In the face of economic headwinds and a worsening problem with code vulnerabilities, 2022 was still a successful year for open source and The Linux Foundation (LF).
Leadership and security in innovation chart the theme of the LF’s year in review for open source. Contributors to LF’s projects, and open source in general, comprise the largest distributed engineering workforce globally, according to Jim Zemlin, executive director of the LF.
The year in review boils down to one major factor: Did the LF’s global impact on open source through innovation and better security move the needle? The 140-page report stockpiles facts and examples about the performance of open-source technology worldwide, along with countless examples of the vast organization’s prominence.
The result was a breakout year for the foundation on both fronts. In the past year, the organization has entered a golden age of open-source innovation, with the foundation guiding new entrants and paving the way for collaboration on new fronts, according to Nithya Ruff, chair of LF’s board of directors and lead of the Open Source Program Office (OSPO) at Amazon.
Risks, Vulnerabilities, Attacks
Another recent report about growing security risks could tarnish the high marks LF officials assigned to the progress and innovation open source provides. Excessive code vulnerabilities are shaking the foundation of trust and reliability, which are hallmark elements for open-source users.
Software application security firm Mend (formerly WhiteSource) in December released its Open Source Risk Report that reveals the significant risk posed by the ongoing rise in open-source vulnerabilities and software supply chain attacks.
According to this report, the number of open-source vulnerabilities Mend researchers identified and added to its vulnerability database in the first nine months of last year was 33% greater than the previous year. As businesses continue to rely heavily on open-source applications, this growing threat is a mounting concern.
Growth Year in Review
The Linux Foundation is now the leading player in the open standards space, with over 200 open standards efforts across numerous industries. The organization added 79 new projects and shipped 52.6 million lines of code weekly across more than 12,000 repositories.
Open-source users downloaded 12.6 billion containers, and in-person activities bounced back strongly. LF gathered over 92,000 people from 176 countries and over 12,000 organizations at 230 official events, setting a new attendance record. Lastly, it convened over 29,000 community meetings.
Financially, LF is more stable than ever, with revenues increasing. No single member company represents more than 1% of its total revenues. In 2022 it set a new membership record of over 3,000 organizations.
Throughout last year, over 2.7 million people received training and certifications from the Linux Foundation. Add to those newcomers some 605,000 technical contributors working on LF projects.
The report notes the importance and popularity of LF’s security training. Over 10,000 people signed up for a free open-source security training course on release day.
Based on the global averages of programmer salaries, that open-source people power amounts to a $26 billion contribution in developer time in 2022. Contributors to Linux Foundation projects and open source, in general, comprise the largest distributed engineering workforce globally by orders of magnitude.
Facing the Challenges Ahead
According to LF’s report, cybersecurity and techno-nationalism continued to pose challenges last year to the ongoing growth and adoption of open source. In cybersecurity, the imperative of securing the open-source supply chain and assuring that open-source code is safe has become a matter of international concern.
The LF report devoted a significant section to cybersecurity and supply chain specifics. It committed to reducing, this year, the severity and urgency of the problem within the open-source community, and it laid out key objectives beyond massive education efforts.
The organization spent a large part of the year working on building a community around the urgent task of securing open-source software (OSS) and the sustainability of the ecosystem.
Those efforts involved working with the Open Source Security Foundation (OpenSSF), OpenChain, support for the Software Package Data Exchange (SPDX), an open standard for communicating software bill of materials (SBOM) information, and other cybersecurity activities.
LF last year focused on three key priority areas:
1. Improving security and the OSS ecosystem;
2. Closing talent shortages through improved training and educational initiatives; and
3. Imparting the value of openness and the importance of the community.
Report Reveals Remediation Gap
Mend’s research, sampling 1,000 North American companies, found that only 13% of vulnerabilities seen were remediated, compared with 40% remediated by those using modern application security best practices.
Open-source code is in 70% to 90% of applications today. The report noted that more companies find themselves vulnerable to attacks as threat actors take advantage of the remediation gap.
Malicious package attacks are also on the rise, according to the Mend report. Data from the company’s security products shows a steady quarterly increase, including a 79% jump from Q2 to Q3 last year. More packages today contain telemetry, which enables data collection, and some malicious packages are now built into a supply chain, such as when legitimate content has a dependency containing malicious code.
“As security debt continues to rise, it is crucial to find a way to prioritize the vulnerabilities that pose the highest risk to avoid falling victim to an attack,” said Jeffrey Martin, vice president of product management at Mend.
He added that remediation tools to assess and prioritize the vulnerabilities that can most heavily impact systems are an important element in managing security debt.
“Organizations should not just pay attention to severity details, though. To ensure effective prioritization and remediation, they need to also look at the exploitation context of flaws on their own and in conjunction with others.”
Seemingly Unwinnable Challenge
The bottom line is that teams are overwhelmed with too many vulnerabilities classified as critical. Teams lack a way to prioritize them correctly, offered Mark Lambert, vice president of products at security provider firm ArmorCode.
Organizations should address this issue by understanding the context of the vulnerability and prioritizing appropriately, he offered. For instance, is the vulnerability associated with an internet-facing or business-critical application?
Other factors that raise or lower remediation priority include whether the CVE appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, whether it is the subject of active chatter among attackers, and whether it is trending on social media.
“Threat actors are highly automated, being able to run thousands of scenarios against a target in just a few minutes. The risk is that a truly critical vulnerability slips through the cracks and gets exploited by an organized and efficient threat actor,” Lambert told LinuxInsider.
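The contextual prioritization Martin and Lambert describe (severity plus exploitation context such as KEV membership, internet exposure and business criticality) can be written down as a small scoring pass. The following is an added example, not code from Mend, ArmorCode or the Linux Foundation; the weights, the "CVE-EXAMPLE-*" labels, the asset names and the KEV snapshot are all constructed placeholders, and a real deployment would load the KEV feed and asset inventory from elsewhere.

```python
"""Context-aware vulnerability prioritization.

Added example (not code from Mend, ArmorCode, or the Linux Foundation).
It re-ranks findings by combining CVSS severity with exploitation context:
CISA KEV membership, internet exposure, business criticality, and whether
the vulnerable code path is reachable at all. All CVE labels, assets,
weights and the KEV snapshot below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder label, not a real CVE ID
    cvss: float              # CVSS base score, 0.0-10.0
    asset: str
    internet_facing: bool
    business_critical: bool
    reachable: bool = True   # is the vulnerable code path actually invoked?


# Constructed stand-in for a KEV feed snapshot (assumption: fetched elsewhere).
KEV_SNAPSHOT: Set[str] = {"CVE-EXAMPLE-0002"}

# Constructed sample findings: a "critical" on an internal batch job, a "high"
# that is known-exploited on a public app, an unreachable critical, and a
# medium on a public API.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", 9.8, "internal-batch-job", False, False),
    Finding("CVE-EXAMPLE-0002", 7.5, "public-web-app", True, True),
    Finding("CVE-EXAMPLE-0003", 9.1, "internal-reporting", False, True, reachable=False),
    Finding("CVE-EXAMPLE-0004", 6.5, "public-api", True, False),
]

# Tunable weights (assumptions chosen for illustration, not from any report).
KEV_BONUS = 4.0            # known exploited in the wild: treat as weaponized
EXPOSURE_MULTIPLIER = 1.5  # reachable from the internet
CRITICALITY_BONUS = 2.0    # business-critical asset
UNREACHABLE_FACTOR = 0.25  # vulnerable function is never called


def risk_score(f: Finding, kev: Set[str]) -> float:
    """Start from severity, then adjust for exploitation context."""
    score = f.cvss
    if f.cve in kev:
        score += KEV_BONUS
    if f.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    if f.business_critical:
        score += CRITICALITY_BONUS
    if not f.reachable:
        score *= UNREACHABLE_FACTOR
    return score


def tier(score: float) -> str:
    """Map a context-adjusted score onto a remediation tier."""
    if score >= 15.0:
        return "P1"
    if score >= 9.0:
        return "P2"
    if score >= 5.0:
        return "P3"
    return "P4"


def prioritize(findings: Iterable[Finding], kev: Set[str]) -> List[Tuple[Finding, float, str]]:
    """Return (finding, score, tier) triples sorted highest-risk first."""
    scored = []
    for f in findings:
        s = risk_score(f, kev)
        scored.append((f, s, tier(s)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for f, s, t in prioritize(SAMPLE_FINDINGS, KEV_SNAPSHOT):
        print(f"{t} {s:6.2f} {f.cve:18} cvss={f.cvss} asset={f.asset}")
```

Run stand-alone, the known-exploited "high" on the public app ranks first, the CVSS 9.8 internal finding and the medium on the public API land in the same tier, and the unreachable "critical" drops to the bottom, which is the re-ranking the quoted experts are arguing for. The weights are the part a team would calibrate against its own environment.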
Slow Reaction Impacts Cybersecurity Success
Open source vulnerabilities take teams time to resolve for a few reasons, added Travis Smith, vice president for the threat research unit at Qualys. The window of exposure runs from the moment a vulnerability is weaponized until the organization is able to patch it.
“During this window, threat actors can take advantage of these vulnerabilities. Those vulnerabilities exposed to the internet directly are most at risk, but so are others which are often taken advantage of for phishing,” Smith told LinuxInsider.
Often, no path to automated remediation exists, and automation is a critical driver in bringing down mean time to remediation and raising patch rates for vulnerabilities.
These types of vulnerabilities are often embedded within other software programs. Smith explained that they are harder to discover than vulnerabilities in standalone programs like Windows or Chrome.
Two steps address this issue, Smith offered. One, know where vulnerabilities are in your organization with a vulnerability management product. Two, maintain effective communication between the vulnerability team and the operations team so that patches can be rolled out in a timely manner, especially for those vulnerabilities that introduce the most risk to the organization.