Securing the world’s open source, together

The following is a readout of my prepared remarks delivered at RSA Conference 2023.

Good afternoon, and welcome! Today, we’re going to talk about the security of open source software and why each of us has an important role to play in securing the code we all benefit from, so that you can leave here with practical ways to help secure open source. But first, I want to set the stage on how open source is intricately woven into the world around us.

The world runs on software, and 97% of software projects include open source. In 2022, there were more than 413 million contributions to OSS projects on GitHub.com. And open source is being used by 90% of companies today.

From your alarm in the morning to your commute into work, your emails and texts – nearly all of this software runs on open source – and much of it is built on GitHub.com. Open source has truly built the backbone of so much of what powers our global economy.

But as the open source codebase grows, inevitably, vulnerabilities do too. Log4Shell was one of the largest zero days in recent memory, given the ubiquitous nature of Java, found in every organization. The exploit caused far-reaching destruction, even in systems like Minecraft.

This is just one example of many that illustrates the broad destruction that vulnerabilities can create across the entire ecosystem.

With more than 100M developers on GitHub, so much of the world’s development happens on our platform that security is not just an opportunity for us, but a vital responsibility.

But in the true spirit of open source, we know we can’t do this alone. And in fact, I don’t think there’s really any single party that can secure open source alone, because securing open source is a team sport. For it to be productive and secure, it must be a collective effort across everyone who uses and contributes to open source: developers, businesses, government entities, and more across the globe.

And we must empower developers who are writing the code we all benefit from, because security starts with the developer experience. If we don’t get that right, nothing else matters.

So, today, we’re going to discuss the practical ways we can come together to empower developers through education, tools, resources, and collaboration.

Empower developers

First, education. To really understand this problem, it’s important to recognize that we have a scarcity of expertise and talent to meet the tall task in front of us. Developers vastly outnumber their security counterparts, to the tune of 100 developers for every one security professional.

What that means is developers have to play an active role in fixing vulnerabilities when – and before – they happen, while not always having the domain expertise, support, and security context to do this. To help with this, we need to marry education and tooling that’s built with the developer in mind.

Within GitHub, we operate the GitHub Security Lab, who I think have some of the coolest jobs inside our walls! They are our dedicated team of security researchers who focus full time on improving the state of open source security. They provide best practices, training, and hands-on support for vulnerability management.

Part of their work also includes empowering the community to code more securely by helping the broader community successfully adopt security tooling and capabilities without necessarily needing full-time security expertise on their team.

To give you an example, they maintain the GitHub Security Advisory Database, which is crucial for vulnerability management in open source projects. It’s free and open for community contribution, so that any developer can both contribute to it AND benefit from it today. It’s already being used by large open source communities like Go Security and Rustsec as the single source of truth for their ecosystem security advisory bulletins.

In addition to the Advisory Database, there are lots of other tools, many of them available for free, to empower developers to code more securely so they can stay in the flow and simultaneously get to better security outcomes for their project.

These are tools like CodeQL, Dependabot, and secret scanning that can alert the community quickly should a vulnerability be found and need to be fixed in an open source project.

Now, each of these tools is designed with the developer experience in mind, so that we can make security a natural part of any developer’s experience inside the tools they already know and love.

And from what we’re seeing and hearing from developers, it’s working! As evidence of that, in 2022, developers updated 50% more packages with dependency vulnerabilities than in 2021, helping to secure 18M projects on GitHub.

But the more we can bring this knowledge and tooling together, the better outcomes we can create for developers everywhere.

Log4Shell is a powerful example of knowledge and tooling coming together to empower developers. We’re all familiar now with how this bug came to be:

  • The bug was introduced in 2013.
  • The pattern was initially presented in 2016 at Black Hat by one of GitHub’s own security researchers.
  • Then on Dec 9, 2021, the Apache Foundation disclosed the bug as a critical vulnerability, with the highest possible rating on the CVSS vulnerability scale.
  • From there, the Java world was set on fire!

Within minutes of the initial disclosure, our Security Lab had already published a security advisory to inform the community. That triggered hundreds of thousands of Dependabot alerts to more than 375,000 open source projects, telling the open source community how to find and fix this bug.

By acting quickly to alert the community, we empowered developers across more than half of active repos to adopt the fix in just a week. From there, developers within the community came together to create a new CodeQL query to detect variants of Log4Shell.

This empowered the Log4j project maintainers to use code scanning with CodeQL on the project source repositories, so that this bug never appears again in the Log4j project.

I can’t think of a more important example of knowledge, tooling and community coming together to empower developers to secure the broader ecosystem.

I also believe AI will play a critical role for developers in the future of security.

We talk a lot about “shifting security left” as an industry, but there’s no better way to do that than what we’re seeing with the advent of the AI-assisted pair programmer right there in your IDE with you, helping to make sure the code you’re writing is safe and secure as you bring your ideas to code in real time.

While it’s early days in this space, Copilot isn’t just helping developers be more productive, it’s helping them get better security outcomes, and developers are telling us they love using it.

How often do you get to say that a tool is empowering developers to code more securely and productively all in one? It’s amazing, and it’s going to be the new standard for helping developers do their best work going forward.

Now, let’s look at the ways we can empower developers by securing the software supply chain.

Invest in securing the software supply chain, together

Your software depends on someone else’s software. Which depends on someone else’s software… Which depends on someone else’s software… It’s a chain.

Understanding and dealing with the graph problem of managing dependencies is one of the biggest risks to the supply chain when we consider that nearly all codebases contain some form of open source code. This means another person’s dependency is equally your problem to solve if you use it in your proprietary code.
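To make the graph problem concrete, here is an added example (not GitHub’s or Dependabot’s code) that walks a constructed dependency graph and reports which projects are transitively exposed to a constructed advisory, and through which chain of packages. All package names, versions and the advisory are made up for illustration; the point it shows is that a project can pull a clean version of a package directly and still be exposed through a dependency of a dependency.

```python
"""Added example: transitive exposure to a vulnerable dependency.

The registry and advisory below are constructed for this illustration.
"""
from collections import deque

# Constructed registry: (package, version) -> list of (dependency, version)
REGISTRY = {
    ("web-app", "1.0.0"): [("http-client", "2.3.1"), ("logger", "4.1.0")],
    ("http-client", "2.3.1"): [("json-parse", "1.2.0")],
    ("logger", "4.1.0"): [("template-engine", "0.9.5")],
    ("template-engine", "0.9.5"): [("json-parse", "1.0.3")],
    ("json-parse", "1.2.0"): [],
    ("json-parse", "1.0.3"): [],
    ("cli-tool", "3.0.0"): [("logger", "4.1.0")],
    ("static-site", "2.2.0"): [("json-parse", "1.2.0")],
}

# Constructed advisory: package -> first fixed version (all earlier versions affected)
ADVISORIES = {
    "json-parse": {"fixed_in": (1, 1, 0), "id": "ADV-CONSTRUCTED-1"},
}


def parse_version(version):
    """'1.0.3' -> (1, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(pkg, version):
    """True when an advisory exists for pkg and this version predates the fix."""
    advisory = ADVISORIES.get(pkg)
    return advisory is not None and parse_version(version) < advisory["fixed_in"]


def exposure_paths(root_pkg, root_version):
    """Breadth-first walk from the root; return one dependency path
    (as 'pkg@version' strings) for every vulnerable node reached."""
    paths = []
    seen = set()
    queue = deque([[(root_pkg, root_version)]])
    while queue:
        path = queue.popleft()
        pkg, ver = path[-1]
        if (pkg, ver) in seen:
            continue  # already reported via a shorter path
        seen.add((pkg, ver))
        if is_vulnerable(pkg, ver):
            paths.append([f"{p}@{v}" for p, v in path])
        for dep in REGISTRY.get((pkg, ver), []):
            queue.append(path + [dep])
    return paths


def triage(projects):
    """projects: list of (name, version). Return {name: [exposure paths]}."""
    return {name: exposure_paths(name, ver) for name, ver in projects}


if __name__ == "__main__":
    for name, found in triage([("web-app", "1.0.0"), ("cli-tool", "3.0.0"),
                               ("static-site", "2.2.0")]).items():
        print(name, "->", " > ".join(found[0]) if found else "no exposure")
```

Note that web-app depends directly on a fixed json-parse (1.2.0) and is still exposed through logger and template-engine, which is exactly why an alert on a transitive dependency is your problem too.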

Collectively, this will require large enterprises and businesses, essentially the consumers of open source, to dedicate more resources to open source in order to empower developers to code more securely. And when I say resourcing, what I mean is the time, expertise, and funding to help secure the software supply chain, because we know it can’t be achieved by knowledge and tools alone.

And I believe our resources should first focus on empowering developers by investing further in brilliance at the basics.

When I talk about security, I often refer back to Forrester’s Targeted-Attack Hierarchy of Needs.

You can see that the top of the pyramid is where a lot of the fun and flashy work is happening. But too often I see an emphasis on detection and response before organizations achieve brilliance at the basics.

Let me put it this way: having expensive, night-vision, motion-detecting cameras all around your house so that you can get real-time facial recognition on who is breaking in means nothing if you don’t have a lock on your front door. It’s the wrong ordering of your security investments.

The best way to empower your developers is to first focus on the bottom half of that pyramid: areas like a resilient strategy and good fundamentals that allow you to build the basis of a strong security program.

As one of the world’s largest developer platforms, we believe platform security is one of the most basic ways we can empower developers to code more securely on GitHub.com.

Why? It’s one of the cheapest and most effective ways to help secure developer accounts, which influences everything that depends on those developers downstream.

Even though multi-factor authentication (MFA) is something we talk a lot about as an industry, especially since Zero Trust came more into fashion around 2016, you don’t need to look very hard to find that few have really gone ‘all in’ to embrace it, let alone driven adoption of strong authentication across the board.

As a comparison data point, last year Twitter reported that only 2.6 percent of active users have some form of 2FA set up. And even within our walls at GitHub, we’ve traditionally seen less than 20 percent adoption.

This is better by comparison, but we know the impact of doing better here is massive across the supply chain when we think about how damaging account takeover of popular maintainer accounts can be.

In fact, we started the work to require MFA in response to popular accounts on npm being hijacked and publishing compromised packages. We’ve already finished our MFA enforcement rollout on npm, and it’s largely extinguished this as an attack vector.

That gave us the confidence to tell the world in March of 2022 that we’re going to require 2FA across all of GitHub.com by the end of this calendar year. And I’m happy to say that a few months into the actual rollout, it’s going great, and we’ve already massively driven up the adoption numbers. I’m confident we’ll hit our targets by the end of the year.

By making it easy for developers to secure their accounts, we believe this is one of the single most important measures we can implement to help defend the entire ecosystem against supply chain attacks. And we hope it will encourage others across the industry to follow suit.

2FA is a basic measure that has a huge impact on the broader ecosystem, but we need companies to do more in order to commit back upstream to secure the open source code we all depend on. Here are three easy ways you can jump in to help empower developers:

First, if your company’s security team finds a vulnerability in an open source project that you’re using, it’s in everyone’s best interest to collaboratively and responsibly report that vulnerability back to the maintainers. By doing this, you are contributing back to help the project fix the bug, which benefits all developers who use that project.

Second, you can contribute money directly to initiatives that make a difference like the Internet Bug Bounty program (IBB) to further incentivize both security researchers and OSS developers. The IBB is the only bug bounty that is crowdfunded by sponsors to reward both research and remediation, and it’s an important step to recognize and reward developers on both sides to support the ecosystem.

And, finally, you can sign up to sponsor your favorite open source projects. This is why we created the GitHub Sponsors program in 2019. With Sponsors, your financial contributions directly support and empower developers who are building the open source projects your company likely depends on. As of 2023, more than $32 million was given globally across nearly 13,000 open source projects by individuals and companies. If you regularly benefit from an open source project, it’s in your best interest to sponsor its work so the maintainers can apply more resources to keeping the project up to date and secure.

Open source is part of everything we build, use, and do, so it’s important to be both a responsible consumer and a contributor back to the broader ecosystem, in order to support the developers who are building the open source we all benefit from.

Contribute to transform open source software security

Now, I want to talk about how we can broaden this collaboration beyond individuals and businesses, because our government partners also have an important role to play in empowering developers.

Securing open source will require strong, global collaboration to get after this issue on a financial, technical, and policy level because cyber events know no geographic or political boundaries.

I think about this work in three different ways: the policy efforts to govern open source security, our partnerships between public and private sector entities, and finally, how we all participate to support one another across these efforts.

We really need governments and policymaking entities to be part of the solution and work together with maintainers and the private sector to move things forward, rather than imposing a top-down solution.

Governments have a unique role in empowering developers, particularly because they have a unique opportunity to influence not just through policy, but through action.

Think about it: the US government is not just a policymaking entity, it’s also the largest software buyer in the world. The rules it makes, and the rules it follows about how it buys and works with software, matter immensely as they trickle through congressional legislation, executive orders, and other policy measures.

In 2022, I had the honor of joining many public and private partners at the White House’s Open Source Software Security Summit.

What should be encouraging to everyone in this room is that this meeting wasn’t just a photo opportunity or press conference. It was a turning point for a new level of collaboration between the public and private sector to work together to secure the critical open source dependencies we all depend on.

We sat down and worked through security scenarios, had meaningful discussions, and made commitments that are helping move the ecosystem forward. That meeting set the stage for better public-private partnership, and it also included many substantive outcomes to push policy forward to support the work of developers everywhere.

One example of this is the Open Source Security Mobilization Plan, which was published by the OpenSSF and included collaboration across businesses, policymakers and technical experts. This plan outlines 10 areas of joint work where we can improve the security of open source software. And it’s a great entry point for companies to easily engage in broader policy efforts and common technical frameworks to work together to tackle some of these big challenges.

Let me share a firsthand example. GitHub is actively involved in the Sigstore project in collaboration with the Linux Foundation and OpenSSF in order to drive better security outcomes across the ecosystem.

If you don’t know what Sigstore is, let me explain it in layman’s terms: would you eat a piece of pizza off the floor if you found it walking around Moscone? Probably not. You don’t know where it came from, who made it, or, for that matter, how clean the floor is…

Sigstore helps developers solve the problem of knowing who produced an artifact and where it came from, by making it simple to produce security attestations in the form of signatures on artifacts that are backed by trustworthy public infrastructure. It’s a classic grassroots, open source success story to help secure the software supply chain, and it’s already getting massive traction from some of the most critical projects powering global infrastructure, like Kubernetes.

npm is the first registry to offer this functionality publicly, and we’re also actively working with other registries, through the OpenSSF’s Securing Repos workstream, to help them do the same. By adopting Sigstore, you are empowering developers to code more securely.

And there’s other good policy coming from the US government that was influenced by public and private partnership and the 2021 White House meeting.

I believe the most recent National Cybersecurity Strategy from the Biden Administration is one of the best examples of policy designed to drive better collaboration that benefits all developers and consumers of open source. Two key details that we should all find promise in:

First, the strategy suggests that organizations in greater positions to positively impact the security of the broader ecosystem should be doing so. We agree, and frankly this is why we give away free security tooling to public repositories and open source maintainers and are spending resources on 2FA across GitHub.com: we think we are in the best position to impact open source technology in those areas.

Second, the strategy also suggests that software producers need to bear the liability and cost of security incidents. This is an encouraging development because, as it stands today, the consequences of a security issue roll downhill and are almost always borne solely by the consumer.

Businesses in a position to do more need to step up, not just in policy, but also in how you partner and participate across the ecosystem.

Now, if you’re not a policy maker or in a position today to influence policy efforts within your company, you might be wondering how this applies to you, so I want to leave you with a few ways you can get started to empower developers.

When you walk out of the room today:

  • Look at your favorite open source project on GitHub.com and find a few bugs you can squash
  • Check out some of the free security content available through GitHub Security Lab, OpenSSF and other organizations designed to secure the broader ecosystem
  • Where you can, adopt free tools like secret scanning in your public repos
  • Go sponsor your favorite project! I sponsor Homebrew and a few others that I depend on; it takes just a few seconds to set up

And as you begin to invest more in open source security in the future you can:

  • Dedicate resources to contribute internal security fixes upstream to the open source projects and communities your organization depends on
  • Join the OpenSSF and find ways to get involved in the Open Source Security Mobilization Plan
  • Contribute to proposed policy and legislation to influence better public sector involvement, which ultimately empowers your developers and supports your business initiatives
  • Adopt projects like Sigstore and other free and open source security tooling to improve your projects and the projects you’re consuming

Securing open source starts by empowering the developer

As I said earlier, securing open source is a team sport, and the only way we can drive a more trustworthy future for everyone is to empower the developers who are writing the code we all use.

This includes the education and tools to empower developers to write more secure code.

It includes investing our time, resources, and funding so that your teams can bring more support to the bootstrapped open source developers building and maintaining the code we benefit from.

And, finally, it includes greater collaboration across all consumers of open source to make it easier for developers to code more securely.

It’s great for me to be able to share with you our perspective and some of the work GitHub is doing as the home of open source, but the beauty of open source is that it’s built and powered by people contributing to its success. It’s going to take all the other players on the field, working together, to win in this space.

Varun Badhwar

Founder & CEO @ Endor Labs | Creator, SVP, GM Prisma Cloud by PANW

1 year

Thanks for sharing Michael Hanley. The team at Endor Labs and I are excited about the collective work our teams are doing to improve the state of open source security and governance, and software supply chain security landscape in general https://www.endorlabs.com/ghas

Adam Bateman

Co-founder, CEO at Push | Stop identity attacks

1 year

Great write-up Michael Hanley and good to catch up again, in real life this time!

Ashish Rajan

CISO | I help business Leaders solve AI & Cloud Challenges!

1 year

It was a good session Michael! If you would ever want to talk about this topic on Cloud Security Podcast, we would love to have you as a guest.
