Open-Source Software Libraries security & Threat Intel sharing
Started in December 2021
The goal of the project is to collaboratively tackle the issue of Open-Source Software Libraries (henceforth OSSL) security. The project intends to identify security risks in the source code of OSSL used in PCSI partners’ applications by combining the output of different source code tests (static analysis, software component analysis, and fuzz testing techniques).
The PCSI partners involved in the project will share knowledge of the testing techniques’ results, providing additional security attestation when using OSSL. Also, the PCSI partners in the project will analyze the identified risks and share Threat Intelligence (TI) amongst all other PCSI partners for further (security) policy development. Finally, PCSI core partners may decide to make results of analyses conducted within the project available upstream, thus sharing those back with the maintainers of OSSL where security risks will have been identified. Open-source communities may choose to use those results to fix and improve future versions of their OSSL.
The introduction of an array of software testing techniques, including fuzzing, into software development lifecycle pipelines.
The focus on stand-alone library fuzzing instead of application fuzzing. This is innovative because fuzzing, although it allows for more thorough testing of source code security, is still relatively new in mainstream development practice and is not always easy to integrate into CI/CD pipelines: a library needs a dedicated harness that calls its API directly, plus a way to replay the inputs the fuzzer finds as regression tests.
Collaboration in lowering the threshold for PCSI partners when it comes to acquiring new fuzzing skills and knowledge.
Identifying vulnerabilities in commonly used OSSL collaboratively, without hindering healthy competition in the market.
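The following is an added example of what stand-alone library fuzzing looks like in practice; it is not code from the PCSI project or from any of its partners. The library function `tlv_sum` and its record format are constructed for this illustration. `LLVMFuzzerTestOneInput` is the real libFuzzer entry-point signature; the replay driver shows the CI/CD side of the problem mentioned above: the same harness is built once with the fuzzing engine and once as an ordinary program that re-runs crash files and seed inputs, so findings become permanent regression tests without a fuzzer in the pipeline.

```c
/* Added example, not code from the PCSI project: a stand-alone fuzz harness
 * for a library function, separate from any application that uses it.
 * tlv_sum and its TLV format are constructed for this example;
 * LLVMFuzzerTestOneInput is the real libFuzzer entry-point signature. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed library function under test. Input is a sequence of records
 * [type:1 byte][len:1 byte][value:len bytes]. Returns the sum of the value
 * bytes of all type-1 records, or -1 if any record is truncated. The two
 * bounds checks are exactly the kind a fuzzer finds missing. */
long tlv_sum(const uint8_t *buf, size_t n)
{
    long sum = 0;
    size_t i = 0;
    while (i < n) {
        if (n - i < 2)
            return -1;                  /* header truncated */
        uint8_t type = buf[i];
        uint8_t len = buf[i + 1];
        i += 2;
        if (len > n - i)
            return -1;                  /* value truncated: must not read past buf */
        if (type == 1)
            for (size_t k = 0; k < len; k++)
                sum += buf[i + k];
        i += len;
    }
    return sum;
}

/* libFuzzer entry point: the engine calls this with mutated inputs.
 * Build for fuzzing (the engine supplies main):
 *   clang -g -O1 -fsanitize=fuzzer,address tlv_fuzz.c -o tlv_fuzz && ./tlv_fuzz corpus/
 * Returning 0 is required; non-zero values are reserved by libFuzzer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)tlv_sum(data, size);          /* a crash or ASan report here is a finding */
    return 0;
}

/* Replay one file through the same entry point; used by the CI driver below
 * so crash reproducers found by fuzzing become permanent regression tests.
 * Returns 0 on success, -1 if the file cannot be read. */
int replay_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    uint8_t buf[1 << 16];               /* cap matches a typical -max_len */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, n);
    return 0;
}

/* Stand-alone driver for CI (no fuzzing engine needed):
 *   cc -DREPLAY_MAIN -fsanitize=address tlv_fuzz.c -o tlv_replay && ./tlv_replay corpus/*
 * Left out of the libFuzzer build because the engine provides its own main. */
#ifdef REPLAY_MAIN
int main(int argc, char **argv)
{
    int failed = 0;
    for (int a = 1; a < argc; a++) {
        if (replay_file(argv[a]) != 0) {
            fprintf(stderr, "cannot read %s\n", argv[a]);
            failed = 1;
        }
    }
    return failed;
}
#endif
```

The split between the two builds is the practical point: the fuzzing build runs on a schedule or in a dedicated job, while the replay build runs on every commit with AddressSanitizer enabled and fails the pipeline if any stored reproducer crashes again.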
The solution the project aims to deliver will provide reliable TI on OSSL. This TI would include the security risks associated with specific OSSL and provide relevant, actionable information on test configurations that yield efficient results when testing OSSL. The feedback loop towards the open-source software community would eventually lead to faster patching, resulting in better long-term maintenance and security of OSSL.
Intended end result
At the end of the project, each PCSI partner will have a very good understanding of the risks of using OSSL and improved knowledge and skills in fuzzing. As a result, exposure to security risks is reduced and the security quality of all PCSI partners' software products that use OSSL has improved. Even if no zero-day vulnerabilities are found in OSSL while the project is running, the TI sharing platform that will be set up will be put into production at the PCSI partners. Using this platform, Threat Intelligence will be shared on which OSSL are safe to use.
This project is part of the trend