Securing Open Source Code is a National Security Imperative

Written by: Hayden Smith


The Foundation We All Stand On

The next frontier of warfare isn’t just kinetic; it’s code. Our adversaries don’t need bombs to destabilize us. They need bugs. Exploits. Manipulated commits. In an era of digital-first infrastructure, bits are bullets, and we are exposed.

Every government system, hospital, energy grid, airplane, and missile defense platform relies on software, and most of that software is built on open source software (OSS). It is the invisible scaffolding of modern civilization, silently running in the background, connecting our power plants, controlling our satellites, and enabling the global economy to move at digital speed. Open source software touches almost everything in our daily lives.

Yet, despite its centrality, open source remains dangerously underprotected and undersupported. Commercial enterprises generate billions of dollars in revenue from open source code, yet the maintainers behind it are often underfunded. The people who write the code are largely unvetted, and responsibility for the resulting risk is assigned to no one.

Foreign adversaries are already targeting open source ecosystems, not only to pre-position inside target environments but to sabotage them. Masquerading as a contributor, or even a maintainer, is easy: a pseudonymous account and a history of helpful patches is often all it takes. Paired with ecosystems that run on trust rather than verification, this is a toxic combination, particularly in the context of national defense.

This is not just a tech-debt issue. Connecting our national security systems to unvetted OSS has created a cyber powder keg and a ready foothold for nation-state actors looking to damage our infrastructure or steal intellectual property.


Fragility in the Commons

Open source works because it is communal. Most critical projects are maintained by volunteers, often working solo with minimal support, if any. A single line of insecure code in a popular library can cascade into a global supply chain failure. That is a measure of how much trust we place in the community.

Our digital backbone has been showing troubling symptoms: think Log4Shell, Heartbleed, SolarWinds, XZ. Log4Shell and Heartbleed were accidental bugs; the XZ backdoor was planted deliberately by a contributor who had spent years building trust with the project; SolarWinds was a compromised build pipeline. Different mechanisms, same structural problem: we are building vital systems on an unmonitored foundation. If open source is where design starts, then we should be monitoring those components and their ecosystems continuously to flag suspicious, anomalous, and hostile behavior from the adversaries targeting them every day. Driving the vulnerability count to zero will not help here: a planted backdoor carries no known CVE, passes vulnerability scanners untouched, and exploits the trust of the ecosystem to pose as a legitimate developer.

It’s time we put these threats in check. 


From “Open” to Accountable

We don’t need to lock down open source. We need to respect it, fund it, and secure it. Above all, we have to hold ourselves accountable for the ways we depend on it. That means:

  • Increasing visibility into the code we use. Both the code and its maintainers have to be reviewed; focusing solely on code and CVEs is no longer enough. Continuously monitoring open source ecosystems for threat activity (source code intelligence, not just vulnerability scanning) is critical. We need to validate that it is good code maintained by good people.
  • Understanding the provenance and maintenance model of critical dependencies. Your dependencies have dependencies. Use tooling that measures risk as well as security for every component in the tree and turns those measurements into concrete risk-reduction steps.
  • Supporting the maintainers who hold up the digital scaffolding of democracy. Big projects have thousands of eyes on them, which provides oversight. Look instead at the dependencies those projects rely on, and further down the tree: many of those maintainers would gladly welcome extra hands.
  • Using SBOMs not just for compliance, but for resilience. If a component you use turns out to be vulnerable or exploitable, you should already have a list of open source alternatives ready as replacements.
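As an added example, not code from this post or from any Hunted Labs product: a short Python script that loads a CycloneDX-style SBOM (a constructed one, with invented package names), walks the dependency graph so that "your dependencies have dependencies" becomes a concrete path from the application to each transitive component, flags any component on a hypothetical watchlist together with the pre-approved alternative, and reports components the SBOM cannot attribute to a supplier or pin to a hash. The SBOM, the watchlist and the hash values are all placeholders constructed for the illustration.

```python
"""
Walk a CycloneDX-style SBOM and show how a risky transitive dependency reaches
the application. Added illustration; the SBOM below is constructed for this
example and every package name in it is hypothetical, not a real project.
"""
import json
from collections import deque

# Constructed CycloneDX 1.4-style SBOM. Names and hash values are invented.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:npm/example-app@1.0.0",
                              "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.2.0", "name": "web-framework", "version": "4.2.0",
     "supplier": {"name": "Example Org"}, "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
    {"bom-ref": "pkg:npm/string-pad@1.0.3", "name": "string-pad", "version": "1.0.3"},
    {"bom-ref": "pkg:npm/archive-utils@5.6.1", "name": "archive-utils", "version": "5.6.1",
     "hashes": [{"alg": "SHA-256", "content": "bb22"}]},
    {"bom-ref": "pkg:npm/log-lib@2.14.0", "name": "log-lib", "version": "2.14.0",
     "supplier": {"name": "Example Org"}, "hashes": [{"alg": "SHA-256", "content": "cc33"}]}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.0.0",
     "dependsOn": ["pkg:npm/web-framework@4.2.0", "pkg:npm/log-lib@2.14.0"]},
    {"ref": "pkg:npm/web-framework@4.2.0", "dependsOn": ["pkg:npm/string-pad@1.0.3"]},
    {"ref": "pkg:npm/string-pad@1.0.3", "dependsOn": ["pkg:npm/archive-utils@5.6.1"]},
    {"ref": "pkg:npm/archive-utils@5.6.1", "dependsOn": []},
    {"ref": "pkg:npm/log-lib@2.14.0", "dependsOn": []}
  ]
}
'''

# Constructed watchlist: components an organization has decided to replace,
# mapped to alternatives it has pre-approved. Hypothetical entries only.
WATCHLIST = {
    "pkg:npm/archive-utils@5.6.1": ["pkg:npm/safe-archive@1.2.0"],
}


def load_graph(sbom_json):
    """Return (root bom-ref, adjacency dict, component dict) from the SBOM."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    return root, graph, components


def dependency_paths(root, graph):
    """BFS from the root; returns {ref: shortest path from root} for every reachable component."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for child in graph.get(cur, []):
            if child not in paths:
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def provenance_gaps(components):
    """Refs with no supplier or no hash: nothing to attribute the artifact to or pin it by."""
    gaps = {}
    for ref, comp in components.items():
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier")
        if not comp.get("hashes"):
            missing.append("hash")
        if missing:
            gaps[ref] = missing
    return gaps


def assess(sbom_json, watchlist):
    """Transitive reach, watchlisted components with the path that pulls them in, and provenance gaps."""
    root, graph, components = load_graph(sbom_json)
    paths = dependency_paths(root, graph)
    findings = []
    for ref, alternatives in watchlist.items():
        if ref in paths:
            findings.append({"ref": ref, "depth": len(paths[ref]) - 1,
                             "path": paths[ref], "alternatives": alternatives})
    return {"transitive_count": len(paths) - 1,
            "findings": findings,
            "provenance_gaps": provenance_gaps(components)}


if __name__ == "__main__":
    report = assess(SBOM_JSON, WATCHLIST)
    print(f"{report['transitive_count']} components reachable from the application")
    for f in report["findings"]:
        print(f"watchlisted {f['ref']} at depth {f['depth']} via " + " -> ".join(f["path"]))
        print("  approved alternatives:", ", ".join(f["alternatives"]))
    for ref, missing in report["provenance_gaps"].items():
        print(f"provenance gap: {ref} lacks {', '.join(missing)}")
```

The point of keeping the path rather than just the hit is that the fix lives with whichever direct dependency pulls the flagged component in, not with the flagged component itself; the provenance check is the complementary question of whether the SBOM gives you anything to verify that artifact against at all.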


Securing Our Future Means Securing Open Source

If we want a future where our systems are safe, our services uninterrupted, and our society resilient, we need to treat open source security as a public good: a national security imperative and a shared responsibility.

Because if we don’t protect the commons, we’ll all pay the price.

Hunted Labs provides the most comprehensive software supply chain visibility tool for critical workloads, distributed teams, commercial organizations running at scale, and enterprises with revenue-generating applications. Learn more about our product, Entercept, here
