Protestware: what organisations should be aware of when using open source software – Lexology

Posted on by

The recent inclusion of 'protestware' in popular open source software (OSS) codebases highlights some emerging risks to organisations that rely on OSS.

Key takeouts

There have been recent incidents of 'protestware' or malicious codebeing incorporated within open source software (OSS) codebases.

Organisations who rely on business critical software which contains OSS may be subject tosecurity and business risks.

Organisations should implement policies and procedures tomitigate again risksassociated with the use of OSS.

Open source software (OSS) is ubiquitous in commercial software. Both in-house and external developers use community-sourced code from public repositories such as GitHub to more efficiently build, test, launch and maintain software. This shortens release times and helps organisations gain competitive advantage.

While the OSS community generally functions as a gatekeeper for quality control, the sheer volume and widespread use of OSS means that there are still risks associated with its use.

On 8 March 2022, the maintainer of node-ipc, an OSS JavaScript library that is downloaded approximately a million times a week, released an update containing protestware. The release included obfuscated code that determined the approximate location of machines running the software. If the IP address was geocoded as Russian or Belarussian, the software traversed the users filesystem, overwriting any data encountered with heart symbols. The maintainer defended their additions to the module as a protest over Russias invasion of Ukraine.

The Director of Developer Advocacy at Developer Security Platform 'Snyk', which investigated and disclosed the incident, observed that it highlighted a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security. Not surprisingly, the implementation of the node-ipc protestware affected more than just its intended targets subsequent reports claimed that a US NGO running a production server in Belarus was adversely affected.

This is but one example of recent OSS protestware and other OSS-related incidents. In January, the maintainer of two open-source libraries (with more than 3.5 billion total downloads combined) issued an update that caused applications to, amongst other things, repeatedly print the word 'Liberty'. The maintainer stated that this was in protest of larger corporations using his work for free.

And in December 2021, malicious code (referred to as 'Log4Shell') was discovery in Log4j a ubiquitous OSS JavaScript library employed across numerous cloud-based services which allowed hackers to remotely access and take control of affected systems.

These incidents highlight how organisations that are dependent on OSS for business critical software, or that contract with outsourced service providers who that OSS, or products or services that contain OSS, rely on the diligence and good faith of the open-source community. This has the potential of creating a supply chain risk for the organisation.

How can organisations mitigate these risks?

To mitigate these risks, organisations should consider giving effect to the following:

Read the original post:
Protestware: what organisations should be aware of when using open source software - Lexology

Related Posts
This entry was posted in $1$s. Bookmark the permalink.