Lack of resources for maintainers poses a risk to the growth of Open Source in Africa

At a two-day conference last week at the United Nations in New York, technology experts and international policymakers outlined the benefits that open source software (OSS) can bring to the world, particularly in providing affordable technology to underserved countries in Africa and beyond. But to make the most of OSS’s promise, security must go hand in hand with application development.

Philip Thigo, the Kenyan government’s special envoy for technology, pointed out that in a world where exclusion from prosperity is the norm, OSS provides a way for more people to participate in coding and application development. He noted that GitHub, for example, has over 300,000 developers from Kenya and over a million from Nigeria.

“In the era of the Sustainable Development Goals, where we need to end extreme poverty but also leave no one behind… open source is becoming almost intrinsic or integral to everything we do,” he told participants at the 2024 UN Open Source for Good Programme Officers Conference on July 9.

To achieve these goals, every nation must also focus on ecosystem security, Omkhar Arasaratnam, CEO of the Open Source Security Foundation (OpenSSF) and a speaker at the conference, tells Dark Reading.

“We think it’s great that open source can help in all these areas and create a community, but of course the prerequisite is that it’s secure,” he says. “The last thing you want is for a part of the global majority to face, for example, food safety and cybersecurity issues because of insecure software.”

Under-resourced: Warnings About the Dangers of Open Source

Companies looking to secure the open source components used in their application development efforts (the “demand side,” as Arasaratnam calls it) have many tools and services available. But too often, open source maintainers and contributors to projects, including in Africa, lack funding and resources for security. In fact, many of them volunteer on the projects or are the only person on the team.

“Demand is the easy part, it’s the supply that we need to focus on,” he says. “Remember, a lot of these programs, a lot of these core open source projects are single-maintainer projects that happen to be incredibly popular.”

The coordinated attack on the XZ Utils project shows the scale of the threat. Over more than two years, a sophisticated actor worked on the project’s sole, overworked maintainer: personas controlled by the attacker criticized him for slow progress while another offered to help. The attacker eventually obtained maintainer privileges and inserted a backdoor into the library’s release tarballs.

The attack on the XZ Utils project, which could have compromised the many other projects that depend on it, holds important lessons: not only is supply chain security important, but such attacks can be stopped. Arasaratnam pointed out that one of OpenSSF’s free tools, Scorecard, had already highlighted the riskiness of the XZ Utils project, and that other projects have used the same tooling to detect similar social engineering efforts.

“The good news is that after hearing about the attack, a number of other open source projects identified a very similar modus operandi of actors trying to do the same things,” he says. “But because those projects had much more resources, they weren’t exposed to it.”

Creating a Secure Open Source Ecosystem

To strengthen security and avoid the dangers of underfunded projects, companies have several options, starting with determining which OSS their developers and operations actually rely on. To this end, software bills of materials (SBOMs) and software composition analysis (SCA) tools can help enumerate what is in the environment and potentially reduce the number of packages companies have to audit and manage, says Chris Hughes, chief security advisor at software supply chain security firm Endor Labs.
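As an added illustration of that enumeration step (this is example code, not code from the article, Endor Labs, or OpenSSF), the script below reads CycloneDX JSON SBOMs, one per application, and collapses them into the unique set of packages that actually needs auditing, ranked by how many applications ship each one and with packages pinned at different versions called out. The CycloneDX format is real; the two SBOM documents, the application names and the package versions are constructed for the example.

```python
"""Collapse per-application SBOMs into one audit list.

Added example, not code from the article, Endor Labs or OpenSSF. Parses
CycloneDX JSON SBOMs (real format; the two documents below are constructed)
and reports unique packages, which apps depend on each, and version drift.
"""
import json
from collections import defaultdict

# Constructed SBOMs for two hypothetical internal services.
SBOM_PAYMENTS = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "payments-api"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "xz-utils", "version": "5.6.1",
         "purl": "pkg:deb/debian/xz-utils@5.6.1"},
    ],
})

SBOM_REPORTING = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "reporting-batch"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.18",
         "purl": "pkg:pypi/urllib3@1.26.18"},
        # A component with no Package URL: the key falls back to name@version.
        {"type": "library", "name": "legacy-csv", "version": "0.3"},
    ],
})


def component_key(component: dict) -> str:
    """Identify a component by its Package URL when present, else name@version."""
    if component.get("purl"):
        return component["purl"]
    return f'{component["name"]}@{component.get("version", "?")}'


def parse_sbom(sbom_json: str) -> tuple[str, list[str]]:
    """Return (application name, component keys) for one CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    app = doc["metadata"]["component"]["name"]
    keys = [component_key(c) for c in doc.get("components", [])
            if c.get("type") == "library"]
    return app, keys


def inventory(sboms: list[str]) -> dict[str, set[str]]:
    """Map each unique component to the set of applications that ship it."""
    users: dict[str, set[str]] = defaultdict(set)
    for sbom in sboms:
        app, keys = parse_sbom(sbom)
        for key in keys:
            users[key].add(app)
    return dict(users)


def audit_queue(inv: dict[str, set[str]]) -> list[tuple[str, int]]:
    """Order components by blast radius: most dependent applications first."""
    return sorted(((k, len(v)) for k, v in inv.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def version_drift(inv: dict[str, set[str]]) -> dict[str, list[str]]:
    """Packages present at more than one version; consolidating them shrinks the audit set.

    Note: purls with qualifiers (?arch=...) are not handled by this simple split.
    """
    versions: dict[str, set[str]] = defaultdict(set)
    for key in inv:
        name, _, version = key.rpartition("@")
        versions[name].add(version)
    return {n: sorted(v) for n, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    inv = inventory([SBOM_PAYMENTS, SBOM_REPORTING])
    print(f"{len(inv)} unique components across {2} SBOMs")
    for key, n in audit_queue(inv):
        print(f"{n} app(s)  {key}")
    for name, versions in version_drift(inv).items():
        print(f"version drift: {name} -> {versions}")
```

Keying on the Package URL rather than the bare name matters because the same name can exist in several ecosystems (a PyPI package and a Debian package are different artifacts with different maintainers); the fallback to name@version exists only so that components an SBOM generator failed to resolve are not silently dropped from the audit list.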

“There are just so many software programs, so many projects, so many libraries that the idea of … actively monitoring all of them is just — it’s very difficult,” he said.

Training developers and package maintainers on how to produce and maintain code securely is another area that can yield significant gains. OpenSSF, for example, has created a free course, LFD121 (Developing Secure Software), as part of this effort.

“We’re going to be developing a course on security architectures, which will also be released later this year,” says OpenSSF’s Arasaratnam. “As well as a course on security that’s not just for engineers, but also for technical leaders, because we think that’s a critical part of the equation.”

The group has also worked with the Cybersecurity and Infrastructure Security Agency (CISA) to identify critical open source projects. It is developing and funding tools such as OpenSSF Scorecard, which documents the security posture of a specific project, and Sigstore, a keyless signing and verification framework that lets consumers verify who signed a package and records each signature in a public transparency log. Finally, Arasaratnam says OpenSSF has helped secure the repository platforms where open source packages reside, including PyPI, RubyGems, and npm, the Node package manager.
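Scorecard is most useful when its output is actually read, so here is an added example (not OpenSSF’s code) of triaging its results for the risk pattern the article describes: a popular project with one overloaded maintainer. It consumes the JSON that `scorecard --repo=<url> --format=json` emits and flags repositories whose Maintained, Contributors and Code-Review checks are weak. The JSON shape and check names are Scorecard’s own; the two result documents, the repository names and every score are constructed for the example, and the 5-out-of-10 threshold is an arbitrary choice for illustration.

```python
"""Triage OpenSSF Scorecard JSON output for maintainer-concentration risk.

Added example, not OpenSSF's code. Input is the `scorecard --format=json`
document (real shape); the two results below are constructed and the scores
are made up. A score of -1 means Scorecard could not evaluate the check.
"""
import json

# Checks whose weakness is typical of a single, overloaded maintainer.
WATCH_CHECKS = ("Maintained", "Contributors", "Code-Review")

# Constructed Scorecard results for two hypothetical repositories.
SCORECARD_A = json.dumps({
    "date": "2024-07-01",
    "repo": {"name": "github.com/example/tiny-compress", "commit": "0" * 40},
    "scorecard": {"version": "v5.0.0", "commit": "0" * 40},
    "score": 4.1,
    "checks": [
        {"name": "Maintained", "score": 3, "reason": "constructed: little recent activity"},
        {"name": "Contributors", "score": -1, "reason": "constructed: inconclusive"},
        {"name": "Code-Review", "score": 0, "reason": "constructed: no reviewed changesets"},
        {"name": "Signed-Releases", "score": -1, "reason": "constructed: no releases"},
    ],
})

SCORECARD_B = json.dumps({
    "date": "2024-07-01",
    "repo": {"name": "github.com/example/well-staffed", "commit": "1" * 40},
    "scorecard": {"version": "v5.0.0", "commit": "1" * 40},
    "score": 8.2,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "constructed"},
        {"name": "Contributors", "score": 10, "reason": "constructed"},
        {"name": "Code-Review", "score": 9, "reason": "constructed"},
        {"name": "Signed-Releases", "score": 8, "reason": "constructed"},
    ],
})


def parse_scorecard(result_json: str) -> tuple[str, float, dict[str, int]]:
    """Return (repo name, aggregate score, {check name: score})."""
    doc = json.loads(result_json)
    scores = {c["name"]: int(c["score"]) for c in doc["checks"]}
    return doc["repo"]["name"], float(doc["score"]), scores


def assess(result_json: str, threshold: int = 5) -> dict:
    """Flag a repo whose watched checks score below `threshold`.

    Inconclusive (-1) or missing checks are reported separately rather than
    counted as passing, so a silent gap in the data does not look like a pass.
    """
    repo, overall, scores = parse_scorecard(result_json)
    weak, inconclusive = [], []
    for name in WATCH_CHECKS:
        score = scores.get(name, -1)
        if score == -1:
            inconclusive.append(name)
        elif score < threshold:
            weak.append(name)
    return {
        "repo": repo,
        "overall": overall,
        "weak": weak,
        "inconclusive": inconclusive,
        "flagged": bool(weak),
    }


def triage(results: list[str], threshold: int = 5) -> list[dict]:
    """Assess many results, worst first (most weak checks, then lowest score)."""
    assessed = [assess(r, threshold) for r in results]
    return sorted(assessed, key=lambda a: (-len(a["weak"]), a["overall"], a["repo"]))


if __name__ == "__main__":
    for a in triage([SCORECARD_B, SCORECARD_A]):
        marker = "FLAG" if a["flagged"] else "ok  "
        print(f'{marker} {a["repo"]} score={a["overall"]} '
              f'weak={a["weak"]} inconclusive={a["inconclusive"]}')
```

The point of treating -1 as “unknown” rather than “fine” is that the checks most relevant to the XZ Utils pattern are exactly the ones that tend to come back inconclusive on small repositories, and a triage script that quietly skips them would hide the projects it was written to surface.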
