Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Apache Foundation Calls Out Open-Source Leechers

The Apache Software Foundation (ASF) is calling out for-profit companies leeching on open-source code, warning that “only a tiny percentage” of downstream vendors are contributing to securing the open-source ecosystem.

The Apache Software Foundation (ASF) is calling out for-profit companies leeching on open-source code, warning that “only a tiny percentage” of downstream vendors are contributing to securing the open-source ecosystem.

“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security. 

“Only a tiny percentage of downstream companies (reusing the same code within their own products) choose to participate [in maintaining the code],” the Foundation said, noting that any future directives must “avoid placing additional unfunded burdens on the few maintainers who are already doing the work.”

The foundation’s statement comes on the heels of the ongoing Apache Log4j incident where a remote code execution vulnerability in a little-known Java-based logging utility led to a global incident response crisis.

The ASF described the Log4j vulnerability as “an unfortunate combination of independently designed features within the Java platform” and argued that disabling antiquated and unnecessary default features would have prevented the issue.

[ READ: Google Finds 35,863 Java Packages Using Defective Log4j ]

“One of the most valuable things businesses that use open source can do is contribute back.  Help fix bugs. Conduct security audits and feed back the results.  Cash, while welcome and useful, isn’t sufficient.  We eagerly welcome audits and fixes from any source,” the Foundation said.

The ASF also used its position paper to criticize businesses for poor patch management practices that leave gaping holes exposed long after patches are released.

“Log4j and HeartBleed are being used as examples of open source vulnerability risks but it must be remembered that once these issues were reported to their respective projects they were dealt with quickly and efficiently.   What caused these, and other vulnerabilities, such as the Apache Struts issue in 2017, to be widely exploited was a failure of businesses to mitigate in a timely manner: either by updating to a new release or applying mitigations,” the ASF said.

[ READ: Exploits Swirling for Major Security Defect in Apache Log4j ]

“While part of the solution may be to ensure companies know what they’ve included in their supply chain, they will also need to have processes for rapidly handling and disclosing vulnerabilities in their dependencies. Users of open source software also need to keep track of lifecycles and ensure the projects they are using are still getting security updates,” it added.

“We can’t fix open source supply chain issues by focusing exclusively on the upstream producer,” the group warned, noting that even perfect software releases can take years to be adopted and deployed by downstream providers.

The ASF is considered one of the largest open source organizations in the world, managing hundreds of widely deployed projects that include Apache Hadoop, Apache Tomcat and Apache Cassandra.  

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw

Related: Google Finds 35,863 Java Packages Using Defective Log4j

Related: Exploits Swirling for Major Security Defect in Apache Log4j

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.