
Kaspersky Open Source Software Threats Data Feed

Product
Developers: Kaspersky
Release date: Dec 2022
Branches: Information Technology

2023: CodeScoring Integration

Kaspersky Lab and Profiscope announced the integration: the Kaspersky Open Source Software Threats Data Feed vulnerability data service is now available to CodeScoring users. Web Control (WEB Control DC) announced this on October 18, 2023.

Kaspersky Open Source Software Threats Data Feed supplies data that is not found in public vulnerability databases. This includes components with undeclared capabilities (for example, displaying unwanted geopolitical messages) and packages that carry unsafe software such as cryptominers or malicious tools. The information is delivered to the customer in JSON format.

CodeScoring is a tool for using this data: it automates the validation of open source components and provides developers with analysis results.

Using ready-made packages in development is a generally accepted practice that saves time when creating software. However, it is important to be mindful of the risk of supply chain attacks, which rose markedly in 2022, when many compromised and malicious packages were discovered in popular repositories. Companies need to check third-party components in order to reduce the risks of using them. Security risks of open source are, as a rule, assessed with SCA (software composition analysis) systems that collect open information from international vulnerability databases.

CodeScoring is a Russian OSA/SCA solution that secures the use of Open Source components and protects the supply chain at all stages of the software lifecycle. The solution allows you to collect and manage information about the open source components in use and to monitor security risks, as well as license and operational risks, according to configured policies. Before the integration, CodeScoring used vulnerability information from 15 ecosystem vulnerability databases, such as the NIST National Vulnerability Database (NVD), GitHub Security Advisory (GHSA), Open Source Vulnerabilities (OSV) and Sonatype OSS Index. The integration with Kaspersky Lab makes it possible to receive more information about open packages and to configure more effective security policies.
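The page says the feed is delivered as JSON and that CodeScoring checks the components in use against it according to configured policies. The script below is an added illustration of that workflow, not code from Kaspersky or Profiscope: it loads a constructed feed whose schema (OSV-style "introduced"/"fixed" ranges, a "type" of malicious, undeclared_capability or vulnerability) is an assumption made for this example, matches a constructed dependency list against it, and applies a simple block/warn policy. All package names, versions and the "EXAMPLE-2023-0001" identifier are invented sample data.

```python
import json
from dataclasses import dataclass

# Constructed sample feed. The schema is an assumption made for this example
# (loosely modelled on OSV-style affected ranges); it is not the real
# Kaspersky feed format, and every package, version and id is invented.
SAMPLE_FEED = """
[
  {"ecosystem": "npm", "package": "left-shift-utils", "type": "malicious",
   "category": "cryptominer", "affected": [{"introduced": "1.2.0"}]},
  {"ecosystem": "pypi", "package": "colorpretty", "type": "undeclared_capability",
   "category": "geopolitical_message",
   "affected": [{"introduced": "0.9.0", "fixed": "0.9.3"}]},
  {"ecosystem": "pypi", "package": "fastyaml", "type": "vulnerability",
   "id": "EXAMPLE-2023-0001", "severity": "high",
   "affected": [{"introduced": "0", "fixed": "2.4.1"}]}
]
"""

# Constructed dependency manifest: (ecosystem, package, resolved version).
SAMPLE_DEPENDENCIES = [
    ("npm", "left-shift-utils", "1.3.0"),   # malicious from 1.2.0 onwards
    ("pypi", "colorpretty", "0.9.3"),       # the fixed version, should pass
    ("pypi", "fastyaml", "2.3.9"),          # below the fix, high severity
    ("pypi", "requests", "2.31.0"),         # not in the feed at all
]

# Policy assumed for this example; a real SCA tool would read it from
# configured policies rather than hard-coding it.
BLOCKING_TYPES = {"malicious", "undeclared_capability"}
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    package: str
    version: str
    action: str   # "block" or "warn"
    reason: str


def parse_version(text: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1); non-numeric parts compare as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, ranges: list) -> bool:
    """True if version falls inside any [introduced, fixed) range.

    A range without 'fixed' means every later version is still affected,
    which is the usual case for a package flagged as malicious."""
    v = parse_version(version)
    for r in ranges:
        lower = parse_version(r.get("introduced", "0"))
        upper = r.get("fixed")
        if v >= lower and (upper is None or v < parse_version(upper)):
            return True
    return False


def load_feed(text: str) -> dict:
    """Index feed records by (ecosystem, package) for direct lookups."""
    index = {}
    for record in json.loads(text):
        key = (record["ecosystem"].lower(), record["package"].lower())
        index.setdefault(key, []).append(record)
    return index


def evaluate(dependencies, feed_index) -> list:
    """Check every dependency against the feed and apply the policy."""
    findings = []
    for ecosystem, package, version in dependencies:
        for record in feed_index.get((ecosystem.lower(), package.lower()), []):
            if not is_affected(version, record.get("affected", [])):
                continue
            kind = record["type"]
            if kind in BLOCKING_TYPES:
                action = "block"
                reason = f"{kind}: {record.get('category', 'unspecified')}"
            else:
                severity = record.get("severity", "unknown").lower()
                action = "block" if severity in BLOCKING_SEVERITIES else "warn"
                reason = f"{record.get('id', 'no-id')} ({severity})"
            findings.append(Finding(ecosystem, package, version, action, reason))
    return findings


def build_allowed(findings) -> bool:
    """A build passes only if no finding carries the 'block' action."""
    return not any(f.action == "block" for f in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_DEPENDENCIES, load_feed(SAMPLE_FEED))
    for f in results:
        print(f"{f.action.upper():5} {f.ecosystem}/{f.package}@{f.version}: {f.reason}")
    print("build allowed:", build_allowed(results))
```

Run against the constructed data, the script blocks left-shift-utils (malicious at every version from 1.2.0) and fastyaml (a high-severity vulnerability below the fixed version), passes colorpretty because 0.9.3 is the first fixed release, and ignores requests because the feed has no record for it. The version ranges are half-open on purpose: a "fixed" version is the first clean one, so it must not be reported.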

As of October 2023, Kaspersky Open Source Software Threats Data Feed contains information about 42 thousand vulnerabilities in more than 10 thousand packages, and about 11 thousand malicious or potentially dangerous open source packages (hacker utilities) hosted in popular repositories. The feed covers both malicious and vulnerable packages found in those repositories; malicious components were most often found in the npm and PyPI repositories.

Distribution by threats in vulnerable packages, Kaspersky Lab data
"User safety is a priority for our company. Recently, businesses have been actively adopting open source software solutions. We are grateful to Profiscope for integrating our service into the CodeScoring solution. As a result, users have received a fully functional composition analysis solution, strengthened by Kaspersky Lab's 25-year expertise in the field of cybersecurity. This has a positive impact on the level of security of customers' products and systems," said Oleg Shaburov, Business Development Manager at Kaspersky Threat Intelligence.

"Cooperation with Kaspersky Lab is a serious step for our common business in the field of domestic cybersecurity," said Alexey Smirnov, founder and CEO of Profiscope. "Kaspersky Lab has deep expertise in detecting malware and working with vulnerable components. Our integration gives developers comprehensive information about the security of Open Source components, which is especially important for Russian companies in difficult conditions. It strengthens supply chain protection mechanisms against malicious components entering the development loop, provides our customers with additional information on vulnerable components, and ultimately helps create secure IT products that strengthen national technological sovereignty."

2022: Product Announcement

In December 2022, Kaspersky Lab introduced a free service for identifying hidden backdoors (undeclared capabilities) in open source software. The company claims that this is the first platform of its kind in Russia. It was named Kaspersky Open Source Software Threats Data Feed.

Developers often use off-the-shelf open source packages in their work. There are several large repositories where specialists can find a component suitable for their project. However, such packages may contain accidental or intentional vulnerabilities, as well as malicious code. Moreover, sometimes the creators of the package deliberately bring the executable code of the program to a view that preserves its fan

Kaspersky Lab presented a free service for identifying hidden backdoors in open source software

With the Kaspersky Open Source Software Threats Data Feed, developers will be able to avoid vulnerable and compromised packages. These include packages that contain political slogans or change their functionality in certain regions (for example, blocking functionality in the Russian Federation). The feed is provided in JSON format.

By December 2022, Kaspersky Open Source Software Threats Data Feed already contained information about roughly three thousand vulnerable and malicious packages hosted in popular repositories. Undeclared capabilities, including the display of unwanted political information, were found in dozens of packages. Some of the compromised components had been downloaded tens of thousands of times by users. According to Kaspersky Lab, among the vulnerabilities found in Open Source packages, about 35% are rated High and about 10% Critical.