Security Experts:

Apache Foundation Calls Out Open-Source Leechers

The Apache Software Foundation (ASF) is calling out for-profit companies leeching on open-source code, warning that “only a tiny percentage” of downstream vendors are contributing to securing the open-source ecosystem.

“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security. 

“Only a tiny percentage of downstream companies (reusing the same code within their own products) choose to participate [in maintaining the code],” the Foundation said, noting that any future directives must “avoid placing additional unfunded burdens on the few maintainers who are already doing the work.”

The foundation’s statement comes on the heels of the ongoing Apache Log4j incident where a remote code execution vulnerability in a little-known Java-based logging utility led to a global incident response crisis.

The ASF described the Log4j vulnerability as “an unfortunate combination of independently designed features within the Java platform” and argued that disabling antiquated and unnecessary default features would have prevented the issue.

[ READ: Google Finds 35,863 Java Packages Using Defective Log4j ]

“One of the most valuable things businesses that use open source can do is contribute back.  Help fix bugs. Conduct security audits and feed back the results.  Cash, while welcome and useful, isn't sufficient.  We eagerly welcome audits and fixes from any source,” the Foundation said.

The ASF also used its position paper to criticize businesses for poor patch management practices that leave gaping holes exposed long after patches are released.

“Log4j and HeartBleed are being used as examples of open source vulnerability risks but it must be remembered that once these issues were reported to their respective projects they were dealt with quickly and efficiently.   What caused these, and other vulnerabilities, such as the Apache Struts issue in 2017, to be widely exploited was a failure of businesses to mitigate in a timely manner: either by updating to a new release or applying mitigations,” the ASF said.

[ READ: Exploits Swirling for Major Security Defect in Apache Log4j ]

“While part of the solution may be to ensure companies know what they’ve included in their supply chain, they will also need to have processes for rapidly handling and disclosing vulnerabilities in their dependencies. Users of open source software also need to keep track of lifecycles and ensure the projects they are using are still getting security updates,” it added.

“We can't fix open source supply chain issues by focusing exclusively on the upstream producer,” the group warned, noting that even perfect software releases can take years to be adopted and deployed by downstream providers.

The ASF is considered one of the largest open source organizations in the world, managing hundreds of widely deployed projects that include Apache Hadoop, Apache Tomcat and Apache Cassandra.  

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw

Related: Google Finds 35,863 Java Packages Using Defective Log4j

Related: Exploits Swirling for Major Security Defect in Apache Log4j

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.