Open Source Basic Practices for Higher Quality Code to Fundamentally Strengthen Your Project

Sonatype has partnered with the Cloud Native Computing Foundation (CNCF) for Security Slam, an event to help improve the security of open source projects. To extend the value of this event, we created a series of blog posts on best practices for open source maintainers.

Here in the third and final post of our series, we focus on a few basic practices for higher quality code to help fundamentally strengthen your project. A strong foundation on which to build and grow your project starts with a return to fundamental practices that keep contributors and maintainers on the same page.

Modern Threat Vectors: an Ongoing Story

Open source software, by its very nature, is built by the community, for the community.

However, open source projects that gain even a modest level of visibility face an increasing number of attacks by bad actors.

Bad actors no longer wait for public disclosure of vulnerabilities. They forge their own paths to gain unauthorized access and extract data. While they continue to carve out more threat vectors, a few current popular methods include:

  • Repository hijacking – They hijack a maintainer account and publish malicious packages to the repository.

  • Typosquatting – They try to trick developers into downloading deliberately misnamed malicious packages meant to closely resemble legitimate packages.

  • Dependency confusion – They trick an installer script into pulling a malicious package from a public repository instead of the intended package of the same name from a private repository.

Recently, these tactics have played out in a few notorious cases, such as a popular npm project, a PHP Git server hack, and a flood of dependency confusion PoCs on PyPI projects.
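Two of the three vectors above, typosquatting and dependency confusion, can be caught before `pip install` ever runs. The following pre-install check is an added example written for this post, not code from Sonatype or the CNCF Security Slam; the allowlist, the internal package names, the index URL and the sample requirements file are all constructed. It flags requested names that sit within a couple of edits of an allowlisted public package (a typosquat candidate), and it flags internal package names whenever the requirements file still lets pip consult a public index, because pip treats `--index-url` and `--extra-index-url` as equals and takes the highest version it finds across both.

```python
import re

# Constructed sample data (not from the post): public packages the project
# legitimately depends on, and the project's own privately published packages.
KNOWN_PUBLIC = {"requests", "numpy", "urllib3", "cryptography", "pyyaml"}
INTERNAL = {"acme-billing", "acme-auth"}


def normalize(name):
    """PEP 503 style name normalization: lowercase, runs of -_. collapse to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line):
    """Return the normalized package name from a requirements.txt line,
    or None for blank lines, comments and pip options such as --index-url."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None


def audit_requirements(text, known_public=KNOWN_PUBLIC, internal=INTERNAL, max_distance=2):
    """Return (name, kind, reason) findings for a requirements.txt body.

    kind is 'typosquat' for a non-allowlisted name close to an allowlisted one,
    'dependency-confusion' for an internal name that a public index could also
    satisfy, and 'unknown' for anything else not on the allowlist."""
    lines = [ln.strip() for ln in text.splitlines()]
    has_private_index = any(ln.startswith("--index-url") for ln in lines)
    has_extra_index = any(ln.startswith("--extra-index-url") for ln in lines)
    findings = []
    for ln in lines:
        name = parse_requirement(ln)
        if name is None:
            continue
        if name in internal:
            # Safe only if the default public index was replaced and no extra
            # index was added back; otherwise a same-named public package can win.
            if not has_private_index or has_extra_index:
                findings.append((name, "dependency-confusion",
                                 "internal package resolvable from a public index"))
            continue
        if name in known_public:
            continue
        close = sorted(k for k in known_public if levenshtein(name, k) <= max_distance)
        if close:
            findings.append((name, "typosquat",
                             f"not allowlisted; within {max_distance} edits of {close[0]}"))
        else:
            findings.append((name, "unknown", "not in allowlist; review before installing"))
    return findings


# Constructed requirements file: a private index, a public extra index that
# reopens the confusion window, a transposed-letter typo, and an internal package.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.31.0
reqeusts==2.31.0    # constructed typo of requests
acme-billing>=1.4
numpy
"""

if __name__ == "__main__":
    for name, kind, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{kind:22} {name:15} {reason}")
```

Running it on the sample reports `reqeusts` as a typosquat candidate and `acme-billing` as exposed to dependency confusion; dropping the `--extra-index-url` line clears the second finding, which is the intended fix: point pip at one private index that proxies the public packages you need, and never list a public index beside it.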

Opportunistic bad actors continually find new threat vectors and constantly renew tried-and-true tactics of attacking software projects. For open source (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Aaron Linskens. Read the original post at: https://blog.sonatype.com/open-source-basic-practices-for-higher-quality-code