Protestware: what organisations should be aware of when using open source software

3 minute read  04.05.2022 Katherine Mroz, Susan Kantor

The recent inclusion of 'protestware' in popular open source software (OSS) codebases highlights some emerging risks to organisations that rely on OSS.


Key takeouts

  • There have been recent incidents of 'protestware', or other malicious code, being incorporated into open source software (OSS) codebases.
  • Organisations that rely on business-critical software containing OSS may be exposed to security and business risks.
  • Organisations should implement policies and procedures to mitigate against the risks associated with the use of OSS.

Open source software (OSS) is ubiquitous in commercial software. Both in-house and external developers use community-sourced code from public repositories such as GitHub to more efficiently build, test, launch and maintain software. This shortens release times and helps organisations gain competitive advantage.

While the OSS community generally functions as a gatekeeper for quality control, the sheer volume and widespread use of OSS means that there are still risks associated with its use.

On 8 March 2022, the maintainer of node-ipc, an OSS JavaScript library downloaded roughly a million times a week, published an update containing 'protestware'. The release included obfuscated code that estimated the location of the machine running it from its IP address. If the address geolocated to Russia or Belarus, the code traversed the user's filesystem and overwrote the contents of any file it found with heart symbols. The maintainer defended the additions as a protest against Russia's invasion of Ukraine.

The Director of Developer Advocacy at Snyk, the developer security platform that investigated and disclosed the incident, observed that it highlighted 'a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security'. Downstream projects that pulled node-ipc in indirectly, through a version range that accepted the new release, received the code without making any change of their own. Not surprisingly, the node-ipc protestware affected more than its intended targets: subsequent reports claimed that a US NGO running a production server in Belarus was adversely affected.

This is but one example of recent OSS protestware and other OSS-related incidents. In January 2022, the maintainer of two widely used open-source libraries (more than 3.5 billion downloads combined) published updates that, among other things, caused dependent applications to print the word 'Liberty' repeatedly. The maintainer stated that this was in protest at large corporations using his work for free.

And in December 2021, a critical vulnerability (referred to as 'Log4Shell', CVE-2021-44228) was discovered in Log4j, a ubiquitous OSS Java logging library used across numerous cloud-based services, which allowed attackers to execute code remotely on, and take control of, affected systems. Unlike the protestware cases, Log4Shell was an unintentional defect rather than deliberately inserted code, but it shows the same dependence on a small number of volunteer maintainers.

These incidents highlight how organisations that depend on OSS for business-critical software, that contract with outsourced service providers who use OSS, or that buy products or services containing OSS, rely on the diligence and good faith of the open-source community. This creates a supply chain risk for the organisation.

How can organisations mitigate these risks?

To mitigate these risks, organisations should consider the following measures:

  • Establish corporate policies and standards for OSS use, enforceable through a documented and regularly audited process. These policies and standards should include avoiding the use of OSS developed by 'rogue' maintainers, or switching to other OSS packages if such risks are identified. The OpenSSF Scorecard (originally developed by Google), which automates checks of an OSS project's security practices and cross-references known vulnerabilities in the OSV (Open Source Vulnerabilities) database, is a useful resource.
  • Centrally monitor and maintain a database of OSS used within the organisation (and by its key suppliers), including matching OSS to individual projects; documenting each OSS component's licensing model; documenting OSS updates; and assigning responsibility for consistent monitoring of updates to specific personnel. The inventory should cover transitive dependencies, not only the packages developers declare directly.
  • Check updates before installation. Avoid automatic software updates; pin dependencies to specific reviewed versions (for example through a lockfile) and ensure that all updates are carefully vetted (for example, by reference to OSS community and security-firm assessments) before they are installed.
  • Formalise relationships with maintainers of business-critical OSS. If practicable, consider establishing direct commercial relationships with maintainers of business-critical OSS, which provide for ongoing support and include warranties against the inclusion of harmful code.
  • Incorporate robust OSS-related provisions in contracts with key suppliers, which provide that the organisation must consent to the use of any OSS in software (including software-as-a-service products) provided to the organisation, and which potentially also impose obligations on suppliers to give effect to the matters raised above.
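The inventory and update-vetting points above, together with the transitive-dependency point made by Snyk, can be partly automated. The following is an added example, not code from the article or from any of the projects it mentions: a small Node.js script that reads a project's package.json and package-lock.json (both constructed inline here), builds an inventory of every resolved package including nested transitive ones, and flags direct dependencies declared with a floating version range (which would pull in a new release automatically) as well as any resolved version that is not on an internal allowlist of reviewed releases. All package names, versions and allowlist entries are made up for the example and are not claims about real packages.

```javascript
// Added example: dependency-policy check for a Node.js project.
// Sample manifest, lockfile and allowlist are constructed for illustration;
// "acme-*" package names and their versions are hypothetical.

const SAMPLE_PACKAGE_JSON = {
  name: "payments-service",
  dependencies: {
    "acme-ipc": "^9.2.1",    // floating range: ^ accepts any 9.x.y >= 9.2.1
    "acme-logger": "2.0.0",  // exact pin
  },
};

// Shape of a lockfileVersion 2/3 package-lock.json: keys are install paths,
// so transitive dependencies appear even though package.json never names them.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "payments-service", dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/acme-ipc": { version: "9.2.3" },      // newer than the reviewed release
    "node_modules/acme-logger": { version: "2.0.0" },
    "node_modules/acme-queue": { version: "1.4.0" },    // transitive dependency
    "node_modules/acme-ipc/node_modules/acme-color": { version: "0.1.0" }, // nested transitive
  },
};

// Internal register of releases that have been vetted (constructed).
const REVIEWED_VERSIONS = {
  "acme-ipc": new Set(["9.2.1"]),
  "acme-logger": new Set(["2.0.0"]),
  "acme-queue": new Set(["1.4.0"]),
};

const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// True only for a fully pinned "major.minor.patch" string; ^, ~, ranges,
// tags and wildcards all count as floating.
function isExactVersion(range) {
  return EXACT_VERSION.test(String(range).trim());
}

// Derive the package name from a lockfile install path. Using the last
// "node_modules/" segment handles nested and scoped packages, e.g.
// "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Inventory of every resolved package: name, version and whether it is a
// direct dependency of the root project (top-level path and declared in root).
function inventory(lockfile) {
  const root = lockfile.packages[""] || {};
  const declared = new Set(Object.keys(root.dependencies || {}));
  const items = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages)) {
    const name = packageNameFromPath(installPath);
    if (name === null) continue; // skip the root entry ""
    const direct = installPath === `node_modules/${name}` && declared.has(name);
    items.push({ name, version: meta.version, direct });
  }
  return items;
}

// Findings: floating ranges in the manifest, and resolved versions that are
// not on the allowlist (including packages the allowlist has never seen).
function auditDependencies(pkg, lockfile, reviewed) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    if (!isExactVersion(range)) {
      findings.push({ name, version: range, issue: "floating-range" });
    }
  }
  for (const item of inventory(lockfile)) {
    const allowed = reviewed[item.name];
    if (!allowed || !allowed.has(item.version)) {
      findings.push({ name: item.name, version: item.version, issue: "unreviewed-version" });
    }
  }
  return findings;
}

function main() {
  const findings = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, REVIEWED_VERSIONS);
  for (const f of findings) console.log(`${f.issue}: ${f.name}@${f.version}`);
  console.log(findings.length === 0 ? "policy check passed" : `${findings.length} finding(s)`);
}
main();
```

Run against the sample data, the check reports the floating range on acme-ipc, the unreviewed acme-ipc 9.2.3 that the range would have accepted, and the nested acme-color package that no one has reviewed at all. In a real pipeline the allowlist would come from the organisation's OSS register and the check would run before any lockfile change is merged.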

Contact our team for further advice on how to manage the risk.

https://www.minterellison.com/articles/protestware-what-organisations-should-be-aware-of-when-using-open-source-software