
Open Source Software Security – A Key Driver for Zero Trust Architecture?


The cybersecurity world is a funny place. As a whole, we lament the fact that the internet was created “open by default” and insist that if only it had been created “closed by default”, the world would be so much safer. Fast forward decades to the XZ Utils saga, and people are rushing to say the world is so much safer because the open source community model of self-governance works, and catching the XZ Utils backdoor proves it. What tripe! Survivorship bias (the picture for this entry) comes to mind.


The Free and Open Source Software (FOSS) model works based on TRUST. Sure, there is a degree of security there, but ultimately the whole system boils down to trust. We trust that “the community” reviews code for security issues and that, with thousands of people assessing code for security issues (with zero incentive to do so), any security issues will be quickly discovered. On one hand, we are told the zero trust model is the way to run our systems, and on the other, we’re told to openly trust open source software. Honestly, you can’t make this up.


The open source model is busted. I present to you the following common scenario:


– A single person starts a project with a buddy or two.


– The project becomes popular and is used by companies around the world.


– The developers get tired of working on it and wind up parting ways.


– One person stays behind to maintain the project.


– This person slowly comes to realize that nobody is going to give them a dime for their effort. Not that they expected to make it rich, but some form of compensation would be nice.


– As the project gains even more traction, this person is overwhelmed by demands from non-paying “customers”. They demand immediate answers, even at 3am.


– The person’s mental health suffers; they experience burnout and can’t keep up anymore.


– The person is now vulnerable and a target for manipulation.


This is exactly what happened with XZ Utils (here is a backgrounder). Contrary to what some people say, this has happened before. I’ve seen it with my own eyes via a Twitter (“X”) thread. Everything was identical, down to the person saying he can’t work because he is mentally unfit to hold down a full-time job. In that scenario, it was a radio broadcasting application. XZ Utils was embedded in major Linux distributions, so it obviously had a much larger install base. Again though, the scenario was identical. I highly doubt it has only played out twice in the history of FOSS.


So, back to the “security by community” fallacy. Simple question for you: if this were true, why did Fedora (sponsored by Red Hat, and only in beta versions), Kali Linux (this is just so deliciously ironic) and a couple of other distributions include the malicious code as part of their updates? Was it because they trusted the developer? Again, there’s that pesky trust word.


Now, let’s talk about how this was discovered. ONE person (Andres Freund) noticed their SSH connections were taking 500 milliseconds longer than normal and started digging into why. Do you really think this is common? Cybersecurity professionals are pointing to this as proof that the system as it exists works perfectly, because it was caught before it caused major damage. REALLY?!? The project was infiltrated (for the reasons discussed above), major distributions included it in their systems and distributed it to their user base, and ONE person who is obviously very technically talented happened to notice a sluggish SSH connection and dove in to learn more… AND THIS WORKS? The gentleman who discovered it said it “really required a lot of coincidences” to find. In other words, it was BS luck.
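The discovery above hinged on one person noticing a consistent latency jump. As an added example (not from the original post), the following script shows how that observation could be automated on the defender’s side: compare a robust baseline of SSH handshake times against post-update samples and alert only on a consistent shift. The measurements are constructed sample data in milliseconds, and the threshold values are assumptions.

```python
"""Flag an SSH handshake latency regression using a robust baseline
(median and median absolute deviation), so one slow sample does not
trip the alarm but a consistent ~500 ms shift does. Added example;
all sample data below is constructed, not measured."""
from statistics import median

# Constructed baseline: handshake times (ms) recorded before an update.
BASELINE_MS = [41, 43, 40, 45, 42, 44, 39, 43, 41, 42]
# Constructed post-update samples: consistently ~500 ms slower.
AFTER_UPDATE_MS = [545, 548, 541, 552, 544, 547]


def robust_baseline(samples):
    """Return (median, MAD) for a list of latency samples."""
    m = median(samples)
    mad = median(abs(x - m) for x in samples)
    return m, mad


def latency_regression(baseline, current, min_shift_ms=100.0, k=5.0):
    """Return the median shift in ms if `current` is slower than `baseline`
    by at least `min_shift_ms` AND by more than k MADs, otherwise None.
    Requiring both a fixed floor and a MAD multiple (assumed values)
    avoids alerting on tiny jitter against a very stable baseline."""
    base_med, base_mad = robust_baseline(baseline)
    cur_med, _ = robust_baseline(current)
    shift = cur_med - base_med
    # MAD can be 0 on a perfectly flat baseline; use 1 ms as a floor.
    threshold = max(min_shift_ms, k * max(base_mad, 1.0))
    return shift if shift >= threshold else None


if __name__ == "__main__":
    shift = latency_regression(BASELINE_MS, AFTER_UPDATE_MS)
    if shift is None:
        print("sshd handshake latency within baseline")
    else:
        print(f"ALERT: sshd handshake median is {shift:.0f} ms slower than baseline")
```

In practice the sample lists would be fed from a periodic probe against a canary host, so a regression introduced by a package update surfaces as an alert rather than relying on someone happening to notice.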


Ok, so all this said, how do companies address this? How can you build a secure environment when every company uses what must be considered untrusted software? Reviewing the codebase of every update before deploying it, even in a development area, is not something I imagine a lot of average companies are actually doing. This XZ Utils event just serves to bolster the need to implement Zero Trust architecture. How so? Don’t trust your users, your devices or your software. Come join us for our next Zero Trust certification course by the Cloud Security Alliance and learn all about what Zero Trust is and what it is not. Just be prepared: Zero Trust is a journey, not a tool you slap in and call it a day.


Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.
