Are you a programmer? Software developer? Someone who codes regularly? Or just from time to time? Then you no doubt take advantage of the plethora of software snippets, code excerpts, libraries and the like circulating on the Internet, on Github, Stack Overflow, SourceForge, or others. Nice, but there’s a risk: is the code safe? Bug-free? Maintained? And free of any malicious components?
A few months ago, we discussed the inherent risk and implications for CERN’s computer security of any use of external libraries (see our Bulletin article on “Fatal dependencies”). In the past, several public and open source libraries were found to contain malicious code for extracting credentials or misusing local computing power for crypto-currency mining or other evil deeds. So, all that glitters is not gold. External software libraries and external code snippets should be used with diligence and care. A variety of static code checkers can help you with this. Or consider using a centralised software repository manager like Sonatype Nexus or Apache Maven. But that is not the only risk.
What if the code you depend on is simply withdrawn from your source? In an interesting new twist, a software developer decided to pull all his code from Github after he learned that it was being used by a US agency whose work he did not appreciate at all. His software, “Chef Sugar”, is a Ruby library for simplifying work with “Chef”, a platform for configuration management. Removing the software from the public domain impacted negatively on several customers of that US agency using “Chef”*. And they might not be the only ones being affected…
Another example is the recent change of Oracle’s terms and conditions for the usage of Java JRE. While any support for Java as part of a commercial software package is still included in that package, updates and support for in-house development might need a paid subscription. Previously free usage has become restricted behind a paywall… While the OpenJDK toolkit (for Java version 11) provided and supported by RedHat until 2023 might still fit certain use cases, other software might run into nasty dependency issues…
So, what are the chances of something like this happening to you? Do you have a full copy of the software you rely on in source code format? Can you freely and independently compile it? Have you assessed the impact in case the original publication location goes bust? Share your experiences with us via Computer.Security@cern.ch.
*The full story can be found on Slashdot.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.