Linux admins,

Open source started as a way for hackers (the good guys) to create tools for themselves and others to solve a particular problem. Then, businesses adopted the methodology to increase efficiency and innovation and to develop products their customers want more cost-effectively. But what happens when an application is developed with the full resources of a business (or state-sponsored threat actors) and contains a well-placed backdoor or subtle bug that potentially impacts a modern software supply chain?

Russia or Iran doesn't need to attack us directly. Those nation-state actors could dedicate infinite resources to creating that indispensable app we all use in exchange for potentially gaining control of the thousands of people using it.

That's exactly what happened with easyjson, a Go package for JSON serialization maintained by the same company that operates mail.ru.

Read on to learn the secrets hidden within the code, how you might be impacted, and thoughts on what we should do to prevent similar attacks in the future.

I'll also explain how you can use open-source tools to overcome Software-as-a-Service (SaaS) security risks.

Please share this newsletter with your friends to help them gain critical Linux security insights. Is there a Linux security-related topic you want to cover for our audience? We welcome contributions from passionate, insightful community members like you! 

Yours in Open Source,


Dave Wreski

LinuxSecurity Founder

The Hidden Risks of Russian-Linked Open-Source Tool easyjson


Open-source tools are the backbone of countless systems, from cloud-native infrastructure to enterprise-level applications. But what happens when a widely used open-source library carries hidden risks?

This is the unsettling case with easyjson, a popular Go package for high-performance JSON serialization. While easyjson’s efficiency has made it a go-to dependency for projects like Kubernetes and Helm, the tool’s origins—and ongoing ties to Russia’s VK, a state-linked tech giant—raise serious security concerns. VK’s history of government collaboration and its sanctioned ownership have led Hunted Labs researchers to suggest that easyjson could be weaponized in ways that compromise critical U.S. systems.

This presents an urgent challenge for us admins and open-source community members: safeguarding our organizations against potential supply chain threats, backdoors, and espionage risks. The good news? We can mitigate these risks by auditing dependencies, adopting alternative libraries, and staying engaged with the open-source security community working to combat these concerns.

Let’s examine how easyjson is used, why its ties to VK are cause for concern, and what steps you can take to mitigate these risks while continuing to rely on open-source tools.
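Auditing dependencies is the first mitigation named above, and for Go projects that means finding not just whether easyjson is present but which direct dependency drags it in transitively. The helper below is an added illustration, not code from the newsletter or from easyjson; it reads `go mod graph` output (the module path `github.com/mailru/easyjson` is the package's real import path; the sample graph and its versions are constructed) and prints the chain from the main module to the target.

```shell
#!/bin/sh
# Assumed helper (not from the article): show how a module enters a Go build.
# Real use:  go mod graph | easyjson_paths github.com/mailru/easyjson

# Constructed sample of `go mod graph` output ("parent child@version" per line);
# versions are placeholders, not real release numbers.
SAMPLE_GRAPH='example.com/app helm.sh/helm/v3@v0.0.0-constructed
example.com/app github.com/spf13/cobra@v0.0.0-constructed
helm.sh/helm/v3@v0.0.0-constructed k8s.io/apimachinery@v0.0.0-constructed
k8s.io/apimachinery@v0.0.0-constructed github.com/mailru/easyjson@v0.0.0-constructed
github.com/mailru/easyjson@v0.0.0-constructed github.com/josharian/intern@v0.0.0-constructed'

# Reads a module graph on stdin; prints "root -> ... -> target" and exits 0,
# or prints "not found" and exits 1 so it can gate a CI step.
easyjson_paths() {
  awk -v target="$1" '
    {
      p = $1; c = $2
      sub(/@.*/, "", p); sub(/@.*/, "", c)   # compare by module path, ignore versions
      if (NR == 1) root = p                   # first line starts at the main module
      if (!(c in parent)) parent[c] = p       # keep the first-seen parent of each module
      if (c == target) found = 1
    }
    END {
      if (!found) { print "not found: " target; exit 1 }
      chain = target; node = target
      # Walk parent links back to the root; seen[] guards against cycles.
      while (node != root && (node in parent) && !seen[node]++) {
        node = parent[node]
        chain = node " -> " chain
      }
      print chain
    }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_GRAPH" | easyjson_paths github.com/mailru/easyjson
```

Run against a real checkout with `go mod graph | easyjson_paths github.com/mailru/easyjson` to see which top-level dependency (Helm, Kubernetes libraries, or your own code) is responsible for pulling it in.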

Learn About the Hidden Risks of easyjson>>

Overcoming SaaS Security Risks with Open-Source Tools


The explosive growth of Software-as-a-Service (SaaS) applications in recent years has ushered in new conveniences and new risks. For us Linux security admins, safeguarding SaaS environments isn't just a nice-to-have; it’s a critical responsibility. These cloud-based tools often integrate deeply with infrastructure, access sensitive data, and interact with APIs, which means any security gap could ripple into the core systems that we Linux admins strive to protect. Add to this the rise of shadow IT, overly permissive access levels, and the ever-growing number of machine identities, and the complexities of modern SaaS security become clear.

The challenges are real: weak or exploited multi-factor authentication (MFA), excessive API privileges, and unmonitored third-party tools are just a few of the pain points organizations are grappling with, as revealed in a recent survey by the Cloud Security Alliance and Valence Security. But the good news is that we Linux admins have a robust arsenal of open-source tools to counter these challenges. From HashiCorp Vault for managing secrets to Open Policy Agent (OPA) for enforcing policies, practical solutions exist to help us unify and strengthen SaaS security. We’ll dive into why SaaS security is essential, explore the top risks to watch out for, and share our top open-source tools that can make this daunting task more manageable.

Learn About SaaS Security Tools>