Dive Brief:
- The Open Source Security Foundation launched a threat-sharing platform Monday designed to provide an early warning system against actively exploited vulnerabilities and other threats that could impact the open source software supply chain.
- The platform, called the OpenSSF Siren, will allow developers, maintainers and open source security experts to share indicators of compromise and tactics, techniques and procedures used in recent attacks.
- The launch comes weeks after the discovery of a multiyear campaign to take over XZ Utils and the OpenJS Foundation's disclosure of a similar social engineering attack.
Dive Insight:
The launch of OpenSSF Siren marks the latest in a multiyear effort to strengthen the security of the open source community.
The open source community is vulnerable to exploitation because of a lack of funding, widespread burnout and other inequities that make it difficult to detect and mitigate malicious activity. The lack of financial support and staffing available to open source maintainers has made security response an ongoing challenge.
“Data around threats and exploits has always been a gap due to the highly distributed, global nature of open source software development and the lack of a centralized Information Sharing and Analysis Center-like body to assist in sharing this post disclosure information,” said Christopher Robinson, OpenSSF Technical Advisory Council chair, via email.
Concerns rapidly escalated in late March, when Red Hat disclosed an incident in which malicious code was found in recent versions of XZ Utils. A group of suspected hackers had installed a malicious backdoor, which a Microsoft engineer discovered by accident.
Following the XZ Utils incident disclosure, officials at the OpenJS Foundation uncovered a separate attempt to take over a popular JavaScript project.