Syllabus
Intro
Open Source Security: Navigating the Iceberg
The Enemy Gets a Vote
Dependency Maturity Levels
Open Source Detection
Security Notifications
Remediating Open Source Vulnerabilities
Important: Vulnerable vs Malicious Packages
Malicious Packages: Bad from the start
  - Typosquatting
Identity Concepts
Identity: Risk and Reward
  - Package compromise rewards are mostly predictable:
    - Stolen credentials
2FA Challenges
  - Transitive dependencies
Security Multipliers
Why Malicious Updates Are Missed
Open Source Updates: Inconvenient To Review
  - Source control platforms are designed for reviewing your code, not someone else's code you imported
All Things Equal, Decentralized Makes Security Worse
  - Whenever a malicious package is discovered, the first instinct is: Why didn't the registry detect this, and how long did it take them to remove
SemVer Range Example
Uncapped Version Ranges Are An Antipattern
Version Selection: The Way Forward
1. Better Open Source Publishing Protection
  - Single-factor authentication is unacceptable
  - Registries should ideally allow enforcing 2FA for publishing
  - Consumers can elect to use only dependencies with enforced 2FA
2. Verifiable Source Code Using Reproducible Builds
  - There's no point reviewing for malicious code if we're scanning the wrong code to begin with
  - Non-reproducible builds should be a code smell, like lack of 2FA
Open Source Dependencies Should Be Sandboxed
  - Today's approach to malicious open source packages can be compared to Windows 95 before the malware tsunami
  - Unfortunately, no relief in sight from language ecosystems
Package Managers Implement Minimal Selection
  - It's madness that a malicious package release can be installed accidentally seconds after it's published, without anybody reviewing it
  - Minimal Version Selection should be a configurable option for package ecosystems
Taught by
Linux Foundation