Open Source Software Security Analysis at NTC
We all use it every day, but are rarely aware of it: Open Source Software (OSS). It is usually developed by dedicated individuals or small organizations with limited resources. This often leads to less comprehensive and professional security reviews. As a result, vulnerabilities or even backdoors are often found in open source software.
Vulnerabilities vs. backdoors: It is important to distinguish between vulnerabilities and backdoors:
Whether by accident or design, vulnerabilities are finding their way into our digital systems, from the thousands of servers that keep the digital world running to the billions of smartphones without which widespread digitization would be almost impossible. If left undetected, these vulnerabilities can cause great harm to the stability of the digital and physical world, freedom of expression, and education.
How does the NTC contribute?
One of the NTC's main focuses is performing technical security analyses to identify and fix vulnerabilities in open source software.
Focus on Switzerland: The NTC focuses on open source software that is of particular importance to Switzerland. The audits are done on its own initiative and with its own resources. These efforts are meant as an addition to international initiatives such as the Google Open Source Software Vulnerability Reward Program or the Open Source Security Foundation (OpenSSF) of the Linux Foundation. This way, the NTC helps to ensure that less well-known but critical software is also thoroughly tested.
By strengthening the security of open source software, the NTC contributes to Switzerland's digital resilience. Several examples of vulnerabilities in OSS projects that have already been fixed are listed on the NTC Vulnerability Hub.