This post explains some security aspects specific to free and open source software (FOSS).
FOSS Security Risks
There are some risks that should be taken into account especially on FOSS projects.
- Risks in common with proprietary software:
  - Unmaintained software. This may happen more often on poorly funded FOSS projects maintained by a small set of volunteers than on well funded projects backed by strong communities or renowned organizations.
  - Vulnerability exploits. As FOSS source code is public, anyone can check the source code looking for exploitable vulnerabilities. On the other hand, the public peer review that is only possible with FOSS also lets these vulnerabilities be detected and reported with the more positive intention of fixing them.
  - Malicious code addition. As FOSS projects and contributions can be created by anyone on the internet, it may be easier for a malicious contributor to add malicious code to the source code. On the other hand, open source code allows the public peer review that proprietary code does not.
  - Bad developer practices. Some FOSS projects may be badly coded or reviewed.
  - Dependencies. FOSS projects may be linked to other FOSS projects that have any of the issues previously listed.
- Risks specific to FOSS:
  - Namesake packages. Malicious actors may create projects with names similar to the original that include malicious code, hoping that the confusion gets them used as dependencies by other projects.
Lack of Maintenance
Community-driven FOSS is usually developed by volunteers, and they may not have full commitment.
Lack of maintenance may lead to bugs and unpatched library vulnerabilities.
Malware Injection
Malicious agents may add malicious software into.
Examples of malware injection:
- npm (2022)
- PyPI
- XZ Utils (2024)
PyPI Malware Injection
Python Package Index (PyPI)
In 2022 security groups found 116 malware packages.
In 2024 attackers hid a Golang version of the Sliver C2 inside a logo image.
Bad Developer Practices
Some FOSS projects may be badly coded or reviewed.
Dependencies
FOSS projects may be linked to other FOSS projects that have any of the issues previously listed.
Namesake Packages / Masquerading
FOSS offers modification and redistribution to anyone, and that includes malicious agents, who take advantage of an ease that does not usually exist with proprietary software.
Malicious agents may retrieve a program's source code, create a copy and add malware to the original code.
Masquerading is the act of mimicking an existing and popular project by creating another one with a confusingly similar name and displaying the same images and metadata. The only difference between the original project and this one is that the copy contains malware.
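A defensive check for the namesake and masquerading risk described above, covering the "Namesake packages" bullet and this section. This is an added example, not code from the original post: it scans a requirements file and flags names that are a decorated form ("python-requests", "urllib3-dev") or one edit away ("reqeusts") from a trusted name. POPULAR_PACKAGES and SAMPLE_REQUIREMENTS are constructed samples, not a snapshot of any real registry, and the decoration patterns are an assumed, illustrative subset of what real typosquat detectors use.

```python
"""Namesake / typosquat check for a dependency list.

Added example, not code from the original post. POPULAR_PACKAGES and
SAMPLE_REQUIREMENTS are constructed samples, not a registry snapshot.
"""
import re

# Constructed allow-list: the well-known names a project expects to depend on.
POPULAR_PACKAGES = ["requests", "numpy", "urllib3", "cryptography",
                    "pyyaml", "python-dateutil"]

# Constructed requirements file: one real name, a transposition, a decorated
# name, a deletion and one unrelated package.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.31.0
reqeusts==2.31.0
python-requests
urlib3>=1.26
flask==3.0.0
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold, collapse runs of - _ . into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute and
    adjacent transposition each cost 1 (catches 'reqeusts' vs 'requests')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def looks_like_namesake(name: str, popular=POPULAR_PACKAGES):
    """Return the popular package `name` resembles, or None.

    An exact (normalized) match is legitimate. Otherwise two heuristics fire:
    1. stripping decorations a masquerader may add ('python-requests',
       'requests3', 'urllib3-dev') yields a popular name;
    2. the name is within one edit of a popular name.
    """
    n = normalize(name)
    known = {normalize(p): p for p in popular}
    if n in known:
        return None
    # Assumed, illustrative decoration patterns (prefix, suffix, trailing digits).
    stripped = re.sub(r"^(python-|py-)", "", n)
    stripped = re.sub(r"(-(dev|py|python|lib|utils))?\d*$", "", stripped)
    if stripped in known:
        return known[stripped]
    best = None
    for norm, original in known.items():
        dist = min(osa_distance(n, norm), osa_distance(stripped, norm))
        if dist <= 1 and (best is None or dist < best[0]):
            best = (dist, original)
    return best[1] if best else None


def scan_requirements(text: str, popular=POPULAR_PACKAGES):
    """Return [(suspicious_name, popular_name_it_imitates)] for a requirements file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The name ends at the first version specifier, extra, marker or space.
        name = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]
        hit = looks_like_namesake(name, popular)
        if hit:
            findings.append((name, hit))
    return findings


if __name__ == "__main__":
    for suspicious, imitated in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"WARNING: '{suspicious}' looks like a namesake of '{imitated}'")
```

Running the script on the constructed file reports three findings (reqeusts, python-requests and urlib3) and stays silent on requests and flask. Such a check belongs in CI before any install step; it only narrows the problem, since a name that passes can still carry malware, which is what the hash and signature checks of a proper marketplace address.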
Lack of Security Monitoring
Paid app marketplaces usually integrate verification processes to ensure that all uploaded software is malware-free. On the other hand, some public marketplaces that offer free software may lack this control, and malicious agents take advantage of it to perform masquerading and trojan horse attacks.
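When the marketplace does not verify uploads, the consuming project has to do its own verification of every dependency it pulls in; this serves both the "Dependencies" section and the monitoring gap described here. The following is an added example, not code from the original post: it mirrors the idea of pip's hash-checking mode (requirements pinned with `--hash=sha256:...`) on a constructed lockfile and two constructed archive blobs, rejecting an artifact whose digest differs from the pinned one, a package that was never pinned, and a package absent from the lockfile. No network access is needed.

```python
"""Hash-pinned dependency verification in the spirit of pip's --require-hashes.

Added example, not code from the original post. The archives and lockfile
below are constructed stand-ins; nothing is downloaded.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a vetted release archive and a tampered copy of it.
GOOD_ARCHIVE = b"PK\x03\x04 requests-2.31.0 (constructed stand-in for the real wheel)"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# injected payload (constructed)"

# Constructed lockfile in pip's hash-checking syntax. The requests pin is the
# digest recorded when the dependency was first reviewed; urllib3 is
# deliberately left unpinned to show that failure mode.
LOCKFILE = f"""\
# constructed lockfile
requests==2.31.0 \\
    --hash=sha256:{sha256_hex(GOOD_ARCHIVE)}
urllib3==2.2.1
"""


def parse_lockfile(text: str) -> dict:
    """Return {normalized_name: (version, {sha256 hex digests})}.

    Joins backslash line continuations and ignores comments and blank lines.
    """
    pins = {}
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.strip()
        if not logical or logical.startswith("#"):
            continue
        parts = logical.split()
        name, _, version = parts[0].partition("==")
        hashes = {p[len("--hash=sha256:"):] for p in parts[1:]
                  if p.startswith("--hash=sha256:")}
        pins[name.lower()] = (version, hashes)
    return pins


def verify_artifact(name: str, data: bytes, pins: dict):
    """Decide whether a downloaded archive may be installed.

    Returns (ok, reason). As in pip's hash-checking mode, an artifact is
    rejected when its package is absent from the lockfile, when the package
    has no --hash pin at all, or when its digest matches none of the pins.
    """
    entry = pins.get(name.lower())
    if entry is None:
        return False, f"{name} is not in the lockfile"
    version, hashes = entry
    if not hashes:
        return False, f"{name}=={version} has no --hash pin"
    digest = sha256_hex(data)
    if digest not in hashes:
        return False, f"sha256 mismatch for {name}=={version}: {digest[:16]}..."
    return True, f"{name}=={version} matches its pinned sha256"


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for pkg, blob in [("requests", GOOD_ARCHIVE),
                      ("requests", TAMPERED_ARCHIVE),
                      ("urllib3", b"whatever the index served"),
                      ("reqeusts", GOOD_ARCHIVE)]:
        ok, reason = verify_artifact(pkg, blob, pins)
        print(("INSTALL " if ok else "REJECT  ") + reason)
```

Only the first case is installable; the tampered archive, the unpinned urllib3 and the namesake "reqeusts" are all rejected. The pin protects against an archive being swapped after review, so it matters that the digest is recorded from a copy that was actually inspected, not simply copied from whatever the marketplace served.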