How do I protect my software supply chain against foreign influence from concerning countries?
This week there has been a bit of a stir in the open source community: a widely used library called easyjson has been under the microscope, not because of an active exploit, but because of the maintainers.
For context, easyjson is a Go library for handling JSON. It is a dependency in cloud-native environments because it is a component of Kubernetes. Hunted Labs published research this week finding that this library is almost wholly maintained by Russian contributors, and more specifically that the package is owned by mail.ru, which is part of a large Russian organization (VK Group) with heavy ties to the government.
This doesn’t mean easyjson is malicious. There is no evidence that it has ever been compromised. But there is potential risk: the code is maintained by a suspicious group and could be changed at any time. The next time your application pulls the latest version down, it could be compromising your infrastructure and exfiltrating data.
So… Is This a Big Deal?
Well, yes and no.
Nothing has changed in the easyjson code that should cause panic. But the heretofore unknown influence of VK Group on this critical piece of open source infrastructure serves as an important reminder about the fragility of the software supply chain and the importance of understanding where your software comes from.
This situation echoes other high-profile supply chain incidents:
- XZ Utils: A trusted compression utility was intentionally backdoored after years of quiet contribution.
- Polyfill.io: Ownership changed hands and malicious code was inserted into a massively used JS shim.
- SolarWinds: An update to a popular enterprise monitoring tool included a backdoor—used to compromise U.S. federal agencies and more.
No one is suggesting we stop using open source. But we do need to treat it like the shared infrastructure it is—in need of both visibility and hygiene.
EasyJSON: ELI5
There is a widely-used, open source software library called “EasyJSON.” This library enables efficient use of JSON, and is present in millions of cloud deployments due to its prevalence in Kubernetes, along with other software.
The risk here, plainly stated, is that the code is maintained by a suspicious group in an OFAC country and that group could make changes to the code at any time. The next time your application pulls the latest version down, it could exfiltrate data and compromise your infrastructure. This risk was identified by our industry counterparts Hunted Labs last week, and their conclusion was the following:
The widespread use of easyjson makes finding a solution challenging. However, we cannot continue to blindly rely on this package due to the state of the current threats to our increasingly fragile software supply chain.
What Should You Do About It?
You obviously can’t just stop using software entirely. (Well, I suppose you could, but not if you want to stay in business much longer.)
Software is like packaged food. It includes ingredients that you didn’t personally select, but which you rely on and trust implicitly to sustain you. And you rely on the producer of that food to list the ingredients so that you, the consumer, can make an informed decision.
The same applies to software components. What ingredients are you comfortable consuming? Which ingredients do you want to refuse? Maybe you want to avoid software components developed in certain countries, or scrutinize software with anonymous maintainers, or reject libraries that haven’t been updated in years.
The best thing you can do is maintain visibility and enact and enforce policies. Some of our most sophisticated customers utilize the Manifest OSS capability to inventory and monitor their open source contributors. Here’s what the top four EasyJSON contributors look like to them:

So the question becomes: “How do I protect my software supply chain against foreign influence from concerning countries?” There are a couple of options (forking and maintaining your own branches, monitoring versions for safety, never taking the latest update), but each of these is cumbersome, manual, and costly.
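The "ingredients" policy above (flag components from owners you have chosen to scrutinize, reject untagged or unpinned versions, watch for version changes between pulls) can be made concrete for a Go module like the one the post discusses. The following is an added example written for this post; it is not Manifest's product code and not part of easyjson or Kubernetes. It parses a constructed go.mod and go.sum, applies a small hypothetical policy (the flagged-owner list, the sample module paths other than the real github.com/mailru/easyjson path, and the version numbers are all constructed for illustration), and diffs two dependency inventories to surface version changes before they are taken:

```python
"""Added example (not Manifest's or easyjson's code): a dependency policy check
over a Go module's go.mod / go.sum, plus an inventory diff for version drift."""
import re

# Constructed sample go.mod: the module paths and versions are illustrative only.
GO_MOD_OLD = """module example.com/service

go 1.22

require (
    github.com/mailru/easyjson v0.7.7
    github.com/some-org/helper v0.0.0-20230101120000-abcdef123456
    golang.org/x/text v0.14.0 // indirect
)
"""

# Constructed go.sum: hashes are placeholders, not real checksums.
GO_SUM_OLD = """github.com/mailru/easyjson v0.7.7 h1:PLACEHOLDER
github.com/mailru/easyjson v0.7.7/go.mod h1:PLACEHOLDER
golang.org/x/text v0.14.0 h1:PLACEHOLDER
golang.org/x/text v0.14.0/go.mod h1:PLACEHOLDER
"""

# Constructed "next pull": easyjson bumped to an illustrative version.
GO_MOD_NEW = GO_MOD_OLD.replace("easyjson v0.7.7", "easyjson v0.99.0")

# Hypothetical policy an organization might enact; the owner prefix is the one
# the post's report calls out, the other rules are generic hygiene.
POLICY = {
    "flagged_owners": {"github.com/mailru"},  # owner path prefixes to review
    "disallow_pseudo_versions": True,         # untagged commits are not pinned releases
    "require_go_sum": True,                   # every module must be integrity-pinned
}

# Go pseudo-versions end in -<14-digit timestamp>-<12 hex chars of commit>.
PSEUDO_RE = re.compile(r"-\d{14}-[0-9a-f]{12}$")


def parse_go_mod(text):
    """Return {module path: version} from single-line and block-form require directives."""
    reqs, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as "// indirect"
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        parts = line.split()
        if in_block and len(parts) == 2:
            reqs[parts[0]] = parts[1]
        elif parts[0] == "require" and len(parts) == 3:
            reqs[parts[1]] = parts[2]
    return reqs


def parse_go_sum(text):
    """Return the set of (path, version) pairs that have a module-content hash line."""
    sums = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[1].endswith("/go.mod"):
            sums.add((parts[0], parts[1]))
    return sums


def check_policy(reqs, sums, policy):
    """Evaluate each requirement against the policy; returns (path, rule, detail) findings."""
    findings = []
    for path, version in sorted(reqs.items()):
        owner = "/".join(path.split("/")[:2])  # e.g. github.com/<org>
        if owner in policy["flagged_owners"]:
            findings.append((path, "flagged-owner", owner))
        if policy["disallow_pseudo_versions"] and PSEUDO_RE.search(version):
            findings.append((path, "pseudo-version", version))
        if policy["require_go_sum"] and (path, version) not in sums:
            findings.append((path, "missing-go-sum", version))
    return findings


def diff_inventory(old, new):
    """Report modules added, removed, or re-versioned between two inventories."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted((p, old[p], new[p]) for p in set(old) & set(new) if old[p] != new[p]),
    }


if __name__ == "__main__":
    old = parse_go_mod(GO_MOD_OLD)
    for finding in check_policy(old, parse_go_sum(GO_SUM_OLD), POLICY):
        print("FINDING:", *finding)
    print("DRIFT:", diff_inventory(old, parse_go_mod(GO_MOD_NEW)))
```

Run against the constructed input, the policy flags easyjson for owner review (it is otherwise pinned and checksummed), flags the helper module both for being a pseudo-version and for lacking a go.sum entry, and the inventory diff reports the easyjson version change so that a bump is a reviewed decision rather than something the next build silently takes. Wiring such a check into CI, with the flagged-owner list fed by a contributor inventory like the one described above, is the automated form of "never take the latest update unreviewed".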
The alternative is using Manifest to analyze and monitor open source contributors and their provenance. Our customers, including the Fortune 500 and various government agencies and departments, were proactively notified of their exposure to EasyJSON, and get automated alerts about problematic open source dependencies.
To learn more about how we can help you guard against the likes of EasyJSON, schedule a demo.