Protestware: what organisations should be aware of when using open source software

The recent inclusion of 'protestware' in popular open source software (OSS) codebases highlights some emerging risks to organisations that rely on OSS.

Key takeouts

There have been recent incidents of 'protestware' or malicious codebeing incorporated within open source software (OSS) codebases.

Organisations who rely on business critical software which contains OSS may be subject tosecurity and business risks.

Organisations should implement policies and procedures tomitigate again risksassociated with the use of OSS.

Open source software (OSS) is ubiquitous in commercial software. Both in-house and external developers use community-sourced code from public repositories such as GitHub to more efficiently build, test, launch and maintain software. This shortens release times and helps organisations gain competitive advantage.

While the OSS community generally functions as a gatekeeper for quality control, the sheer volume and widespread use of OSS means that there are still risks associated with its use.

On 8 March 2022, the maintainer of node-ipc, an OSS JavaScript library that is downloaded approximately a million times a week, released an update containing protestware. The release included obfuscated code that determined the approximate location of machines running the software. If the IP address was geocoded as Russian or Belarussian, the software traversed the users filesystem, overwriting any data encountered with heart symbols. The maintainer defended their additions to the module as a protest over Russias invasion of Ukraine.

The Director of Developer Advocacy at Developer Security Platform 'Snyk', which investigated and disclosed the incident, observed that it highlighted a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security. Not surprisingly, the implementation of the node-ipc protestware affected more than just its intended targets subsequent reports claimed that a US NGO running a production server in Belarus was adversely affected.

This is but one example of recent OSS protestware and other OSS-related incidents. In January, the maintainer of two open-source libraries (with more than 3.5 billion total downloads combined) issued an update that caused applications to, amongst other things, repeatedly print the word 'Liberty'. The maintainer stated that this was in protest of larger corporations using his work for free.

And in December 2021, malicious code (referred to as 'Log4Shell') was discovery in Log4j a ubiquitous OSS JavaScript library employed across numerous cloud-based services which allowed hackers to remotely access and take control of affected systems.

These incidents highlight how organisations that are dependent on OSS for business critical software, or that contract with outsourced service providers who that OSS, or products or services that contain OSS, rely on the diligence and good faith of the open-source community. This has the potential of creating a supply chain risk for the organisation.

How can organisations mitigate these risks?

To mitigate these risks, organisations should consider giving effect to the following:

Read the original post:
Protestware: what organisations should be aware of when using open source software - Lexology

Labour frontbencher advocates for open source software and regulatory innovation - Computing - February 9th, 2024
Open Source Software: Meaning, Importance, and Examples | Spiceworks - Spiceworks News and Insights - February 9th, 2024
Office of National Cyber Director Issues 2023 Year-End Report on Open Source Software Security Initiative - Executive Gov - February 1st, 2024
40 Must-Have Free Open Source Software for 2023 - Tecmint - October 16th, 2023
What Is Open Source Software and How Does It Work? | Synopsys - March 5th, 2023
15 Best Open Source Software You Must Try in 2023 - Turing - February 25th, 2023
Cyber Security Today, Feb. 24, 2023 Holes in open source software, ransomware gang tries to evade cyber insurers and more - IT World Canada - February 25th, 2023
What is Open Source Software? - SourceForge Articles - February 15th, 2023
About the Open Source Initiative | Open Source Initiative - December 28th, 2022
Comparison of free and open-source software licenses - December 20th, 2022
Building an open source software community - SAS Users - December 4th, 2022
The US Securing Open Source Software Act of 2022 is a step in the right direction - TechCrunch - November 25th, 2022
Microsoft: Hackers are using open source software and fake jobs in ... - November 17th, 2022
Open Source Software Directory - OSSD - October 23rd, 2022
Source Code for Open Source Software Components - Oracle - October 15th, 2022
We dont teach developers how to write secure software Linux Foundations David A Wheeler on reversing the CVE surge - The Daily Swig - October 15th, 2022
Learn Linux online for free with Linux Foundation Courses from edX - TechRepublic - October 15th, 2022
The Blockchain Sector is growing with the help of Open-Source Technology - Wales 247 - October 15th, 2022
GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. - The CyberWire - October 15th, 2022
When transparency is also obscurity: The conundrum that is open-source security - Help Net Security - October 7th, 2022
You thought you bought software all you bought was a lie - The Register - October 7th, 2022
Linux Foundation Energy Gains More Industry Support to Drive the Energy Transition - PR Newswire - October 7th, 2022
State of Open Source Survey By OpenLogic To Take Place In 2023 - Open Source For You - September 29th, 2022
15-Year-Old Python Vulnerability Still Affects Over 350,000 Open-Source Projects - Spiceworks News and Insights - September 29th, 2022
How Can Open Source Sustain Itself without Creating Burnout? - thenewstack.io - September 29th, 2022
OpenAI opens doors to DALL-E after the horse has bolted to Midjourney and others - The Register - September 29th, 2022
Red Hat And NdcTech Collaborate To Deliver Solutions Based On Open Source - Open Source For You - September 21st, 2022
Paladin Cloud Joins the Cloud Native Computing Foundation - GlobeNewswire - September 21st, 2022
Open Source Software - W3 - September 13th, 2022
Understanding the hows and whys of open source audits - Security Boulevard - September 13th, 2022
New Metaverse Track at O3DCon to Tackle Big Questions and Practical Applications of Emerging Graphical Technology - PR Web - September 13th, 2022
TechOps is a mess: Open source is the solution - BetaNews - September 13th, 2022
Rezilion Recognized as SBOM Tool Provider in Gartner Emerging Technologies Trend Report on Software Bills of Materials (SBOM) USA - English - USA -... - September 13th, 2022
Open Security: The next step in the evolution of cybersecurity - SC Media - September 13th, 2022
11 Interesting Firefox Add-ons to Improve Your Browsing Experience - It's FOSS - September 13th, 2022
why the giants fight over open source - Gearrice - September 5th, 2022
Compare Files in Linux With These Tools - It's FOSS - September 5th, 2022
Microsoft and ByteDance are collaborating on a big AI project, even as US-China rivalry heats up - CNBC - August 28th, 2022
OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain - DARKReading - August 20th, 2022
How W4 plans to monetize the Godot game engine using Red Hats open source playbook - TechCrunch - August 20th, 2022
Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! - Economic Times - August 20th, 2022
Free Dev Tools! But Whats the Catch? - DevOps.com - August 20th, 2022
This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host - GeekWire - August 20th, 2022
What Is Open-Source Software? (Definition and Examples) - August 12th, 2022
What is open source software? | IBM - August 12th, 2022
55+ Best Open Source PC Software for almost Everything - August 12th, 2022
80 percent of enterprises use open source software and nearly all worry about security - BetaNews - August 12th, 2022
The US Military Should Red-Team Open Source Code - Defense One - August 12th, 2022
Boeing joins the ELISA Project as a Premier Member to Strengthen its Commitment to Safety-Critical Applications - PR Newswire - August 12th, 2022
Looking for simplicity in the cloud? The future is going to be open and hybrid - The Register - August 12th, 2022
AAIS & The Linux Foundation Welcome Jefferson Braswell as openIDL Project Executive Director - The Bakersfield Californian - August 4th, 2022
Wicked Good Development Episode 13: Hacks and Ax, July Edition - Security Boulevard - August 4th, 2022
Microsoft changes its policy against the sale of open source software in the Microsoft Store - BetaNews - July 26th, 2022
BMW Group Joins the Linux Foundation's Yocto Project - PR Newswire - July 18th, 2022
Free and Open Source Software (FOSS) - UNESCO - July 9th, 2022
Know Your Enemy and Yourself: A Deep Dive on CISA KEV - Security Boulevard - June 29th, 2022
CD Foundation Announces State of CD in 2022 Report, Opens Third Annual cdCon with New Project CDEvents, New... - DevOps.com - June 10th, 2022
Samsung teams up with Red Hat for memory software development - The Korea Herald - May 25th, 2022
OpenSSF Helping to Secure Open Source Software - ITPro Today - May 25th, 2022
Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to - The Register - May 11th, 2022
This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech... - May 11th, 2022
Red Hat Expands Capabilities to Provide Streamlined Application Development and Delivery in the Cloud - Business Wire - April 28th, 2022
Industry 4.0 why smart manufacturing is moving closer to the edge - The Register - April 28th, 2022
Open source software and DevOps: What are they, and how can your business benefit? - SmartCompany - April 13th, 2022
Truist Joins the Open Invention Network - GlobeNewswire - April 13th, 2022
OpenMetal Joins the Open Infrastructure Foundation - PR Newswire - April 13th, 2022
An Early Test of The Adams Administration's Values and Tech Prowess - Gotham Gazette - April 13th, 2022
Open Source Software Faces Threats of Protestware and Sabotage - WIRED - April 1st, 2022
The Promise of Open Source Code and the Paradox of ProtestWare - Security Boulevard - April 1st, 2022
Software Composition Analysis Market to Witness Massive Growth by 2029 | Open Source Software, Oracle, Smartbear Software - Digital Journal - April 1st, 2022
Why now is the time to host your code in the cloud - TechRadar - April 1st, 2022
Those looking for clues to Googles search demise are asking the wrong question - TechRepublic - April 1st, 2022
Open Source Sabotage Incident Hits Software Supply Chain | eSecurityPlanet - eSecurity Planet - January 15th, 2022
Open-source software and threats to critical infrastructure. - The CyberWire - January 15th, 2022
Google wants secure open-source software to be the future - TechRadar - January 15th, 2022
Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions - Yahoo... - January 15th, 2022
How Open Source Is Shaping The World Around Us - Outlook India - December 19th, 2021
The Projects and People That Shaped Security in 2021 The New Stack - thenewstack.io - December 19th, 2021
Log4j: Where's Fancy Bear been? Right there, choppin' lumber... - The CyberWire - December 19th, 2021
Aqua Security acquires Argon to protect the software supply chain - VentureBeat - December 6th, 2021