Season 5, EP 5

The State of Open Source Software Security

In this episode, host Paul Roberts chats with Mikaël Barbero, Head of Security at the Eclipse Foundation, about the state of open source software security.

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey everybody. And welcome back to another episode of ConversingLabs. I'm your host, Paul Roberts. I'm the Cyber Content Lead here at ReversingLabs. And we have another amazing episode to bring you today. With us in the ConversingLabs studio is Mikaël Barbero, who is the Head of Security at the Eclipse Foundation.
Mikaël, welcome to ConversingLabs podcast.

MIKAËL BARBERO
Thank you, Paul, and thank you for having me with you today at ReversingLabs.

PAUL ROBERTS
Yeah, it's really great to have you and you are a person we're very excited to talk to because obviously one of the things that we're focused a lot on here at ReversingLabs is security of the software supply chain, security of open source ecosystems and that's a lot of what you focus on at Eclipse Foundation.
Before we get into Eclipse and the work you're doing there, could you just give our audience a little rundown on your own origin story and how you came to work for Eclipse?

MIKAËL BARBERO
Of course. So I've been with Eclipse for eight years now. I started as a release engineer at the foundation, helping our projects build their pipelines, deploying the infrastructure for projects to have CI/CD.
And eight to 10 years ago, it was not common for open source projects to have free, available CI/CD systems. Travis CI was not there yet, if you remember, so we were offering that to our projects. So that's how I got into the supply chain security issues, and of course how I got to know what the pain points are for projects, and what led me to my position today as Head of Security at the foundation.
My interest in security started right from when I was doing my studies at university. I read this great paper from Ken Thompson, "Reflections on Trusting Trust." It was really an amazing paper that always stayed somewhere in my mind.

PAUL ROBERTS
And for our viewers who might not know about the Eclipse Foundation or maybe have heard of it, but don't know exactly what it does, could you just give us the short version of what Eclipse Foundation is all about?

MIKAËL BARBERO
Sure. So we are an open source software foundation. We are basically the host and the steward of many projects. Currently we have more than 425 projects at the foundation. It all started with the Eclipse IDE, hence our name.
The famous Java IDE, but not only Java nowadays, an integrated development environment for software developers. But we are now the home and the steward of many other projects. Still a lot centered around Java. So for instance, we are the host of Jakarta EE, the new Java EE, enterprise edition, that moved to the foundation.
We are also the steward of the Adoptium working group and its OpenJDK distribution, Eclipse Temurin, so a free, open source and secure OpenJDK distribution. And we are also the host of many IoT projects, so really not related to Java. For instance, we are the host of the Eclipse Mosquitto project, which is an MQTT broker.
Very famous and widely used in the IoT world. And we are also, for instance, the host of a new initiative called the Eclipse Software Defined Vehicle. So that's where many of the software vendors and the OEMs of the automotive industry are joining to build the software stack for the car of tomorrow.

PAUL ROBERTS
Yeah, the population of devices that are running open source software has exploded in the last 20 years, right? So you talk about, yeah, automotive is a huge area of development and evolution of this. Talk just a little bit... so if you could, explain: in the last 20 or 30 years, open source use has really grown and exploded. Can you give us a sense of the security conversation around open source? Security has been a topic of debate and interest in the context of open source software. Back in the 90s it was all, is open source less secure than proprietary software, right? With many eyes, all bugs are shallow.
That type of conversation. Certainly Microsoft had a whole line of argument about the fact that their proprietary software was more secure. But how have you seen the security conversation around open source evolve in the last couple of decades?

MIKAËL BARBERO
So to me, this conversation about whether open source is more secure than proprietary software, I think it was more marketing against open source than it was.

PAUL ROBERTS
Yeah, clearly.

MIKAËL BARBERO
There were no real facts behind that. And we've seen that from the many numerous vulnerabilities that have been discovered over the years. Back to an issue with OpenSSL, Heartbleed, or even Log4j recently. The responsiveness of the community and of the developers is really amazing.
And much more transparent, no, very, very transparent. So it equals the best in the industry in proprietary software. So definitely not an argument to say that the open source communities and developers could lead to lesser security. The way I see how it evolved mostly in the last two decades is that open source has won.
So it's everywhere. It's ubiquitous. Yeah, that's great. But of course, with great power comes great responsibility, and where the threat actors were before looking for the vulnerabilities, zero days in open source, that was one of the things that you could be worried about, that a zero day is discovered by a threat actor and you don't know about it... no.
What we see is that open source is so ubiquitous that they are not looking for zero days anymore, but they are trying to put zero days in by themselves. So that's where they are taking the supply chain of the open source software in order to include malicious code, backdoors and worms or Trojans or whatever, in order to amplify their attacks.

PAUL ROBERTS
And we've seen that. Here at ReversingLabs, we've uncovered a number of campaigns, some of them on the Python Package Index, npm, RubyGems, in recent years. These are obviously often designed to fool developers into incorporating malicious packages into their projects, often designed to look like legitimate packages.
So there's often just a social engineering aspect of it. Could you, from the perspective of Eclipse Foundation, how do you see the risks right now within the open source ecosystem? Is this sort of background noise, a low level of risk? Is it something that you see becoming a real issue around reliability for open source ecosystems and developers who are working with these platforms? What's your sense?

MIKAËL BARBERO
So my sense is that it's growing and it's definitely getting more critical for projects to understand, for developers to understand those issues. The thing is that the tooling that is available to open source developers today has exploded. It's amazing what you can do now with cloud-based infrastructure that is provided for free for open source. You can do amazing things and you can release multiple times a day, which was unseen in the last decade. But with all those tools, all those tags that are brought into the supply chain of the open source software, among open source developers there is very often a misunderstanding of all the risks that are behind this very complex supply chain that you add to already complex software.

PAUL ROBERTS
It's really true. And I think education about these risks and how these attacks play out matters. Often when you dig into these attacks, they're mostly social engineering attacks, right? It's mostly around fooling developers into grabbing a malicious package.
Sometimes it's more complex than that. We've seen more complex attacks. Do you really see, is this something that Eclipse Foundation sees as a priority, educating the developer community about the risk? Or is it, from your perspective, really on the platform providers to start looking for these types of attacks and weeding them out?
What's the proper approach to reduce the impact of these attacks?

MIKAËL BARBERO
Of course, our hope is that the platforms will eventually reduce the attack surface for those things. But of course, the... We see our approach to helping our projects to improve their security posture in two ways.
Of course, education, training, best practices. Let's not hide ourselves behind the best will to improve the training and the skill sets. Most of the time developers don't have the time or the will to actually improve their security skill sets or to take training and so on. They want to deliver and they need to deliver new features to their users.
So our approach is really in terms of empowerment. So whatever initiative we take, we try to always focus: okay, how do we make the life of a project easier? While giving them more security, the security mindset should come from this empowerment, and not from enforcing any new processes or new regulations that are coming also, or forced training to cultivate this mindset of security.

PAUL ROBERTS
It's interesting because here in the U.S. we just saw the Office of the National Cyber Director, part of the Biden administration, actually putting out a public request for information on open source security. I know that there are similar efforts afoot in the EU as well on this, and ostensibly some new regulations that might impact open source maintainers and projects, like the EU Cyber Resilience Act. So I guess, high level, right? Governments are starting to take an interest in open source security and the security of open source ecosystems. That's good in a way, because it is an issue, but not good if it becomes overly regulated.
From the Eclipse Foundation standpoint, or just maybe your standpoint personally, what's your thought on these efforts in both the U.S. and E.U. to start having government regulators more attuned to these issues around open source security? And what would be, in your mind, the best approach for governments to take?

MIKAËL BARBERO
So first of all, as you said, the fact that the governments and the regulators actually noticed that open source is critical is something good and may help with the sustainability issue that we've been having for many years. After that, Eclipse is a not-for-profit organization, based in Brussels, based in Europe, but we are a global organization, right? We have members, organizations, both in the U.S., E.U. and Asia as well. So we are looking at all those regulations as a global organization. Regarding those two approaches, because they are quite different between the E.U. and the U.S., we are pretty happy with the approach of the U.S. The Cybersecurity Strategy that has been published a couple of months ago is really...

PAUL ROBERTS
National Cybersecurity Strategy.

MIKAËL BARBERO
Yeah, exactly. It really recognizes that open source is critical and must be kept on the side of any regulation. You should not put the burden of any additional regulation on the open source software developers.
And the same for this RFI from the National Cyber Director, asking for feedback from the industry but also not-for-profit organizations, and being open about gathering interest and feedback. It's really a good approach.
We are very supportive of that. We are actually preparing an answer to that as well, focusing on what we think is important: empowerment, creating a mindset of security or a culture around cybersecurity for the developers and so on. On the other side of the pond, in Europe, the CRA is what is our main interest these days, or what we are looking after the most.
So the Cyber Resilience Act is still under discussion, and while we are very supportive of the initiative to improve cybersecurity for the citizens and the industry, the software industry has been a non-regulated industry for... ever. And we see that it will become a regulated industry.
The thing is, moving from a non-regulated industry to a fully regulated industry without doing harm to this industry can be very hard. And our thinking is that the Cyber Resilience Act has some missteps along the way, especially around open source. They tried to carve out open source in the initial text from the commission.
They were saying that any open source that is done outside of commercial activity should not be regulated by the Cyber Resilience Act. Unfortunately, the commercial activity wording is very specific and has a very clear definition in the E.U. regulations. There is a text called the Blue Guide with those definitions that they, the commission, have to reuse; that's part of the harmonization of the laws across Europe.
And it says that basically anybody is under a commercial activity. So an open source foundation is doing a commercial activity because it has members and...

PAUL ROBERTS
Basically, if you collect money, you're doing commercial activity.

MIKAËL BARBERO
Yeah, exactly. You are the manufacturer or the distributor of the open source.
So you have the liability and the responsibility of applying or complying with the Cyber Resilience Act. So the initial text would exclude only the hobbyists and the charities, but basically everybody else: industries, software developers employed by a company and developing the open source software.
So anybody being employed would be covered, and not-for-profit organizations like open source foundations would be covered and would have the responsibility of complying with the Cyber Resilience Act. And, of course, it could really harm the whole industry. The natural reaction to that is: okay, as a company, should I continue to tell my developers to contribute to open source if I only get responsibility from that?
It took 15 years for the industry to understand that contributing to open source is actually low risk, that the legal uncertainty was pretty low, even though it started with all the license threats, that it could be a threat for the industry. It has been understood that it's not anymore, but this whole CRA thing could definitely lead to some more questions about contributing to open source or even consuming open source.

PAUL ROBERTS
Is there a compromise or a resolution for that tension? Because you raise a really good point, which is that a lot of the contributions, a lot of the development in open source, is sponsored indirectly by corporations or nonprofit organizations that are using it and also contributing back to the community.
That's one of the whole ideas behind the open source movement. And you don't want to discourage that by heaping liability on them. On the other hand, you need more accountability in the software industry in general to start dealing with some of the bad practices that we see all around us.
So what is the compromise, in your mind, between that? Encourage private sector contributions to the open source community, but don't... turn a blind eye to poor quality contributions, buggy, insecure code, that type of thing.

MIKAËL BARBERO
So we are very supportive of the initiative of the world again, and that's why we at the foundation now have the security team that I'm leading. 18 months ago, there was zero staff dedicated to helping our projects improve cybersecurity. So we are now a team of five. And so we are supportive and we want to move the needle to better security. The way we see how the CRA could be improved is to move the responsibility to the commercial entities that eventually monetize the open source components, projects. So put some products on the market and monetize those products. We don't want a carve-out for open source, because that doesn't make sense. But the responsibility and the liability should be put on the people actually.

PAUL ROBERTS
So if you're a multi-billion-dollar corporation, you're using, you're contributing to this open source project because you're using that code in your own project, in your own products, then, okay, then you're part of the liability regime. But if you're a not-for-profit group that is doing this, not generating any revenue from your contributions, then you should be exempted.

MIKAËL BARBERO
That's what we try to advocate for. We are in touch with people in Brussels and the various commissions and committees that are involved in those things to try to help them understand why we think it's important.

PAUL ROBERTS
In the meantime, you raised these issues, the powers that be, the folks considering this, more or less ignored that and gave, I think, tacit approval to this Cyber Resilience Act. Where does it stand now legally? Is it law? Is it just moving along? And is there another opportunity to address these concerns before it becomes the official regulation, or where are we?

MIKAËL BARBERO
Agencies in Europe, or regulation in Europe, is quite complicated. So the commission initially proposed the law and it has been discussed in the parliament. So we have elected members of the parliament, elected by the people in Europe in the various countries, and the council, which is composed of representatives of each member state, and they each came to a set of amendments at the beginning of the summer. Now they need to group all together, so the commission, the parliament, and the council, in what they call a trilogue, in order to get to a final text.
So we are at this stage now. It's pretty late in the game, but we are already seeing that the version from the council is pretty good for open source. They made some amendments that are really what we are advocating for. And we've heard that they are continuing to discuss these days to bring those versions together.
So we still don't know exactly how it will end up as a final text, but something that is pretty sure is that we will have the law being passed by next summer, because in May next year there will be new elections in Europe. Of course, they want to complete the law before the next elections. Otherwise, you would have to come back.

PAUL ROBERTS
What do you think the practical impact would be? Let's just say the Cyber Resilience Act just goes forward as it's been written. No changes. What do you think the practical impact would be on the open source community, on the Eclipse community and the activity that goes on now?

MIKAËL BARBERO
So if it passes as is, with the responsibility and liability being put on the Eclipse Foundation, we would have to stop releasing much software for a while and find out how to comply without risk with the regulation, for sure. So that would of course be an issue for us.
But more generally, for the industry and for open source in Europe, that would be even more problematic. We can already hear some voices, especially from the U.S., that say that maybe if they have to take responsibility by providing open source software that could be downloaded from Europe, they will just geofence Europe from downloading their software so that they have no responsibility. So imagine Europe without access to Kubernetes or Linux.

PAUL ROBERTS
And this really is the software that supports so much of the technology that we use, both cloud, on our devices, you name it. The flip side of this, which is regulations that may discourage private companies or for-profit organizations from contributing to open source, is that there is a very long tail in the open source community of hobbyists and individuals who have created and maintained open source libraries and packages that are very widely used, by for-profit entities and so on. That has a security impact merely in the sort of resource sense, which is: these are very widely used, but often they're maintained by a solo developer or a small group of developers volunteering their time, really, and security often falls down the list of priorities for them. Or they're just not able to really keep on top of security. What do you think is the solution for that problem? Both for the open source community generally, and also for companies that are using open source and relying on open source software.

MIKAËL BARBERO
So it's not really a new issue. Even without the security problem, just keeping those open source projects running has always been a sustainability issue for open source. Just that now, with the financial impact, the issue is even bigger. So we don't have any magical solution to apply, but we've seen a couple of initiatives that we really like, and that we really would like to encourage all governments to replicate.
And one of them, for instance, is the Sovereign Tech Fund. It's a German initiative, where basically the German government created a pool of money to identify what software is critical to the German and European ecosystem, all systems that are based on open source software. And the very good thing about that, because usually when governments put funds to help open source they usually want those funds to be given to German companies or German developers or their own national thing. And with this initiative they don't actually care about who gets the money at the end. They care about how dependent the German government, the German industry and the European industry is on the open source software that is being funded. And we think that it's a pretty good initiative that should be replicated across Europe and also in the U.S.

PAUL ROBERTS
This notion of a sovereign fund, that we should just reproduce that across other... economies, basically.

MIKAËL BARBERO
Yeah, exactly. To help open source projects to address the security issues.

PAUL ROBERTS
If you were to speak to development organizations or developers who are looking to defend themselves against open source risks or threats, to get themselves oriented around this, as we've seen it's a growing problem, what would your advice to them be?

MIKAËL BARBERO
Don't try to do this alone. There are plenty of frameworks available, or even vendors that can help you. But most specifically around frameworks, because it really helps developers, companies, projects to structure how to define their threat model and how to address it.
We really promote at the foundation the SSDF, the Secure Software Development Framework, but also "salsa," the SLSA framework, that is also at the OpenSSF, the Open Secure Software Foundation. We like SLSA better for developers because it's more pragmatic.
It's more technical and closer to what the developers have to handle on a daily basis. SSDF is closer to what you would need to do for procurement, but those frameworks are really able to structure how to address the cybersecurity risk. But even without those frameworks or those structures, one thing, when we start to talk about cybersecurity risk and the supply chain: the risk in the software supply chain is about checking the provenance of everything you're consuming. That's very basic, but you need to understand and know what you consume and what you deliver.

PAUL ROBERTS
So software bill of materials, that type of approach?

MIKAËL BARBERO
Exactly. Software bill of materials is one way to identify what you're consuming, but it's... I would say that it's mostly for your downstream users that it's useful. So you need to deliver it as part of what you supply. But by provenance I think of it more in the way the SLSA framework actually defines it. So it's really about, okay, you get a binary, but where does it come from? How has it been built? Where is the source? From what sources has it been built?
And having an attestation, something that is non-falsifiable, that is signed and verifiable, that's very important. And moving towards a model where the package repositories, package registries, include that provenance information will really help us harden the whole supply chain of open source software.

PAUL ROBERTS
And Mikaël, final question. If viewers are listening to this conversation and want to learn more about Eclipse and get involved with the Eclipse Foundation, what can they do? Where should they go?

MIKAËL BARBERO
So of course you can go to the eclipse.org website where you can see all of our projects and our working groups, where our members are organized to drive some of our projects.
And we are also in the process of creating an initiative around cybersecurity called the Eclipse Cyber Risk Initiative. So we are gathering interest in participating in that, to help us sustain our efforts in improving the security posture of our projects, but also to help us prioritize what the next steps are that we should be taking to help our members and help our projects to improve their posture.

PAUL ROBERTS
Mikaël Barbero of Eclipse Foundation. Thank you so much for coming on and speaking to us on ConversingLabs podcast. It's been great having you.

MIKAËL BARBERO
Thank you, Paul. It was great to talk with you.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.
