Open-Source Software Libraries security & Threat Intel sharing

Started in December 2021

The goal of the project is to collaboratively tackle the issue of Open-Source Software Libraries (henceforth OSSL) security. The project intends to identify security risks in the source code of OSSL used in PCSI partners’ applications by combining the output of different source code tests (static analysis, software component analysis, and fuzz testing techniques).  


The PCSI partners involved in the project will share knowledge of the testing techniques’ results, providing additional security attestation when using OSSL. Also, the PCSI partners in the project will analyze the identified risks and share Threat Intelligence (TI) amongst all other PCSI partners for further (security) policy development. Finally, PCSI core partners may decide to make results of analyses conducted within the project available upstream, thus sharing those back with the maintainers of OSSL where security risks will have been identified. Open-source communities may choose to use those results to fix and improve future versions of their OSSL. 

Innovative aspects  

  • The introduction of an array of software testing techniques which includes fuzzing tests in the software development lifecycle pipelines.  

  • The focus on stand-alone library fuzzing instead of application fuzzing. This is innovative because fuzzing is a relatively new technique that allows more thorough testing of source-code security, but one that is not always easy to implement in CI/CD pipelines.

  • Collaboration in lowering the threshold for PCSI partners when it comes to acquiring new skills and knowledge. 

  • Identifying vulnerabilities in commonly used OSSL collaboratively, whilst not hindering healthy competition in the market. 
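To make the "stand-alone library fuzzing" bullet concrete, the following is an added example (not PCSI project code and not taken from any OSSL): a minimal mutation-based fuzz harness that targets one library function directly, separates the library's documented error path from unexpected crashes, and deduplicates findings into a short report that a CI job could fail on. The library under test, `decode_frame`, is a constructed length-prefixed frame decoder written for this example; its hardened variant `decode_frame_checked` is shown beside it so the same harness demonstrates both a finding and a clean run.

```python
"""Added example (not PCSI project code): a minimal stand-alone library fuzz
harness of the kind that can run as one CI step. The library under test,
decode_frame, is constructed for this example and is not a real OSSL."""
import hashlib
import random
import traceback
from dataclasses import dataclass


def decode_frame(frame: bytes) -> bytes:
    """Constructed stand-in for a library API: decode [len][payload][xor checksum].

    Defect for the harness to find: the length byte is trusted without being
    checked against len(frame), so a frame that claims more payload than it
    carries raises IndexError at the checksum read instead of a clean error.
    """
    length = frame[0]
    payload = frame[1:1 + length]
    checksum = frame[1 + length]             # IndexError when length is a lie
    expected = 0
    for b in payload:
        expected ^= b
    if checksum != expected:
        raise ValueError("checksum mismatch")  # the documented error path
    return payload


def decode_frame_checked(frame: bytes) -> bytes:
    """Hardened variant: validate the length field before trusting it."""
    if len(frame) < 2 or len(frame) != 2 + frame[0]:
        raise ValueError("malformed frame")
    return decode_frame(frame)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations (flip, drop, insert, extend)."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:
            del data[rng.randrange(len(data))]
        elif op == 2:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        else:
            data.extend(bytes([rng.randrange(256)]) * rng.randint(1, 8))
    return bytes(data)


@dataclass
class Finding:
    exc_type: str
    location: str   # "function:line" of the innermost frame
    sample: bytes   # reproducer input, kept so the crash can be replayed


def fuzz(target, seeds, iterations=2000, expected=(ValueError,), rng_seed=1):
    """Run target() on mutated seeds; report exceptions the library does not document.

    Findings are bucketed by (exception type, crash site) so a CI run produces a
    short, deduplicated list rather than thousands of near-identical crashes.
    """
    rng = random.Random(rng_seed)   # fixed seed keeps CI runs reproducible
    corpus = list(seeds)
    findings = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            target(sample)
        except expected:
            continue                # a clean, documented rejection
        except Exception as exc:
            site = traceback.extract_tb(exc.__traceback__)[-1]
            where = f"{site.name}:{site.lineno}"
            key = f"{type(exc).__name__}@{where}"
            bucket = hashlib.sha256(key.encode()).hexdigest()[:12]
            findings.setdefault(bucket, Finding(type(exc).__name__, where, sample))
    return findings


# Constructed seed: a valid frame with length 3, payload "abc", xor checksum 0x60.
SEED = bytes([3]) + b"abc" + bytes([0x61 ^ 0x62 ^ 0x63])

if __name__ == "__main__":
    for name, fn in (("decode_frame", decode_frame),
                     ("decode_frame_checked", decode_frame_checked)):
        found = fuzz(fn, [SEED])
        print(f"{name}: {len(found)} unexpected crash bucket(s)")
        for bucket, f in found.items():
            print(f"  {bucket} {f.exc_type} at {f.location} input={f.sample!r}")
```

The harness only reports exception types the library does not document (here, anything other than `ValueError`), which is what turns a fuzz run into a CI gate: the unchecked decoder yields an `IndexError` bucket with a reproducer input, while the checked variant runs the same iterations without findings. A real coverage-guided fuzzer adds corpus growth and instrumentation, but the wrapper-per-library shape, the fixed seed for reproducibility and the crash-site bucketing are the same pieces a pipeline needs.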

Solutions

The solution the project aims to deliver will provide reliable TI on OSSL. This TI would include the security risks associated with specific OSSL and provide relevant, actionable information on test configurations that yield efficient results when testing OSSL. The feedback loop towards the open-source software community would eventually lead to faster patching, resulting in better long-term maintenance and security of OSSL.

Intended end result

At the end of the project, each PCSI partner will have a very good understanding of the risks of using OSSL and will have improved knowledge and skills in fuzzing. As a result, exposure to security risks is reduced and the security quality of all the PCSI partners' software products in which OSSL are used has improved. While it is possible that no zero-day vulnerabilities will be found in OSSL while the project is running, the TI sharing platform that will be set up will be put into production at the PCSI partners. Using this platform, Threat Intelligence will be shared on which OSSL are safe to use.

 

Picture source: www.vecteezy.com

This project is part of the trend: Increasing dependency on open source libraries and software (38, Opportunity and threat, March 2022)

Open-source software is becoming increasingly popular, as it can improve module communication and combat vendor lock-in; most often it is used by including open-source libraries in software applications. Open source, however, also affects security: on the one hand, public scrutiny can improve the security of a library, while on the other hand, open-source projects can more easily be infiltrated by malicious participants who try to add malicious code to libraries. For example, it was recently detected that Log4j, an open-source logging library, had severe security issues. If such issues are left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software or conduct espionage.
PCSI is a collaboration of ABN-AMRO, Achmea, ASML, Belastingdienst, ING and TNO.