OpenSSF GM Brian Behlendorf on the Future of Security

SEATTLE — When we first started developing open source software, recalled Brian Behlendorf, Open Source Security Foundation (OpenSSF) general manager, at CloudNativeSecurityCon, we really didn’t consider security. That, as we all now realize, was a mistake.
A big, big mistake.
Back then, Behlendorf recalled in his keynote, we could get away with using SMTP (Simple Mail Transfer Protocol) for email even though it wasn’t secure by default, and “we took it for granted that we could trust software layers below us so that we could build the kinds of things we wanted to build. We left security decisions to future generations.”
The Future Is Now
It was a different time, and the future is now.
Or, to put it another way, the security interest on our technical debt has come due. Some groups, such as Trellix, Behlendorf said, have taken it into their own hands to pay off some of that debt. After discovering that CVE-2007-4559, a 15-year-old path traversal vulnerability in Python, was still unpatched in the wild, Trellix took it upon itself to patch it in over 61,895 GitHub projects.
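CVE-2007-4559 is the class of bug where Python’s tarfile module extracts member names such as `../../etc/passwd` verbatim, so an archive can write outside its destination directory. The following is an added example, not Trellix’s patch or the page’s code, showing how to vet an archive’s members before calling extract; the archive contents and the destination path are constructed for the demo.

```python
"""Added example: flag tar members that would write or link outside the
extraction directory (the bug class behind CVE-2007-4559). Demo data only."""
import io
import os
import tarfile


def is_within(base: str, target: str) -> bool:
    """True if target resolves to a path inside base (both made absolute)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return names of members that would escape dest via '..', an absolute
    name, or a symlink/hardlink whose target lies outside dest."""
    bad = []
    for m in tar.getmembers():
        # An absolute name replaces dest entirely in os.path.join; '..'
        # segments are collapsed by realpath. Either way, check the result.
        if not is_within(dest, os.path.join(dest, m.name)):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # Link targets are resolved relative to the member's directory.
            link_dir = os.path.dirname(os.path.join(dest, m.name))
            if not is_within(dest, os.path.join(link_dir, m.linkname)):
                bad.append(m.name)
    return bad


def build_archive(entries: dict) -> bytes:
    """Build a tar in memory from {name: payload} (constructed demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)  # name stored as given, no sanitizing
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_archive(blob: bytes, dest: str) -> list:
    """Open an in-memory archive and report members unsafe to extract to dest."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    demo = build_archive({"ok/readme.txt": b"hi",
                          "../escape.txt": b"outside", "/abs.txt": b"x"})
    print(check_archive(demo, "/opt/extract-demo"))  # ['../escape.txt', '/abs.txt']
```

On Python 3.12 and later the standard library offers the same protection directly via `extractall(path, filter="data")`, which rejects such members instead of writing them.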
At the same time, Behlendorf noted, new threats have risen. Thanks to ChatGPT, GitHub CoPilot and other artificial intelligence (AI) tools, we can expect to see far more spear-phishing attacks on open source projects and AI-spoofed contributors that will place malicious backdoors into source code.
This isn’t science fiction. Behlendorf said, “This is going to happen this year.”
I agree. It’s not if AI-driven open source code attacks will happen, it’s when.
What to Do?
So, what can we do about it?
Well, one thing Behlendorf thinks we really, really shouldn’t do is let the European Union’s Cyber Resiliency Act (EUCSA) pass as it currently stands. As written, it would make developers personally liable when their software is used for illegal purposes. That bone-headed idea is an open source software killer. Besides, Behlendorf added, “these are not ways to solve cybersecurity problems.”
In an interview with The New Stack, Behlendorf spoke more about what we must do to protect our code. Much of that, he said, is already happening. For example, we’re “moving more projects to memory-safe languages such as Go and Rust.” He added that we’re also seeing more demand not only for SBOMs (software bills of materials), but for code signed with Sigstore.
We also need to adopt, Behlendorf warned, new attitudes about securing our code. For example, “There is no such thing as true zero trust architecture. While zero trust reduces the attack surface, we can’t avoid assumptions, bias, and defaults that will always make Identity and Access Management (IAM) a security problem.”
In addition, Behlendorf continued, “attacks that we think are hard to do will only get easier over time.” And, as these attacks get easier to do, others will “learn how to automate them for the bottom feeders.”
And, in the end, “Given enough time, all bugs will be exploited. Software is not gold in a safe, they’re heads of lettuce rotting away. Software needs an expiration date, after which a CVE should be issued.”
In the meantime, the cloud native community and the OpenSSF are working on improving security from many different angles. Hopefully, those efforts will be sufficient to guard our software against the incoming wave of attackers.
Learn more about OpenSSF’s plans to make open source software more secure in this On the Road episode of The New Stack Makers, which features an interview with Behlendorf recorded at Open Source Summit 2022, in Austin, Tex.