The Challenge of Open-Source Software Security
Patrick Dwyer Says Open-Source Software Deserves More Resources
The Log4j vulnerability has underscored once again the widespread dependence on open-source software projects and the lurking risks.
It has also brought into question whether software projects such as Log4j, which is maintained by volunteers with the Apache Software Foundation, deserve more attention and resources given the deep impacts a security problem can have.
"We're not talking about a large corporate vendor here supplying this component," says Patrick Dwyer of the Open Web Application Security Project, or OWASP. "We're talking about a small team of open-source software maintainers."
Enterprises and organizations are scrambling to figure out if software they're running uses the logging library. The remote code execution flaw found in Log4j could allow an attacker to extract secrets from a server or take it over completely (see: Exploiting Log4j: 40% of Corporate Networks Targeted So Far).
Part of the problem is that Log4j is in hundreds of thousands of software applications. Figuring out the risk and exposure has been a challenge.
Dwyer helps develop CycloneDX, a specification for creating SBOMs, or software bills of materials: lists of the third-party code and dependencies within an application or device. SBOMs would conceivably have helped organizations gauge their risk in Log4j-type situations, since they would already have an accurate inventory of which applications contain the affected component, he says (see Supply Chain: The Role of Software Bills of Materials).
"We would have been in a much better state to be able to prioritize that initial response," Dwyer says. "A lot of people didn't even know where to start."
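The inventory lookup Dwyer describes, as an added example that is not from the interview or the CycloneDX project: a small Python script that walks a CycloneDX JSON SBOM and reports which applications bundle a given library below a chosen fixed version. The SBOM content is constructed for illustration, and the "first fixed version" threshold is a parameter the caller supplies from the relevant advisory.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX-style SBOM (JSON), written for this example; not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-service", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]},
    {"type": "application", "name": "customer-portal", "version": "1.9.4",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
        "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
     ]}
  ]
}
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric major.minor.patch prefix as a tuple; pre-release tags are ignored (simplification)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    return tuple(int(x or 0) for x in m.groups()) if m else (0,)

def walk(components: List[Dict], owner: str = "") -> Iterator[Tuple[str, Dict]]:
    """Yield (top-level owner name, component) for every component, including nested ones."""
    for comp in components:
        label = owner or comp.get("name", "?")
        yield label, comp
        yield from walk(comp.get("components", []), label)

def find_affected(sbom_json: str, group: str, name: str, fixed_in: str) -> List[Tuple[str, str]]:
    """Return (application, version) pairs that ship group:name older than fixed_in."""
    sbom = json.loads(sbom_json)
    purl_prefix = f"pkg:maven/{group}/{name}@"
    hits = []
    for app, comp in walk(sbom.get("components", [])):
        by_coords = comp.get("group") == group and comp.get("name") == name
        by_purl = comp.get("purl", "").startswith(purl_prefix)
        if (by_coords or by_purl) and parse_version(comp["version"]) < parse_version(fixed_in):
            hits.append((app, comp["version"]))
    return hits

if __name__ == "__main__":
    # "2.15.0" here is a placeholder threshold; take the real value from the vendor advisory.
    print(find_affected(SBOM_JSON, "org.apache.logging.log4j", "log4j-core", "2.15.0"))
```

Note that log4j-api in customer-portal is not reported: only the component named in the query is matched, so the inventory answers "where is this exact library" rather than "where is anything from this project".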
In this video interview with Information Security Media Group, Dwyer discusses:
- The security challenges of open-source software projects;
- Why some open-source software projects need enterprise-level security evaluations;
- How SBOMs can help organizations understand their exposure to vulnerabilities.
Dwyer is a member of the CycloneDX SBOM Specification Core Team and OWASP. He is also software developer lead for a government council in Queensland, Australia.