The Future of Open Source in the Secure Supply Chain

By: Luke Hinds

When asked to reflect on March 2020, most people will recall an unsettling global environment as governments and international organizations grappled with the uncertainty of the COVID-19 pandemic. Technology leaders, however, may have a different perspective. In the midst of country-wide lockdowns, digital transformation began accelerating more quickly than ever as masses of workers were forced to establish working environments in their homes and rely on cloud-based platforms to collaborate with colleagues. As cloud demands increased, so did security risks and vulnerabilities, leading to calamitous supply chain security issues—the impact of which was felt across industries and open source communities.

The rise of industry-agnostic security threats

On March 26th, 2020, Texas-based software company SolarWinds unknowingly released a hacked update of their Orion software. The compromised update installed a backdoor on over 18,000 customer machines that reported to attacker-controlled command-and-control servers. Many notable tech companies, including Intel, NVIDIA, Cisco, Belkin and VMware, later confirmed they had seen infected computers running the Orion platform. Eventually we would learn that the attack’s blast radius went beyond commercial technology vendors—it penetrated right into the heart of the United States government. The attack, which was believed to have originated from the Russian Foreign Intelligence Service, led to the compromise of computer networks within the United States Department of the Treasury, Department of Justice, Department of Energy, and the Pentagon.

Shortly after the SolarWinds attack, we learned of another major security compromise—this time targeted at a specific site. In May of 2021, the Colonial Pipeline suffered a ransomware cyberattack that impacted the computer systems used to manage the pipeline. Because the Colonial Pipeline is the largest pipeline system for refined oil products in the United States and provides 45 percent of the East Coast’s fuel, the attack resulted in an emergency declaration across 17 states. Furthermore, the Colonial Pipeline Company voluntarily shut down the main pipeline to avoid additional attacks. The Colonial Pipeline Company paid the hacker group DarkSide a ransom of 75 bitcoins, equal to $4.4 million at the time, to resolve the issue. This event is regarded as the largest cyberattack on oil infrastructure in the history of the United States.

The SolarWinds and Colonial Pipeline attacks had a significant impact, leading to an executive order to improve the nation’s cybersecurity. Tech giants, government agencies, and everyday Americans were able to witness how devastating cyberattacks of this magnitude could be. A new reality began to settle in—without the proper security, hackers have the ability to disrupt critical infrastructure from countless miles away using only a laptop.

The development of open source security solutions

In the midst of these major infiltrations of proprietary software, the open source community also began to see an uptick in attacks against open source software—a massive 650 percent increase as reported by Sonatype—using typosquatting and malicious code injection. The Codecov attack gave hackers access to customers’ sensitive data, and GitHub faced multiple attacks using security tokens stolen through continuous integration systems such as Travis CI and Heroku.

Open source software supply chains are undeniably exposed to hacking risks, making the potentially disastrous outcomes of a hack—considering the proliferation of open source in all sectors of industry—all the more troubling. In response to the world’s growing security concerns, leaders from across industries, including finance, academia, telecommunications, and technology, came together to form the Open Source Security Foundation (OpenSSF) in August 2021. The OpenSSF is a collaborative effort to improve open source software security. Specialized working groups formed within OpenSSF to focus on the many different domains within open