Beware of open source software security.
What's not to like about people pulling together for the common good of building software, software that you can get for free? If you have a good idea, you can build it, release it to the world, and typically other people will help you make it better over time. This is the utopian vision open source proponents have advocated for years. And in a big way, they've succeeded. Open source software can be found anywhere there are computers in large enterprises: it powers a large part of the financial industry and of the life sciences industry, it's training autonomous vehicles, and it's even used in top secret U.S. intelligence agencies like the CIA. Open source software is so widely used that you'd be hard pressed to find an IT professional in a large organization anywhere that isn't using a fair amount of it throughout their operation.
But not everything about open source is perfect. The problem is that so many open source software libraries and components get reused over and over. The end result is that vulnerable code ends up all over the place, exposing applications and devices that may have practically no relationship to each other to attack. Reusable software leads to vulnerabilities that are re-created over and over. One example is Apache Struts, an open source framework for creating Java web applications. A lot of companies use it to build parts of their online storefronts. Among the many companies using it was the credit reporting firm Equifax, where hackers exploited a vulnerability in Struts and stole data on 150 million consumers.
Another example is KRACK, which affected open source code used on many different models of Wi-Fi routers. The security flaw is in the Wi-Fi standard itself, not in implementation errors by individual products or manufacturers, so any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. The widely used open source implementation wpa_supplicant, used by Linux and Android, is especially susceptible since it can be manipulated to install an all-zero encryption key, effectively neutralizing WPA2 protection in a man-in-the-middle attack.
A third example is Apache Commons Collections (ACC), a component that's widely used in Java applications. Veracode found that more than half of Java applications relied on versions of the component containing a vulnerability, the one that left San Francisco's Muni rail system open to a ransomware attack.
The fundamental problem with open source software is that people assume that if there's a problem in an open source application, someone, somewhere will fix it. There's no accountability in the open source world. Many of the tools and libraries in use have security issues. In a study of 1,000 commercial applications by Black Duck Software, 96 percent contained open source components, and 67 percent contained components with documented vulnerabilities, some of which have been known for four years or more. With no central tool chain or even a central set of policies, the onus is on the community itself.
To make matters worse, the bad guys have figured out that they can poison the open source software well. There are numerous instances of malware being pushed directly into the open source ecosystem. Hackers are "typo squatting": creating packages with names that are only slightly different from popular ones found on the npm repository. In another case, authorities in Slovakia found tainted packages in the official repository for the Python programming language. There are cases where people have caught backdoors being inserted into packages.
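As an added illustration of the typo squatting risk described above (this is example code, not part of the original article or any registry's tooling), here is the kind of pre-install check a defender can run over a project's dependency list: each requested name is compared by edit distance against an allowlist of popular package names, and anything that is close to a popular name without being it is flagged. The allowlist and the dependency map are constructed for the demo; in practice the allowlist would be built from the registry's download statistics.

```python
"""Flag dependency names that look like typosquats of popular packages."""
from typing import Dict, List, Optional, Sequence

# Constructed sample allowlist (assumption: a real one would come from
# registry download statistics, not a hand-written list).
POPULAR_PACKAGES = ["lodash", "express", "request", "react", "chalk", "commander"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Treat case and separators as equivalent so 'lo-dash' matches 'lodash'."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def suspicious_match(name: str, popular: Sequence[str] = POPULAR_PACKAGES,
                     max_distance: int = 2) -> Optional[str]:
    """Return the popular package that `name` resembles, or None when the
    name either is a popular package or is not close to any of them."""
    if name in popular:
        return None
    best: Optional[tuple] = None
    for p in popular:
        d = levenshtein(normalize(name), normalize(p))
        if d <= max_distance and (best is None or d < best[1]):
            best = (p, d)
    return best[0] if best else None


def audit_dependencies(deps: Dict[str, str]) -> List[str]:
    """Names from a package.json-style dependency map that resemble a
    popular package without being it, in declaration order."""
    return [name for name in deps if suspicious_match(name) is not None]


# Constructed dependency map with two near-miss names mixed in.
SAMPLE_DEPS = {"lodash": "^4.17.21", "expres": "^4.18.0", "lodahs": "1.0.0",
               "react": "^18.2.0", "cross-env": "7.0.3"}

if __name__ == "__main__":
    for bad in audit_dependencies(SAMPLE_DEPS):
        print(f"{bad}: resembles popular package {suspicious_match(bad)}")
```

A fixed distance threshold over-flags very short names, so a deployed check would scale the threshold with name length and exempt names that already appear in the project's lockfile.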