The Dot Zero Conundrum and the New Frontier of Securing Open Source

September 24, 2019 By Brian Fox

Over the past two years, I’ve spoken about more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private ssh keys, insert backdoors, and even deliver targeted patches to alter proprietary code. The malicious injections into open source projects have been difficult to detect because, on the surface, they look no different from other open source contributions. These bad actors leveraged the communal nature of open source to their advantage, with devastating effect in some instances.

Understanding these types of breaches, and how hackers are playing the “long game”, is something that we at Sonatype continue to focus on as we expand our product capabilities. We know that cybercrime is big business. In 2016, cybercrime outpaced the illicit drug trade by $15 billion, at an estimated value of $450 billion. According to Cybersecurity Ventures, by 2021 cybercrime is estimated to be worth $6 trillion; that’s $800 for every person on the planet. Monetizing information stolen from compromised code is the new criminal frontier.

Our mission is to help our customers stay ahead of these and other emerging threats. To do this, we’ve had to get creative. We’ve had to think like those who stand to profit and to try to get ahead of how they leverage the open source community and their projects for nefarious purposes. Catching these breaches proactively is a hard problem to solve.

To address the next frontier of cybercrime, Sonatype is combining a new type of behavioral analysis with machine learning and proprietary data to give our customers an indication, or early warning sign, when a new release of an open source project demonstrates heightened risk attributes. Think of it as Minority Report meets precise, curated data. Our goal is to give customers a holistic view of the security of a release so they can make an informed choice about how to proceed and whether the risk they’re taking is an acceptable one. We want to give them data in context. That said, providing predictive risk intelligence about a specific release is only half of the story.

Protecting open source code is extremely important, and something Sonatype has been doing successfully for more than a decade, but so too is mitigating what I like to call the “dot zero” problem. For a perfect example of the “dot zero” conundrum, look no further than the latest Apple iOS release, 13.0.

The warnings are out, as is the strong language describing all the issues with this release. From folders disappearing from iCloud to a major security flaw that allows a hacker to bypass the lock screen passcode and see all contacts, this release has been widely described as “scattershot and messy”. It’s so messy, in fact, that the Department of Defense has recommended that DoD staff refrain from upgrading to version 13.0.

For those who have already upgraded, the damage is done. The misery of attempting to salvage files and folders and restore functionality is palpable, not to mention the hours of lost productivity that employees and their companies will never get back. If only there had been a way to know how bad this release was before it was deployed: before the upgrade, the heartache, and the lost productivity. Some might say users would have needed a crystal ball to know enough to skip the iOS 13.0 release.

At Sonatype, we believe you need precise data and metadata in context in order to decide whether to accept a release, no crystal ball needed. 

In addition to identifying malicious activity based on commit behavior, Sonatype’s expanded Nexus Intelligence capabilities also collect real-time metadata pertaining to the quality of new component version releases. This provides another layer of insight into the integrity of every new version of a component and enables developers to automate and scale dependency management with greater peace of mind.

Let’s face it, new versions of components are released at an overwhelming pace, approximately 20,000 per day, making it impossible for most teams to manually manage dependencies. Sonatype’s next generation Nexus Intelligence will automate this otherwise painful process and help developers update to the best and newest versions of component releases.

Precise data, in context, with a holistic view of the integrity and security of open source components and their releases is the future of keeping the highest quality, lowest risk software at the forefront of innovation. Sonatype is committed to that future. 

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.