Open-source is everywhere. It is one of the driving forces of software innovation from the academic to the enterprise world (75% of codebases audited by Synopsys in the 2021 OSSRA report rely on open-source components). Its prevalence in commercial software is reaching unprecedented levels, to the extent that the European Commission has recently identified it as a public good in a recent study assessing its impact on the region's economy.

But the interstitial nature of open-source in modern software also makes it a subject of security and compliance concerns, as it is capable of exposing organizations that use it to a host of unknown risks and vulnerabilities.

Most discussions we are hearing today around security in this space are focused on the identification, fixing, and remediation of vulnerabilities - all seen from the "consumer" perspective. This time, we decided to go on the other side of the fence.

We had the pleasure to exchange a few words with Bryan Van de Ven, co-creator and core maintainer of the Bokeh project, a Python library for data visualization. Bryan gave us an insider look at how open-source maintainers such as himself shield their projects against the attempts of malicious actors trying to exploit security gaps. The goal of attackers is straightforward: introduce vulnerabilities downstream, and in turn, attack the software supply chains that depend on the same open-source packages and libraries.

Bokeh, the interactive visualization library for the modern browser

Bokeh (pronounced /ˈboʊkeɪ/ BOH-kay) is an interactive visualization library for modern web browsers, written in Python. Bokeh can help anyone who would like to quickly and easily make interactive plots, dashboards, and data applications. It provides elegant and concise construction of plots while maintaining high-performance interactivity over large datasets.

[Figure: Standalone examples of data plots made with the Bokeh library]

Before starting his endeavor with Bokeh in 2012, Bryan was no stranger to open-source libraries. He authored the conda package manager and worked full-time at Anaconda on its distribution, simplifying package management and deployment for more than 25 million users worldwide. Inspired by his previous contribution to Chaco (a Python data visualization library) and the rise of JavaScript-heavy frontend frameworks in the early 2010s, Bryan teamed up with Peter Wang to offer an alternative for Python developers who were working on interactive data applications for the modern browser.

Why is security important for open-source projects like Bokeh?

With 37,000+ public GitHub repositories declaring its use and 2.5 million monthly downloads, Bokeh has made a name for itself. Bryan believes this has a lot to do with the project's early days, where patience, responsiveness, and receptiveness to the contributions from a community in its embryonic stages play a determining role in later successes.

Now comes the difficult part: ensuring Bokeh is open-source code on which individual developers and enterprise teams alike can safely build. Together, we discussed some of the threats keeping open-source maintainers up at night:

Typosquatting

This attack implies bad actors pushing malicious packages with names similar to the original one to a trusted registry and crossing their fingers for users to fall for their dirty trick. Packages hosted on the npm and PyPI registries have been notable targets, reminding us that developers too can fall prey to a different breed of phishing. With more than 2.5 million monthly downloads shared between conda and pip and ~150 million requests for BokehJS resources every year, the bokeh library looks like it is ripe for the picking, at least from an attacker's perspective.

Once the malicious packages are installed and executed at runtime, attackers can:

- Siphon environment variables for further lateral movement (crossenv attack).
- Hijack cloud computing resources for crypto-mining (PyPI attacks in 2021).

Unfortunately, there is not much the package maintainers can do here.
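Since maintainers can do little about look-alike names once they are on a registry, the check has to happen on the consumer side. The script below is an added example written for this page, not code from the interview or the Bokeh project. It parses a requirements-style dependency list, normalizes names the way PyPI does (case-folded, with runs of `-`, `_` and `.` collapsed to `-`), and flags any name that is within a small edit distance of a package on a team-maintained allowlist but is not an exact match. The allowlist and the requirements lines are constructed for the demonstration, and the two-edit threshold is an assumed tuning choice, not a published standard.

```python
"""Flag dependency names that look like typosquats of packages a team trusts.

Added example for this page (not from the interview or the Bokeh project).
The allowlist and the sample requirements below are constructed for the demo.
"""
import re

# Constructed allowlist: packages the team actually intends to depend on.
TRUSTED_PACKAGES = ["bokeh", "numpy", "pandas", "requests", "pillow", "tornado"]

# Constructed sample requirements file: three legitimate names, two look-alikes
# (a transposition of "bokeh" and a truncation of "requests").
SAMPLE_REQUIREMENTS = """\
# pinned runtime dependencies
bokeh==3.4.1
numpy>=1.26
bokhe==3.4.1
request==2.31.0
pandas
"""

# Assumed threshold: names one or two edits away from a trusted name are suspect.
MAX_DISTANCE = 2


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, collapse [-_.]+ runs to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement_names(text: str) -> list[str]:
    """Extract normalized package names from requirements.txt-style lines."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        # The name ends at the first extras/version/marker/URL delimiter.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        names.append(normalize(name))
    return names


def find_suspects(names: list[str], trusted: list[str],
                  max_distance: int = MAX_DISTANCE) -> list[tuple[str, str, int]]:
    """Return (dependency, closest_trusted_name, distance) for near-miss names."""
    trusted_norm = sorted({normalize(t) for t in trusted})
    suspects = []
    for name in names:
        if name in trusted_norm:
            continue  # exact match against the allowlist, nothing to flag
        closest = min(trusted_norm, key=lambda t: levenshtein(name, t))
        distance = levenshtein(name, closest)
        if distance <= max_distance:
            suspects.append((name, closest, distance))
    return suspects


def audit(requirements_text: str = SAMPLE_REQUIREMENTS) -> list[tuple[str, str, int]]:
    """Run the check over a requirements document and return the findings."""
    return find_suspects(parse_requirement_names(requirements_text), TRUSTED_PACKAGES)


if __name__ == "__main__":
    for dep, trusted, dist in audit():
        print(f"SUSPECT: '{dep}' is {dist} edit(s) from trusted package '{trusted}'")
```

Run as a pre-install gate in CI; a non-empty result should fail the build so that a near-miss name is reviewed by a human before `pip` or `conda` ever resolves it. Names that are simply unknown (distance above the threshold) are not flagged here, which is deliberate: the allowlist catches look-alikes, while unfamiliar additions belong to a separate dependency-review step.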