
Is the Internet on Fire? The State of Open Source Security

Amid the flurry of innovation and collaboration at last week's KubeCon North America, a critical theme emerged: the precarious state of open source security.

Michael Lieberman

Andrew Martin, CEO of ControlPlane

November 26, 2024

Open source software powers our digital world, from critical infrastructure to consumer apps. But recent incidents, such as supply chain attacks and persistent vulnerabilities, have sparked a pressing question: Is the Internet on fire? Andrew Martin, CEO of ControlPlane, and Michael Lieberman, CTO of Kusari, explore this urgent topic, challenging us to rethink how we secure the backbone of our digital ecosystem.

This blog delves into the vulnerabilities of open source, the evolving nature of supply chain attacks, and the practices that can harden our defenses. As we reflect on KubeCon’s insights, it’s clear that securing open source is no longer just a technical issue—it’s a responsibility we all share.

A common way to check the stability of our digital world is by checking if global DNS is up and running via https://www.istheinternetonfire.com/—if that fails, we know we’re in serious trouble. But even when DNS works, the unsettling reality is that the Internet is ablaze. Take the attack on the XZ compression library. This supply chain attack wasn’t exploiting technical flaws; it leveraged years of social engineering: gaining the trust of the core maintainer and pushing for co-maintainership. After gaining increased privileges, the attacker introduced vulnerabilities into the widely trusted library. It is the latest stark reminder that attackers have relentlessly targeted open source software for some time.

Here are some noteworthy incidents that left their mark:

  • Log4Shell – The infamous Log4j vulnerability impacted millions globally.
  • Heartbleed – A serious vulnerability in OpenSSL, affecting secure communication.
  • Dirty Cow and Meltdown/Spectre – Kernel- and CPU-level vulnerabilities.

Why Open Source is Vulnerable

Open source software is vital to the modern IT ecosystem. It allows communities to review, improve, and secure software. But increasing demand for free tools, combined with limited resources, turns projects into an attack vector. Openness itself makes open source a lucrative target. Attackers know that it is everywhere—from fintech to healthcare to national infrastructure. Given that reach, malicious actors focus on introducing vulnerabilities, whether through deliberate attacks or through the accidental errors of overworked, volunteer maintainers.

Securing the Software Supply Chain

When discussing software supply chain security, consider everything from dependencies pulled into your application to how they're managed in production environments like Kubernetes. A supply chain attack typically involves:

  • Malicious Code Insertion: A small change, often disguised in a dependency, sneaks into a package manager or repository.
  • CI/CD Pipeline Compromises: Attackers slip malicious code into the continuous integration and delivery process.
  • Remote Execution and Lateral Movement: Once the malicious code is live, attackers gain remote access, escalate privileges, and compromise more systems.

These threats often bypass traditional security measures, targeting subtle flaws or typographical errors (like typo-squatting in package names) to avoid detection.

Mitigating Risk with SBOMs and Secure Practices

One critical defense against these attacks is adopting Software Bill of Materials (SBOM) practices, which help track software composition across the supply chain. SBOMs provide a precise inventory of dependencies, assisting organizations in understanding what’s vulnerable and where. Knowledge of the software you use is the first step. The next steps of storing SBOMs, keeping the information up to date, and correlating it with other software and services, are key for a consistently healthy software ecosystem.  
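As an added example (not code from the original post or from Kusari or ControlPlane), the Python script below shows the correlation step described above together with the typo-squatting check mentioned earlier: it parses a small constructed CycloneDX-style SBOM, matches each component against a constructed advisory list, and flags component names that are near-misses of an assumed trusted allowlist. The SBOM contents, the advisory entry (with a placeholder id and a constructed affected-version set) and the allowlist are all constructed inputs.

```python
"""Correlate an SBOM with advisories and flag look-alike package names.

Added example. SBOM, advisory data and the trusted allowlist are constructed
for illustration; they are not a real feed or a real organisation's inventory.
"""
import json
from difflib import SequenceMatcher

# Constructed minimal CycloneDX-style SBOM; components carry a package URL (purl).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "reqeusts", "version": "1.0.0",            # look-alike name
         "purl": "pkg:pypi/reqeusts@1.0.0"},
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ],
})

# Constructed advisory list keyed by purl without version; id is a placeholder.
ADVISORIES = [
    {"purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "affected": {"2.14.0", "2.14.1"}, "id": "EXAMPLE-ADVISORY-1"},
]

# Hypothetical allowlist of package names the organisation already trusts.
TRUSTED_NAMES = {"requests", "urllib3", "log4j-core"}


def parse_sbom(text):
    """Return (purl_without_version, version, name) for each component."""
    doc = json.loads(text)
    return [(c["purl"].rsplit("@", 1)[0], c["version"], c["name"])
            for c in doc["components"]]


def find_vulnerable(components, advisories):
    """Exact purl-prefix match plus membership in the affected-version set."""
    return [(prefix, version, adv["id"])
            for prefix, version, _ in components
            for adv in advisories
            if adv["purl_prefix"] == prefix and version in adv["affected"]]


def find_typosquat_candidates(components, trusted, threshold=0.8):
    """Flag unknown names whose similarity to a trusted name is suspiciously high."""
    return [(name, t) for _, _, name in components if name not in trusted
            for t in trusted if SequenceMatcher(None, name, t).ratio() >= threshold]
```

Flagged names still need a human decision; the similarity threshold is a heuristic, not proof of malice.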

Best Practices to Harden Open Source Software Security

Whether you’re a developer contributing to open source code or an organization relying on it, following best practices is critical to mitigating risks. This includes things like signing commits, monitoring dependencies, and setting up incident response plans. Here’s what we can do to secure the software supply chain:

  • Patch Quickly and Consistently: Automate patching processes and ensure quick updates for vulnerable packages.
  • Adopt Defense-in-Depth Approaches: Assume breaches are inevitable. Create systems resilient to compromise by hardening infrastructure, applying admission controls in Kubernetes, and enforcing strong identity management.
  • Use Security Tooling: Implement tools like SLSA for secure build practices, Sigstore for securely signing software artefacts, and GUAC for analyzing supply chain risks.
  • Test and Purple Team Your Defenses: Regularly test security operations with simulated attacks to ensure teams can detect and respond to potential threats.
  • Monitor the Software Lifecycle: Track dependencies from development to production. Be ready to mitigate vulnerabilities quickly.

The Future of Open Source Security

The landscape of open source security will continue evolving. AI and other advanced technologies are integrating into security processes, offering the potential for automated threat detection and risk management. However, AI is software, too—and the same supply chain risks apply.

Conclusion

In the end, the internet remains a vulnerable, fire-prone space. Open source is a powerful tool that fuels innovation but presents significant risks. We can secure our digital ecosystems by employing best practices, adopting SBOMs, and staying vigilant.

Let’s also remember that open source security is a shared responsibility. Businesses, developers, and security teams must work and invest resources together to ensure that the software we rely on every day is as secure as possible.
