A majority of software developers include open source software packages in their development cycle, and often trust the integrity of such packages implicitly. However, open source software frequently contains serious vulnerabilities and intentionally hidden threats – which can leave the products using these packages compromised and vulnerable to manipulation, including the dreaded supply chain attacks.
As the number and severity of cyberthreats continues to rise, the classic DevOps methodology of software development began to shift towards a more security-conscious approach, a.k.a. DevSecOps, which advocates putting into effect security practices from the initial planning and design stages through development to testing and beyond. Obviously, this mindset needs to apply to any open source software used in the development cycle as well.
Kaspersky has designed a valuable data feed to help apply this security-first approach to open source software – Kaspersky Open Source Software Threats Data Feed. It is a binary-less, text-only data set, which reveals the threats and vulnerabilities in the millions of open source packages known to Kaspersky.
The following threat types are covered by this Data Feed:
- Packages with vulnerabilities
- Packages with malicious code
- Packages that contain riskware such as crypto-miners, hacktools, etc.
- Compromised packages that contain political slogans, or that alter their functionality in specific regions
The feed provides information about packages from the following repositories*, which are scanned on a regular basis:
All packages from all repositories are automatically matched against the following vulnerability advisories:
- GitHub Security Advisory
- CVE MITRE
- Debian Security Advisory
- CentOS Security Alerts
- RedHat Security Advisory (only cross-links to this advisory are provided).
Along with the list of packages, the following useful context is also provided:
- For vulnerabilities:
- Connection to the ecosystem
- System impact
- List of vulnerable versions
- Vulnerable versions CPE for automation
- Lists of recommended versions with patched vulnerabilities
- OS versions support (for *nix packages)
- Cross-links to vulnerability advisories
- Hashes of exploits currently used in the wild
- For malicious and compromised packages:
- Connection to the ecosystem
- System impact:malware, hacktool, other
- Compromised package versions
- Hashes of compromised package versions
- CWE (Common Weakness Enumeration): for the moment, only for malware packages
The recommended use case for Open Source Software Threats Data Feed is as follows: match the packages from the feed against the packages used in development based on one or several parameters such as package name, package version, etc.
The feed is delivered in JSON format.
NB: Matching has to be performed by the Customer’s tools, as Kaspersky only provides a text-based feed. This makes this and all other Kaspersky data feeds 100% guaranteed safe to use by any companies and entities, even those from countries that might be otherwise reluctant to adopt Kaspersky products.
If you wish to know more, please click the CONTACT US button below and indicate that you require more information about Kaspersky Open Source Software Threats Data Feed, and our representative will get in touch with you shortly.