Securing Open Source Software - End-to-End, at Massive Scale, Together

Conference:  BlackHat USA 2021



The presentation discusses the need for coordinated and strategic efforts to reduce vulnerabilities at scale in the open source ecosystem.
  • Traditional vulnerability research and ongoing CVEs can only do so much in reducing vulnerabilities at scale
  • The threat model and attack surface of open source software needs to be analyzed and understood by consumers and implementers
  • Enhanced testing and adoption of traditional software engineering practices like static analysis, fuzzing, and peer code review are necessary
  • Participation in coordinated vulnerability disclosure and the use of software bill of materials can reduce end risk for consumers
  • Concentrating resources on critical libraries, components, and projects can provide the most impact
The presentation shares a story of a security researcher who found a critical bug in an open source cryptographic library but had difficulty finding the developer or maintainer to report it. The lack of a centralized place for developers to hang out and the involvement of multiple parties, including a commercial security package vendor, made the process of coordinated vulnerability disclosure challenging.


Open source software is a significant part of the core infrastructure in most enterprises in most sectors around the world and is foundational to the internet as we know it. Consequently, it represents a massive and profoundly valuable attack surface. Each year more lines of source code are created than ever before - and along with them, vulnerabilities. Consequently, we are minting vulnerabilities faster than our current techniques can discover and remediate them. We haven't yet seen the true potential of techniques for finding vulnerabilities at scale, and there are reasons to believe attackers may get there before we can.The combination of distributed community-driven development, public-facing deobfuscated source code, inconsistent use of security reviews and tooling, and the prominence of many key FOSS projects as the core infrastructure of enterprises around the world and of the internet itself means that the unique model that has made open source software projects and development lifecycles so impactful is also that which has historically made them difficult to secure. These are the problems we were aiming to solve with the creation of the Open Source Security Foundation. In this presentation, we’ll share key lessons learned in our experience coordinating the industry-wide remediation of some of the most impactful vulnerabilities ever disclosed (Heartbleed, Shellshock, Rowhammer, and BlueZ), present a threat model of the many unmitigated challenges to securing the open source ecosystem, share new data which illustrates just how fragile and interdependent the security our core infrastructure can be, debate the challenges to securing OSS at scale, and speak unspoken truths of coordinated disclosure and where it can fail. We will also discuss research advances that are making it easier for adversaries to find and exploit vulnerabilities at scale, and offer guidance for how members of the security community can get involved and contribute meaningfully to improving the security of OSS - especially through coordinated industry-wide efforts.This presentation will include the official launch announcement of Open Source Security Foundation's (openssf.org) grant program for security research projects to help secure the open source ecosystem!