Dan Conn, Developer Advocate, Sonatype
State of Open: The UK in 2023
Phase One: “A Year in Review”
The cybersecurity landscape, as highlighted since July, by OpenUK CISO Andrew Martin, underscores the urgency of robust measures. Major incidents include a Twitter data breach, a surge in cyber attacks, and a geopolitical twist with Russia attributed to a cyber attack on Montenegro. The open source community, exemplified by the OpenUK State of Open Con, actively addresses these challenges. Key insights include the prevalence of vulnerabilities in transitive dependencies and the need for securing open source projects. Collaborative efforts, such as the Open Source Software Security Initiative, are advocated, emphasising dependency management, code review, and collaboration with entities like Linux Foundation and government agencies for a resilient cybersecurity posture.
THOUGHT LEADERSHIP: SECURITY LANDSCAPE UPDATE
Dan Conn, Developer Advocate, Sonatype
A lot has happened since OpenUK CISO Andrew Martin, gave July’s report.
Straight off the bat at the end of July, we saw a data breach involving 5.4 million Twitter accounts being sold in a database from criminal hacker, devil. This was a reminder that security will affect all of us. It also requires thought, investment and intelligence to get right. A point further compounded by Check Point Research66 showing a 38% increase in cyber security attacks in 2022. I don’t think it would be risky to bet on 2023 making a further increase.
The devastating conflict in Ukraine continues to ravage. One unexpected, related event resulted in Montenegro, a NATO ally, attributing Russia for a sustained cyber security attack attacking their government servers. This was later claimed by the Cuba ransomware group (not thought to be related to the Republic of Cuba). As Longeren and Smith tell us, attribution is a very difficult subject for any cyber threat intelligence analyst. I hope Open Source Software initiatives such as the EU based OpenCTI project68 can help provide more data in these areas.
Along with 9.9 million records breached in October 2022 (thankfully not personal data this time69, one thing that is for sure is the overwhelming amount of cybersecurity attacks that occur and continue to do so.
So how does this fit with Open Source? Well, as was witnessed through the inaugural OpenUK State Of Open Con 2370 a lot! The security track was filled with discussion on how to secure supply chains, how SBOMs will help with that, and that Open Source is not immune to this challenge. As quoted in some talks at the conference, statistics from the Sonatype State of the Software Supply Chain report71 show that 6 out of 7 project vulnerabilities come from transitive dependencies and request volumes from package ecosystems (Maven, PyPI, npm and Nugent) are estimated to have reached 3.1 trillion for 2022, meaning work is needed here to ensure our Open Source projects are not vulnerable for those that use them.
On day one, a keynote from Anjana Rajan, Assistant National Cyber Security Director, Technology Security Directorate, The White House, announced a collaborative project called the Open Source Software Security Initiative, combined with the work CISA were doing to encourage the use of SBOMs in the community, and a push towards memory safe languages, can help our Open Source cyber resilience. The Department for Culture, Media and Sport (DCMS) Head of Cyber Resilience Policy, Naomi Gilbert, explained that a call for views has been published on software resilience and security, and Open Source is expected to play a unique role in this area.
Day two started with Sal Kimmich’s keynote “Regulation by Telemetry: How to Fix OS Security by 2030” with some very bold ambitions, which I believe we can achieve. Throughout the two days, ways of improving our Open Source security posture came out: dependency management, code review, threat modelling, penetration testing and the need to secure cloud and Kubernetes infrastructures. It is a tall ask, but by coming together and collaborating in the unique way Open Source does, fostering relationships with governments and organisations such as Linux Foundation, NCSC, NIST, OWASP, OpenSSF, CNCF, Apache, and others, means that nothing is insurmountable.