations yield the best or most efficient results when fuzzing OSSLs. The feedback loop to the open source software community should also lead to faster patching and thus better long-term maintenance of OSSLs.

Intended end result

At the end of the project, each PCSI partner has a very good understanding of the risks of using OSSLs and has improved knowledge and skills in fuzzing. As a result, the exposure to security risks is reduced and the security quality of all the PCSI partners' software products in which OSSLs are used has improved. While it is possible that no zero-day vulnerabilities will be found in OSSLs while the project is running, the TI sharing platform that will be set up will be put into production at the PCSI partners. Using this platform, Threat Intelligence will be shared on which OSSLs have been fuzzed, with which configuration, and what was found, so that partners can judge whether a library is safe enough to use.

Project results

Activities in the Explore phase

In the course of the Explore phase, we were not only able to validate the assumptions of the Ideation phase, but we also identified a number of additional reasons for collaboration:

  • establishing a set of guidelines and practical recommendations for joint testing of OSSLs
  • enabling PCSI partners to become more acquainted with the possibilities of a shared TI platform

We explored what is needed to start fuzzing OSSLs in stand-alone mode, how to analyze fuzzing results, and which data models to use for sharing both fuzzing configuration settings and the Threat Intelligence data derived from the analyzed fuzzing results.

Activities in the Proof of Concept phase

During the PoC phase, TNO experts will set up a pipeline for stand-alone fuzz testing of different OSSLs in at least three programming languages (Python, C#, and Java), selected as the most relevant for the internally developed software applications of the PCSI partners. During testing, TNO experts will share the configuration settings used for each fuzzing run, together with its results, with the whole project team. The team will analyze these results and make the entire dataset of settings and results available in a PoC of a Threat Intelligence platform that is accessible to all PCSI partners.
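As an added illustration of the two ideas above (a harness that fuzzes a library function directly rather than through an application, and a shareable record of the fuzzing configuration plus findings), here is example code written for this page. It is not TNO's or the project's pipeline and is not tied to any real OSSL: the target `parse_headers` is a small constructed parser with a deliberate robustness bug, and the mutation strategies, the crash signature, and the JSON record layout are assumptions made for the example.

```python
"""Stand-alone library fuzz harness that emits a shareable result record.

Added example, not project code. The target below is a constructed
mini-library whose bug the harness is expected to find.
"""
import json
import random
import traceback


# --- constructed target: a small "library" function with a robustness bug ---
def parse_headers(data: bytes) -> dict:
    """Parse 'Name: value' lines. An empty name raises ValueError (documented).
    A non-empty line without ':' reaches parts[1] and raises IndexError (the bug)."""
    headers = {}
    for line in data.split(b"\n"):
        if not line.strip():
            continue
        parts = line.split(b":", 1)
        name = parts[0].strip()
        if not name:
            raise ValueError("empty header name")
        headers[name.decode("utf-8", "replace")] = parts[1].strip().decode("utf-8", "replace")
    return headers


# Exceptions the library documents as its normal failure mode are not findings.
EXPECTED = (ValueError,)
INTERESTING = [b"\x00", b"\xff" * 4, b":", b"\n", b" "]   # assumed token list
MAX_LEN = 256


def mutate(rng, data):
    """One random mutation of a corpus entry: delete, bit-flip, insert, or truncate."""
    b = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and b:                       # delete a byte
        del b[rng.randrange(len(b))]
    elif choice == 1 and b:                     # flip one bit
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif choice == 2:                           # insert an interesting token
        i = rng.randrange(len(b) + 1)
        b[i:i] = rng.choice(INTERESTING)
    else:                                       # truncate
        b = b[: rng.randrange(len(b) + 1)]
    return bytes(b[:MAX_LEN])


def crash_signature(target, data):
    """Return (exception type, function, line) if the target crashes, else None."""
    try:
        target(data)
    except EXPECTED:
        return None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]   # innermost frame
        return (type(exc).__name__, frame.name, frame.lineno)
    return None


def minimize(target, data, sig):
    """Greedy one-byte deletion while the crash signature stays the same."""
    i = 0
    while i < len(data):
        cand = data[:i] + data[i + 1:]
        if crash_signature(target, cand) == sig:
            data = cand
        else:
            i += 1
    return data


def fuzz(target, corpus, iterations=2000, seed=1):
    """Mutate corpus entries, collect one minimized input per distinct crash,
    and return a record that captures both the configuration and the findings."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        sig = crash_signature(target, data)
        if sig and sig not in findings:
            findings[sig] = minimize(target, data, sig)
    return {
        "target": target.__name__,
        "config": {"seed": seed, "iterations": iterations, "max_len": MAX_LEN,
                   "corpus": [c.hex() for c in corpus]},
        "findings": [
            {"exception": s[0], "function": s[1], "line": s[2], "input_hex": d.hex()}
            for s, d in findings.items()
        ],
    }


if __name__ == "__main__":
    report = fuzz(parse_headers, [b"Host: example\nAccept: */*\n"])  # constructed seed corpus
    print(json.dumps(report, indent=2))
```

The record keeps the seed, iteration count and corpus next to the findings so that another partner can reproduce a run before acting on it; a finding is the minimized input plus the exception type and location, which is what an upstream maintainer needs. A real pipeline would replace the random mutator with a coverage-guided engine (for Python, Atheris; the same harness-per-library pattern applies in Java and C#) and add timeouts to catch hangs as well as crashes.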

Picture source: www.vecteezy.com

This project is part of the trend "Increasing dependency on open source libraries and software" (Opportunity and threat, March 2022)

Open-source software is becoming increasingly popular, as it can improve interoperability between components and combat vendor lock-in; the most common form of use is to include open-source libraries in software applications. Open source, however, cuts both ways for security: on one hand, public scrutiny can improve the security of a library, while on the other hand, open-source projects can more easily be infiltrated by malicious participants who try to add malicious code to libraries. A vulnerability in a widely used library is also a widely shared problem: in December 2021, Log4j, an open-source logging library, was found to have a severe vulnerability (Log4Shell, CVE-2021-44228) that allowed remote code execution. If such flaws are left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software or conduct espionage.
PCSI is a collaboration of ABN-AMRO, Achmea, ASML, Belastingdienst, ING, TNO and Volksbank.
This project is co-funded by Holland High Tech with a PPP Grant for Research and Innovation in Top Sector HTSM. © 2023 Partnership for Cyber Security Innovation