FEATURE : CYBERSECURITY
A recent example involved the Log4Shell vulnerability , as referenced earlier , discovered in the widely used Log4j library in 2021 . Although the flaw wasn ’ t intentionally inserted , it underscored how a single vulnerability in an OSS library can cascade through countless systems , creating widespread disruption . For defense contractors , such risks are multiplied ; an adversary exploiting OSS vulnerabilities could exfiltrate sensitive data , disrupt critical operations , or compromise the effectiveness of mission-critical systems .
The ramifications extend beyond immediate operations . For military systems , compromised software could undermine confidence in defense capabilities , potentially deterring allies or emboldening adversaries .
OSS ’ s strengths are also its greatest weaknesses . Unlike proprietary software , where the source code is tightly controlled , OSS is publicly available . While this openness fosters innovation , it also allows malicious actors to insert vulnerabilities or exploit existing ones . growing recognition that OSS security is fundamental to both defense contracting and national security .
A final consideration is the update process for OSS code .
Software vulnerabilities are often discovered that require updates . If someone downloads OSS and builds it into their code , who goes back a few years later to see if that OSS has been updated ? According to Synopsis , the answer is quite often no one .
A Synopsis 2024 Open-Source Security and Risk Analysis Report found that 91 % of codebases contain components that have had no new development in over two years and contained components that were 10 versions or more behind the most current version of the component . The findings didn ’ t get a whole lot better after 2 years as the study also found that 89 % of codebases still contain OSS that is more than 4 years out of date . So , relying on other companies to do the security analysis and vetting of OSS for you might not be such a safe bet .
Nation-state actors are particularly adept at exploiting OSS flaws . A notable example is the 2017 Equifax data breach , where attackers exploited a vulnerability in Apache Struts , an open-source web application framework , to gain unauthorized access to sensitive data of approximately 145 million Americans .
In another example , Microsoft researchers have found that the North Korean group ZINC has been identified as “ weaponizing a wide range of open-source software including PuTTY , KiTTY , TightVNC , Sumatra PDF Reader and muPDF / Subliminal Recording software installer ” to attack unsuspecting organizations with malware after using those varieties of OSS .
The regulatory landscape is evolving to address these challenges . The Department of Defense ’ s Cybersecurity Maturity Model Certification ( CMMC ) 2.0 framework emphasizes adherence to robust cybersecurity practices , with an increased industry focus on maintaining Software Bills of Materials ( SBOMs ) that document all open-source components and their origins . While not explicitly mandated under CMMC 2.0 , SBOMs are increasingly recognized as essential for managing supply chain risk .
Additionally , Executive Order 14028 on Improving the Nation ’ s Cybersecurity mandates enhanced software supply chain security measures . Federal agencies are now required to obtain SBOMs from vendors of critical software , with specific provisions addressing the risks posed by open-source dependencies in these systems . These evolving requirements reflect a
Mitigating the risks associated with OSS requires a multi-faceted approach . For organizations operating in national security , the following steps are crucial :
1 . Improved Transparency : Defense contractors and other critical organizations need greater visibility into their software supply chains . Tools that map software dependencies can identify components of questionable origin and highlight potential risks .
2 . Enhanced Governance : Establishing stricter guidelines for OSS usage in sensitive systems is essential . This includes conducting rigorous code reviews , implementing robust version controls , and mandating compliance with security standards .
3 . Collaborative Threat Intelligence : The defense sector must collaborate with government agencies , industry peers , and OSS communities to share threat intelligence . By identifying and mitigating vulnerabilities collectively , the industry can stay ahead of adversarial threats .
4 . Investment in Secure Development Practices : Organizations must prioritize secure coding practices , including regular penetration testing , automated vulnerability scans , and adherence to best practices for OSS integration .
5 . Adoption of Zero-Trust Architecture : Implementing a zero-trust model can limit the impact of potential OSS vulnerabilities . This approach treats every component as a potential threat , enforcing strict access controls and continuous monitoring . p
www . intelligentcio . com INTELLIGENTCIO NORTH AMERICA 55