Event-Stream Backdoor Doesn't Mean Open-Source Community Failing at Security
(Page 2 of 2)
that the open-source community is actually pretty great at dealing with issues of security. Even though the attacker managed to compromise the component, their attack was discovered relatively quickly.
Once uncovered by the student researcher, the open-source community sprang into action. Word of the vulnerable component has made its way out to users throughout the industry at a rapid pace, and the users of the offending package are quickly upgrading to the unaffected version.
The solution to attacks like those on the supply chain is not locking down the community with harsh regulations in what amounts to an act of security theater. Instead, we need more engagement with the community, encouraging them to continue monitoring and maintaining projects. When issues—be they bugs or vulnerabilities—do arise, these talented volunteers are the ones to develop a fix.
At the end of the day, the community of developers care about the health of their ecosystem and are quite keen on policing it. Messing with this mechanism is unlikely to lead to a desirable outcome.
Where Do We Go From Here?
While attacks like event-stream are always a possibility, there are a couple of steps that we can take to improve our overall security.
The first is to know which components are being used in our products, including in dependencies. Developers love open source because it can be a quick fix, but far too often they fail to check if it has any known vulnerabilities associated with it. Nobody digs down to the dependencies. There are automated tools out there—including ones made by my company, WhiteSource Software—that can help to provide visibility into an organization’s open source usage and prevent vulnerable components from being used in a product.
If businesses are going to depend on open-source tools for their products, then perhaps more thought needs to go into how we give back to the open-source community. There are options, such as supporting open-source projects with sweat effort contributions by having company developers take the time to help maintain the code, and, at times, giving financial support as well. Companies should also give thought to what their responsibility is to their users when utilizing open-source components—and what measures they are taking to code securely.
Like any group, there will be bad apples out there looking to take advantage of a situation. But we should not overreact when incidents like these occur.