There is a prevalent myth that open source software is inherently secure. This is not true. Open source software is susceptible to vulnerabilities just like any other software. Moreover, the fact that anyone can review the code does not guarantee that the right people actually will. Open source software faces two important threats that not everybody is aware of:
Vulnerabilities: Open source developers need to understand and communicate the security posture of their projects to users, and they must adopt robust security practices. The Log4j incident in 2021, which led to the Log4Shell vulnerability, triggered a catastrophic wave of attacks because the logging framework was inadequately supported despite its critical role in company processes.
Dev team infiltration: Criminal organizations and government hacking teams are executing highly sophisticated social engineering operations to infiltrate understaffed open source projects. Their goal is to compromise development teams and insert backdoors into the software. The most recent such attack on a significant project was discovered in April 2024.
Objective of the talk: Inform the community about these two security scenarios and demonstrate how to address them effectively.