Securing Our Dependence on Code Reuse in Software

Posted by Divyank Katira at Apr 13, 2023 12:00 AM |
Filed under:
Dividing and breaking up a software project into smaller modules with functionality that can be reused to build other software is an increasingly common practice in software development today. We examine our infrastructural dependence on reuse of open-source software (OSS) components, examine the unique security risks posed by the widespread reuse of code, and survey systemic solutions to securing code reuse.

Dividing and breaking up a software project into smaller modules with functionality that can be reused to build other software is an increasingly common practice in software development today. Much of this reuse happens in the form of open-source software (OSS) packages, i.e. software whose source code is openly available on the internet with a permissive licence which allows for its reuse and modification. A study that analysed the composition of over 2400 commercial software applications from seventeen industries found that, on average, 78% of the code used to build them was open-source software – indicating that code reuse is not merely supplemental, but foundational to software development processes today. Relying on domain experts to build and maintain the functionality that is ancillary to a software application’s primary purpose saves effort and allows application developers to focus on their own work domains. For instance, a developer building a video conferencing application – such as Zoom – may reuse an open-source library called ffmpeg to encode and decode video streams, or another open-source component, OpenSSL, to encrypt and decrypt the encoded streams as they are transmitted over the internet, rather than reimplementing this functionality from scratch.

Despite the well-known practical benefits of code reuse and its prevalence in all of the digital products and services our society relies on, several security incidents in widely used OSS projects have shown that such projects are often underfunded and under-maintained. The ‘Heartbleed’ vulnerability most clearly illustrates this. In 2014, a security vulnerability in the OpenSSL software library – which is widely used to encrypt web traffic – affected about one-fifth of the servers on the internet. Malicious actors could have exploited this vulnerability to decrypt all of the data that these servers handled and even impersonated them.

In this report, we examine our infrastructural dependence on reuse of OSS components and develop an understanding of the security risks posed by the widespread reuse of code that is developed and maintained by untrusted individuals and organisations that have no obligation to provide these services or any subsequent support.

We present an analysis of common security issues in OSS packages, with a focus on the unique security issues that arise in the tooling and processes used to store, distribute and operate reused code. Finally, we survey solutions and frameworks which seek to address some of these issues on a systemic level.

This report is primarily aimed at regulators, technical decision-makers and organisations invested in furthering research in this area. It can also serve as a starting point for software developers who want to learn about the common security pitfalls of using OSS components and how they can avoid them.


Click to download the full report

Filed under: