...
Businesses using open source need to react faster. Log4J and HeartBleed are being used as examples of open source vulnerability risks but it must be remembered that once these issues were reported to their respective projects they were dealt with quickly and efficiently. An update correcting HeartBleed was released within a week of notification of the issue to OpenSSL and prior to any exploitation. An update mitigating the Log4J vulnerability was released two weeks after notification to the Apache Software Foundation (with the release escalated and published a day after it was found to be being exploited in the wild). Both of these vulnerabilities were also examples which required skilled human researchers to discover and were not detected by automated tools.
What caused these, and other vulnerabilities, such as the Apache Struts issue in 2017, to be widely exploited was a failure of businesses mitigate in a timely manner: either by updating to a new release or applying mitigations.
While part of the solution may be to ensure companies know what they’ve included in their supply chain, they will also need to have processes for rapidly handling and disclosing vulnerabilities in their dependencies.
Users of open source software also need to keep track of lifecycles and ensure the projects they are using are still getting security updates.
- One of the most valuable things businesses that use open source can do is contribute back. Help fix bugs. Conduct security audits and feed back the results. Cash, while welcome and useful, isn't sufficient. We eagerly welcome audits and fixes from any source. We have a process defined for doing so: https://www.apache.org/security/. Our one caution is that we have prior experiences with audits and it is not productive when those audits produce a number of false positives. See Feedback from The Apache Software Foundation on the Free and Open Source Security Audit (FOSSA). It is worth noting that many automated means of performing an audit are more suited to detecting bugs inside a single component rather than identifying a vulnerability that is composed of combination of intentional features such as the one we saw with log4j. It is better when these audits are performed by skilled resources who are able to accurately identify actual issues, produce fixes, and therefore reduce the burden on each project.
Open Source projects should prioritise publishing machine readable security metadata quickly after a critical security issue is public. Many For example, many end users and tool vendors look to information published in the MITRE CVE database and in the downstream NIST NVD database. During 2021 MITRE have given CVE naming authorities (such as the ASF) the ability to publish information rapidly . Future changes are being made to that format and process in 2022 which evolve and enhance that capability.For example for Log4J, the CVE was live on cve.org with full machine-readable metadata including affected versions in under 30 minutes from release.For projects outside of the ASF, initiatives from platforms such as GitHub give projects the ability to obtain CVE names and publish vulnerability metadata. Other Open source projects which are deemed critical should work with the CVE project to become CVE naming authorities, allowing them to provide rapid publication and consumable updates in machine readable formats.
- We support the notion of identifying critical components. As our software is without cost and can be downloaded by anybody, we have no way of knowing how widely our projects are used. This means that by necessity determining if a component is critical can only either be determined by automated means which is always going to be incomplete and imperfect, or more manually such as by identifying critical products first, and then getting an inventory of what components those products embed. This problem is not unique to the ASF, so it makes sense for there to be industry standards and best practices. We are prepared to participate in these activities.
- As noted above, vulnerabilities can be a result of a how a number of components are combined.
The owner of a system is best placed to determine the criticality of that system and the degree to which individual components contribute to that criticality.
Criticality depends on usage. We need to avoid solutions that create burdens for all system owners using a software component when the component is only critical for some systems.
...