When it comes to open-source projects, the code is shared publicly by their creators, with the hope that other developers can benefit from it and that the project as a whole can improve by the contributions of a broader community.
Inspecting the source code is akin to scrutinizing the blueprint of a building to identify potential entry points that may be exploited by an intruder.
It’s difficult to dispute that the open-source movement has had a profound impact on the industry. Without it, we would have been deprived of pioneering technologies like Node.js, Python and Angular. However, it’s imperative to assess the potential risks that these endeavours may carry.
It’s reasonable to question if there are any potential drawbacks of utilising open source software.
An Illustration of PHP
In a recent incident, cybercriminals deployed social engineering strategies to target the PHP repository. Their methods were rudimentary but nearly effective, as they succeeded in patching the repository using the login credentials of one of the most renowned PHP engineers.
The vulnerability was legitimate, and the code was capable of addressing it. However, events took an intriguing twist. The hackers, in an attempt to conceal their activity, purposely left an error in the initial code and used the account of another community expert to make the required changes.
The problem was that they had added a code that, once triggered, would grant the user complete administrative privileges on the server. This means that if all the PHP-based websites had implemented the update, the administrative password for each site would have been set to “1234”.
The perpetrators attempted to insert malicious code into a seemingly harmless “correction” submission from a trusted source, with the hope that it would go unnoticed and be included in the master branch, which would be ready for public release.
This coding language is leveraged by 79.1 percent of websites worldwide, including contemporary ones like Facebook. Therefore, having access to one of the biggest data aggregation companies could be exceedingly valuable in the context of PHP.
In 2023, it was disclosed that hackers had compromised PEAR, one of the most extensively used package repositories for PHP, by swapping its package manager with a malevolent edition. This was not a one-off occurrence.
A Member of the Community
It seems that we have a compelling argument against the usage of open source projects currently. It’s valid to acknowledge that there is a potential threat of nefarious actors exploiting open-source software.
Equally important and worth noting are the benefits of the situation. The PHP community responded promptly to both occurrences, preventing the virus from spreading rapidly. While the PEAR attack caused some harm, the second one was detected and halted before it could cause additional damage.
Numerous developers are working tirelessly on open-source projects, scrutinizing each modification, addressing concerns, and optimizing the code for the greater good of the community. Similar to a living organism, open-source software advances and develops over time.
Although PHP has been targeted by hackers in the past, it won’t be the only open-source project to face such threats. As a counterpoint, it’s noteworthy to mention that the project’s dependence on its git repository was also a significant vulnerability. In the aftermath of the recent security breaches, the developers of the project have decided to move the codebase to the more secure platform of GitHub.
Although there are potential risks associated with open-source technology, Django has emerged as a dependable solution thanks to the developers’ unwavering dedication to security since the inception of the project.
Therefore, a significant and devoted community can offer an additional layer of protection. In instances where the original developers may not have detected any concerns in their code, a second set of eyes can often identify them. As a matter of fact, there are occasions when an open-source project is actually more secure compared to its counterparts.
Learning from Naughty Dog
Naughty Dog is a highly regarded video game development studio that has launched some of the most lauded titles in the PlayStation industry. Regrettably, their most ambitious project was compromised in 2023 when all the footage was leaked ahead of its release.
There were speculations that an unhappy programmer had instigated the attack in an attempt to undermine the company, among other rumours that were circulating. However, the actual story was not as captivating.
The individuals who leaked the files were actually fans who discovered the method to gain access to Naughty Dog’s Amazon Web Services S3 server via the patches of one of the company’s other projects. After a thorough investigation, it was uncovered that the files for the ongoing project had already been uploaded in the server.
It’s comprehensible how such vulnerability could be exploited, but some of the most significant cyber-attacks have resulted from a lack of vigilance. The developers may have been using the same methods across various projects without any apprehension, as no such incidents had taken place before.
Maintaining an active community guarantees that oversights such as this can be promptly detected. With several pairs of eyes scrutinizing the same code, the likelihood of identifying an issue and suggesting a resolution is notably enhanced.
Open source operates on the notion that numerous people collaborating together can achieve more compared to a solitary engineer working alone.
Can this problem be solved?
There’s no denying that each project comes with some level of risk, but open source initiatives introduce their own set of distinctive challenges. Nevertheless, the benefits of using open source software in pursuing a project outweigh any possible disadvantages by far.
Using open source software without proper caution can pose a security threat. Developers must meticulously scrutinize the source code and explore the potential security hazards linked with a library prior to its integration. Neglecting to do so could lead to unfavourable outcomes.
The most efficient way to incorporate security into the design process is to involve engineers who prioritise security, create a dependable software development framework at the project’s onset, and employ a stringent testing protocol.
Similar to the hazards of riding a motorcycle without a helmet, utilising open-source technology without comprehending the likely security hazards and taking requisite precautions can be extremely dangerous.