Trepo
Acknowledging the risks of open source dependencies to software supply chain security

Kestilä, Riku (2022)

Open file: KestiläRiku.pdf (3.058 MB)

Master's Programme in Computer Science
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval: 2022-08-12
Permanent address of the publication: https://urn.fi/URN:NBN:fi:tuni-202206295889

Abstract
The widespread use of open-source software dependencies in software development can increase the risk of a supply chain attack against some part of the software supply chain. A supply chain attack can succeed because malicious or vulnerable code is part of the software project's open-source dependencies. Examining prior research on two of the most popular open-source ecosystems, npm and PyPI, indicates that qualities such as large numbers of direct and transitive dependencies, the interconnectedness of dependencies, trivial packages, delays in updating a dependency, abandoned or rarely updated packages, poor security practices by maintainers, and the lack of resources and security features in the package registries increase the risk of a vulnerability or malicious code becoming part of the supply chain. During a software project, risk management and the choice of suitable dependencies and technologies are important, and the risk presented by large numbers of dependencies should be weighed against the benefits that a particular open-source package offers. To mitigate the risks, best practices such as the recommendations by SAFECode and the OWASP Software Assurance Maturity Model (SAMM), which is intended for evaluating an organization's software security practices, should be applied within a Secure Software Development Lifecycle (SSDLC) for the software development process, along with secure development practices such as sandboxing third-party code. Additionally, reducing the number of dependencies can reduce the attack surface of a piece of software and make it more maintainable, since less work is needed to keep it updated. Before a package is included in the supply chain, it should be evaluated based on its maturity and other criteria, such as the Open Source Security Foundation Scorecard or similar criteria.
Several free and commercial software composition analysis tools and services that offer automated monitoring and scanning for outdated and vulnerable packages can and should be used to continuously monitor the dependencies of a project.
Collections
  • Theses - higher university degree (master's level) [40001]
Kalevantie 5
P.O. Box 617
33014 Tampereen yliopisto
oa[@]tuni.fi | Privacy notice | Accessibility statement