‘Who You Gonna Call?’ OSS Security Stakeholders Urged to ‘Cross Streams’

In the seminal ‘80s sci-fi comedy, “Ghostbusters,” the protagonists were warned about the potential catastrophic impact of crossing their ghost-busting proton energy streams. Of course, (spoiler alert), the act of crossing the streams ends up being the solution at the film’s climax.

In the open-source software (OSS) community, “upstream” stakeholders (developers and software creators) and “downstream” stakeholders (consumers and end users), often work without input from one another. Two experts say it's time for the stakeholders to “cross streams” to address potential vulnerabilities.

During their presentation at the inaugural VulnCon conference in Raleigh, N.C., presenters Christopher Robinson, director of security communications at Intel Product Assurance and Security, and Madison Oliver, senior security manager at GitHub, said the open-source software ecosystem’s complex framework warrants a unified approach.

“I would like to make the argument that crossing streams and open source is absolutely necessary and exactly what we need to be doing,” Oliver said. “We are very much advocating that all decisions should be crossed. Do not be afraid to go upstream, don’t be afraid to go downstream … Disclosure ultimately is a human process. And people have feelings and individual motivations. We don’t always see eye to eye. When there is a vulnerability, it is a time of anxiety all around.”

Related:5 Big Ideas from VulnCon 2024

Both the party reporting a vulnerability and the party maintaining the impacted data need to have clear lines of communication -- whether they are upstream or downstream in the ecosystem, the presenters said.

“It really helps ensure that the maintainer of the project has access to the resources they need to be able to analyze the problem, perform tests to validate, and then be able to develop a patch … so, it’s very important that developers have access to that communication [with downstream stakeholders),” Robinson said.

OSS Unique Vulnerability Considerations

Open-source software development poses its own set of challenges when it comes to managing vulnerabilities, Oliver told the audience.

“There are a lot of reasons why OSS CVD (coordinated vulnerability disclosure) can be difficult,” she said. “Determining who and how to contact somebody is quite complicated … Who do I tell? And how can I share this with them? And it’s even more complicated with open source because the project could no longer be maintained -- it could have transferred ownership.”

Because of that complexity, OSS CVD can be a longer process than other disclosure processes.

Related:Ground Rules for Open-Source Software Management

Robinson and Oliver say stakeholders working with vulnerability issues with open-source software products can get assistance through the Open Source Security Foundation, a community of software developers and security engineers. “We are a group of people dedicated towards trying to help raise the security profile of open-source software for the whole ecosystem,” Robinson said.

Building an OSS Security Team

While it can be a challenge, organizations should consider building a team to address the unique security concerns surrounding OSS. “We recommend building some sort of security team,” Robinson said. “It’s much easier to get these things established before there’s a crisis, as opposed to trying to put the wings on the airplane while it’s taking off.”

The security effort should involve both upstream and downstream stakeholders who can have important conversations outside public view. “You should also have some means to develop patches privately that’s not in your public repository, because the bad guys are constantly monitoring the source code repositories. Having the means to privately test and develop a patch is critical.”

Generative AI and OSS Security

With the use of GenAI technology booming in all sectors, there are concerns around OSS vulnerability to AI attacks. So far, “Folks using generative AI to find vulnerabilities has had mixed results,” Oliver says in a response to a question from InformationWeek. “Up to this point, the negative impact I’ve seen is that it’s really getting more noise and making more things for open source maintainers to have to respond to -- I’m hoping over time that will improve.”

Related:Open Source Unlocks Possibilities for Innovation and Modernization

Intel’s Robinson says GenAI security is a top concern. “We have a working group dedicated toward AI and ML (machine learning) security. And they are collaborating with a bunch of other foundations across the ecosystem.”

Oliver notes, “It’s just another layer of complexity.”