An analysis by the Linux Foundation, OpenSSF and Harvard University found that there continue to be significant cybersecurity risks in open source software practices
Analysis Summary
# Main Topic
Significant cybersecurity risks persist within open source software (FOSS) practices, as revealed by the CENSUS III project conducted by the Linux Foundation, OpenSSF, and Harvard University, based on analyzing 12 million observations from over 10,000 companies.
## Key Points
- **Outdated Language Dependence:** High proportions of organizations still rely on unsupported and insecure legacy software, specifically Python 2, across sectors like data analysis (29%), computer graphics (24%), and DevOps (23%).
- **Lack of Naming Standardization:** The continued absence of a standardized, widely used naming scheme for software components impedes global communication and limits the effectiveness of supply chain security measures like Software Bills of Materials (SBOMs).
- **Concentrated Security Ownership:** The security management of FOSS projects is heavily reliant on a very small number of contributors: 17% of projects had one developer responsible for over 80% of commits in 2023.
- **Individual Account Risk:** Many packages are hosted under individual developer accounts, which often lack robust security controls like Multifactor Authentication (MFA) and detailed permissioning, increasing the risk of account takeovers (ATOs).
- **Legacy Software Persistence:** Older software remains prevalent because replacement packages often have different APIs and functionality, which makes migration costly; over time, fewer developers remain to maintain security updates for the legacy packages.
- **Positive Trend Noted:** There has been a 500% surge in the adoption of the Rust programming language since CENSUS II, indicating progress toward using memory-safe languages.
## Threat Actors
- **Attribution:** No specific malicious threat actors or campaigns were identified; the focus is on inherent structural security risks within the FOSS development and maintenance ecosystem.
- **Associated Groups:** N/A
## TTPs
- **Techniques Observed:** Over-reliance on software versions that are no longer supported (e.g., Python 2).
- **Vulnerabilities Exploited:** The continued use of unsupported software exposes systems to known vulnerabilities for which patches are no longer released.
- **Attack Vectors:** Account takeover (ATO) targeting individual developer accounts appears to be an increasing threat vector due to insufficient security measures on those accounts.
## Affected Systems
- **Technologies:** Free and Open Source Software (FOSS) libraries widely used in production applications.
- **Specific Instances:** Python 2 environments in data analysis, computer graphics, and DevOps sectors.
- **Scope of Impact:** Over 10,000 companies utilizing the observed FOSS libraries.
## Mitigations
- **Language Migration:** Organizations must accelerate the transition away from legacy, unsupported languages like Python 2 towards supported versions or memory-safe languages like Rust.
- **Standardization Adoption:** Widespread adoption of a standardized software component naming scheme is critically needed to enable effective communication and security reporting (e.g., SBOM processing).
- **Account Security:** Implement strict security policies (e.g., MFA, granular permissioning) for developer accounts hosting FOSS packages, shifting away from the common practice of hosting critical components under personal accounts.
- **Contributor Diversity:** Organizations dependent on specific projects should identify and support efforts to increase developer contribution diversity to mitigate risks associated with singular points of failure.
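One way to operationalize the contributor-concentration finding above (17% of projects with a single developer behind over 80% of commits) is to measure it on your own dependencies. The script below is an added example, not tooling from the Census III report: it parses the text printed by `git shortlog -s -n --no-merges` for a repository, reports the top contributor's share of commits and how many contributors are needed to cover half of all commits, and flags the project when the share exceeds the 80% threshold. The sample shortlog output and author names are constructed.

```python
"""Flag projects whose commits are dominated by one contributor (added example,
not tooling from the Census III report). Input is the text printed by
`git shortlog -s -n --no-merges`; the 80% default mirrors the report's finding."""
import re
from typing import NamedTuple

SHORTLOG_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


class ConcentrationReport(NamedTuple):
    total_commits: int
    top_author: str
    top_share: float    # fraction of commits made by the top contributor
    half_coverage: int  # contributors needed to reach at least 50% of commits
    dominated: bool     # True when top_share exceeds the threshold


def parse_shortlog(text: str) -> list[tuple[str, int]]:
    """Parse `git shortlog -s -n` lines into (author, commits), highest first."""
    counts = []
    for line in text.splitlines():
        m = SHORTLOG_LINE.match(line)
        if m:
            counts.append((m.group(2), int(m.group(1))))
    return sorted(counts, key=lambda ac: ac[1], reverse=True)


def assess_concentration(text: str, threshold: float = 0.80) -> ConcentrationReport:
    counts = parse_shortlog(text)
    if not counts:
        raise ValueError("no contributors parsed from shortlog output")
    total = sum(n for _, n in counts)
    top_author, top_n = counts[0]
    cumulative = needed = 0
    for _, n in counts:  # count contributors until half of all commits is covered
        cumulative += n
        needed += 1
        if cumulative * 2 >= total:
            break
    share = top_n / total
    return ConcentrationReport(total, top_author, share, needed, share > threshold)


# Constructed sample shaped like `git shortlog -s -n --no-merges` output
# (bot accounts are counted as contributors here; filter them in real use).
SAMPLE_SHORTLOG = "   412\tAlice Example\n    31\tBob Example\n     7\tdependabot[bot]\n"

if __name__ == "__main__":
    r = assess_concentration(SAMPLE_SHORTLOG)
    print(f"{r.top_author}: {r.top_share:.1%} of {r.total_commits} commits; "
          f"{r.half_coverage} contributor(s) cover 50%; dominated={r.dominated}")
```

Run it over the shortlog of each dependency you pin (optionally with `--since=2023-01-01` to match the report's yearly view) and treat a flagged project as a single point of failure to support or plan around.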
## Conclusion
The report highlights systemic weaknesses in the FOSS supply chain rooted in outdated technology, poor standardization, and over-reliance on individual contributors. While the adoption of memory-safe languages like Rust shows promise, organizations must immediately address the risks posed by maintaining unpatched legacy components and insecure individual developer infrastructure to effectively secure their software supply chains.