Venafi: Four Ways Open Source Libraries Leave Organizations at Risk

SALT LAKE CITY--()--Organizations are becoming increasingly dependent on open source libraries (OSLs) to develop code for software and websites. However, Jing Xie, senior threat intelligence researcher for machine identity protection leader Venafi, warns that the growing reliance on OSLs for software development leaves many companies vulnerable to trust-based attacks.

Cybercriminals use trust attacks to maliciously manipulate and insert code into open source libraries, taking advantage of organizations’ dependence on them. Unsuspecting developers and site managers actively introduce malware into their own software and websites when they use a compromised OSL. When the infected code is distributed by a legitimate developer, the resulting malicious software will be automatically trusted by its users’ computers, infecting their computers and networks.

Since trust-based attacks can infect millions of computers very quickly, it is critical that organizations increase their awareness about the risks associated with OSL security. According to Xie, there are four ways OSLs create risks for organizations:

  • Undetectable malware: The implicit trust afforded to OSLs – which are often not moderated – means site managers and developers pick up infected libraries and use them, without realizing malware has been added.
  • Infected supply chains: The prolific use of OSLs across enterprises means that if one piece of code is infected, a ripple effect can carry the infected code across multiple businesses. Once an infected library is in use, it’s likely the entire software development supply chain will be impacted by the attack.
  • Legitimate-looking code: In addition to inserting malicious code into genuine OSLs, threat actors often create and run their own rogue OSLs. Given the large number of OSLs organizations use daily, it can be difficult to distinguish those that are rogue from their legitimate counterparts, and developers can be duped into using them.
  • Massive data leaks: Cybercriminals can leverage malware inserted into an OSL after it has been incorporated into applications and websites to create backdoors. Since the backdoors have been created by trusted OSLs they are nearly undetectable, allowing attackers to steal data, spy on users and disguise a wide range of illicit activity.

“This is a very real problem, and recent research from Sonatype revealed a 55 percent increase in breaches resulting from OSL trust attacks in 2018,” said Xie. “It’s unrealistic, though, to ask businesses to completely change their practices by limiting the use of OSLs. Instead, the industry needs to work together to make open source code more dependable.”

Venafi recommends that developers and consumers utilize code-signing certificates to help determine which OSLs can be trusted – this is a practical approach to validating the authenticity of an OSL. “In addition, we encourage organizations to track internal OSL code, recording library releases and any problems,” Xie concluded. “These steps make it possible for OSL users to quickly identify issues, simplifying the remediation process and helping the OSL community build consensus on which OSLs are most trustworthy.”

Additional Resources:

Blog: Is Your Software Supply Chain Vulnerable to OSSL Trust Attacks?
Blog: Code Signing Certificates: A Dark Web Best Seller
Blog: Crypto Mining, Code Signing Compromise: Are Your Certificates Safe?

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the world's most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. Venafi is backed by top-tier investors, including TCV, Foundation Capital, Intel Capital, QuestMark Partners, Mercato Partners and NextEquity.

For more information, visit:


Shelley Boose

Release Summary

Venafi warns that the growing reliance on OSLs for software development leaves many companies vulnerable to trust-based attacks


Shelley Boose