Open-Source Software Libraries security & Threat Intel sharing

In the end, we will share knowledge of fuzzing results providing additional security attestation when using OSSLs. We will analyze the identified risks and share Threat Intelligence (TI) among all PCSI partners for further policy development. Finally, we will also share the results of our analyses upstream with the maintainers of the OSSLs in which security risks have been identified, allowing the open source communities to use the TI to improve future versions of the libraries.

Innovative aspects  

 The most innovative aspect of the project is the introduction of fuzzing tests in the development pipelines. In addition, we will focus on stand-alone library fuzzing instead of application fuzzing; this is also innovative because it allows for a more thorough testing of the security of the individual "building blocks" in the application of the PCSI partners. Fuzzing is not easy. Collaboration lowers the threshold for PCSI partners to gain access to new skills and knowledge. Also, identifying vulnerabilities in commonly used OSSLs is something that benefits a large group of companies, while at the same time not hindering competition in the market.

Solutions

The project aims to provide reliable Threat Intelligence on OSSLs. This could include security risks associated with specific OSSLs and providing relevant and actionable information on which test solutions and/or configurations yield the best or most efficient results when fuzzing OSSLs. Also, the feedback loop to the open source software community should lead to faster patching resulting in better long-term maintenance of OSSLs.

Intended end result

At the end of the project, each PCSI partner has a very good understanding of the risks of using OSSL and has improved knowledge and skills about fuzzing. As a result, the exposure to security risks is reduced and the security quality of all the PCSI partners' software products in which OSSL is used has improved. While it is possible that no zero-day vulnerabilities will be found in OSSL while the project is running, the TI sharing platform that will be set up will be put into production at the PCSI partners. Using this platform, Threat Intelligence will be shared on which OSSLS are safe to use.

Activities in the Explore phase

In the course of the Explore phase, we were not only able to validate the assumptions of the Ideation phase, but we also identified a number of additional reasons for collaboration: 

• establishing a set of guidelines and practical recommendations for joint testing of OSSLs 
• enabling PCSI partners to become more acquainted with the possibilities of a shared TI platform

We explored what was needed to start fuzzing OSSLs in stand-alone mode, how to analyze fuzzing results, which data models to use for sharing fuzzing configuration settings as well as Threat Intelligence data derived from the analyzed fuzzing results.

Activities in the Proof of Concept phase    

During the PoC phase, TNO experts will set up a pipeline for stand-alone Fuzzing testing of different OSSLs in at least three different programming languages (Python, C#, and Java) that we have selected as being relevant enough with respect to the internally developed software applications of the PCSI partners. During testing, TNO experts will share the configuration settings used for each specific fuzzing test carried out and the results of this with the whole project team. The team will analyze these results and make the entire dataset of settings and results available in a PoC of a Threat Intelligence platform that should be available to all PCSI partners.

Picture source: www.vecteezy.com