The Dot Zero Conundrum and the New Frontier of Securing Open Source

Over the past two years, I’ve spoken about more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private SSH keys, insert backdoors, and even deliver targeted patches that altered proprietary code. The malicious injections have been difficult to detect because, on the surface, they look no different from any other open source contribution. These bad actors leveraged the communal nature of open source to their advantage, in some instances with devastating effect.

Understanding these types of breaches, and how attackers are playing the “long game”, is something we at Sonatype continue to focus on as we expand our product capabilities. We know that cybercrime is big business. In 2016, cybercrime, at an estimated value of $450 billion, outpaced the illicit drug trade by $15 billion. By 2021, cybercrime is estimated to be worth $6 trillion, roughly $800 for every person on the planet. Monetizing information stolen through compromised code is the new criminal frontier.

Our mission is to help our customers stay ahead of these and other emerging threats. To do this, we’ve had to get creative. We’ve had to think like those who stand to profit, and to anticipate how they leverage the open source community and its projects for nefarious purposes. Catching these breaches proactively is a hard problem to solve.

To address the next frontier of cybercrime, Sonatype is combining a new type of behavioral analysis with machine learning and proprietary data to give our customers an indication, or early warning sign, when a new release of an open source project exhibits heightened risk attributes. Think of it as Minority Report meets (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: