Linux and LISH release census for open source security

The Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH), announced the release of ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.

This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern-day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open-source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

“The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open-source software packages and components in the global supply chain. The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that result in trust and transparency in software,” said Jim Zemlin, executive director at the Linux Foundation.

Working in collaboration with Software Composition Analysis (SCAs) and application security companies, including developer-first security company Snyk and Synopsys Cybersecurity Research Center (CyRC), the Linux Foundation and Harvard were able to combine private usage data with publicly available datasets and develop a methodology for identifying more than 200 of the most used open-source software projects, 20 of which are detailed in the findings. For the detailed methodology and list, including elaboration on each project, please read the report.

“FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smartphones, cars, the Internet of Things, and numerous pieces of critical infrastructure. Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy,” said Frank Nagle, a professor at Harvard Business School and co-director of the Census II project.  

With FOSS constituting 80-90 percent of all software, it is more important than ever that we understand what FOSS is most used and where it could be vulnerable to attack. The increasing importance of this has been underscored with US government agencies pushing for deeper insights into the software building blocks that make up various packages and devices via a software bill of materials (SBOM). For example, in April 2018, the leaders of the US Congress House of Representatives Energy and Commerce Committee sent a letter to the Linux Foundation, acknowledging the critical importance of FOSS and exploring the opportunities and challenges related to FOSS.

The increasing importance of FOSS throughout the economy became critically apparent in 2014 when the Heartbleed security bug in the OpenSSL cryptography library was discovered. By some estimates, the bug impacted nearly 20 percent, or half a million, of secure web servers on the Internet. It was the impetus for the Core Infrastructure Initiative, which has raised millions of dollars for open source security in just the last six years.

“Open source is an undeniable and critical part of today’s economy, providing the underpinnings for most of our global commerce. Hundreds of thousands of open-source software packages are in production applications throughout the supply chain, so understanding what we need to be assessing for vulnerabilities is the first step for ensuring long-term security and sustainability of open-source software,” said Zemlin.