Ironically, he said, one of the biggest reasons given for the world to use open source code is that it’s readily reviewable, so anyone can look at it to see and stop vulnerabilities. “But the reality is that almost no one security reviews any of the tens of millions of lines of open source code,” he pointed out.
“There have been dozens of open source projects that attempted to implement more default code review and all have failed,” he said. “One of my favorite related quotes of all time is, ‘Asking for users to review open source code before using is like asking passengers of an airliner to step outside the jet and review it for flight safety before they fly.’ I’m not sure who said that first, but it’s a brilliant summary of why volunteer open source code review really doesn’t work.”
Typosquatting
One favorite tactic of threat actors trying to infect the open source software supply chain is typosquatting: the creation of packages with names similar to those of legitimate ones, to trick unwitting developers searching for a particular library. For example, in 2018 a researcher found that threat actors had created phony libraries in the Python repository called ‘diango,’ ‘djago,’ and ‘dajngo’ to dupe developers seeking the popular ‘django’ Python library.