In the 10th edition of its ENISA Threat Landscape (ETL), the EU’s cybersecurity agency explicitly warns of increasing threats from hacking attacks on public sector entities.

Around a quarter of all security related incidents target administrative or government entities, the ENISA study reports – making the public sector nearly twice as much at risk as hosters and providers, who come in second at 13 %. More than ever, users should protect their networks – for example, with products from Greenbone.

The number one threat still are extortionate ransomware attacks, followed by malware and social engineering, e.g. where attackers try to obtain passwords from employees via telephone.

Geopolitics doesn’t stop at the public data center

However, things have changed in the last two years – not only the war in Ukraine ensured that “geopolitical aspects have a significantly greater influence” on threat scenarios, the ENISA authors write. Attacks are becoming more destructive, motivated by the armed conflict and are being flanked by targeted disinformation campaigns – which are increasingly directed against public institutions.

Businesses and government agencies, however, are worried by the fact that attackers have gained in skill level, aggressiveness and agility since 2021. The better organizations have adapted their cybersecurity programs and thus their defenses to the threat environment, the more they have forced attackers to adopt newer attack vectors, to the point of developing new, unknown zeroday exploits and more. At the same time, hacker groups are constantly becoming more agile, renaming themselves and continuously regrouping, further complicating attribution (matching an attack to individuals).

Progressive professionalization of attackers

As if that weren’t enough, the hacker-as-a-service model continues to gain traction; people are becoming more professionalized. Attacks are also increasingly targeting the supply chain, managed service providers and are becoming more and more, as they have been doing every year, especially in the upcoming reporting period – the phase at the end of a fiscal year when reports relevant to the stock exchange may have to be prepared.

What is new, however, according to ENISA, is the increase in hybrid threats, which are also fueled by state actors and software. The study specifically cites the spyware “Pegasus” developed by the Israeli government, as well as phishing and attacks on data infrastructures.

Machine learning and artificial intelligence

The professionalization of attacks has had a particularly fatal effect, because they have become much more sophisticated through the use of machine learning and artificial intelligence. For example, there are already bots that act as deep fakes, disrupt chains of command, and are also capable of disabling government institutions with masses of fake comments.

ENISA groups the typical attackers into four categories: State-sponsored, organized crime (cybercrime), commercial hackers (“hackers for hire”), and activists. The goal of all these attackers is usually unauthorized access to data and disruption of the availability of services (and in many cases the associated extortion of ransom money), they said.

Vulnerability Management protects

The only safe option that government agencies and companies have to counter these attacks is Vulnerability Management, which allows them to look at their own IT infrastructure from the outside, from the perspective of a potential attacker. This is the only way to identify and close security gaps before an attacker succeeds.

This is exactly where our Vulnerability Management products come in – as a hardware or virtual appliance or in the Greenbone Cloud Service. Greenbone develops an Open Source Vulnerability Management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete action instructions that you can implement immediately.

We work strictly according to German/European law and offer an Open Source solution. This means best data protection compliance and is thus guaranteed free of backdoors.

Greenbone: Many years of experience in the public sector

For many years, Greenbone has been offering customized products for the public sector, e.g. for requirements of higher security levels (classified, VS-NFD and higher).

Even networks that are physically separated from other networks can be scanned for vulnerabilities with Greenbone. Such areas separated by an “air gap” often occur in public authorities when network segments must be operated separately from the Internet and the rest of the public authority network due to a special need for protection. Greenbone’s products support strict airgap via special USB sticks, but also data diodes that allow traffic in one direction only.

No matter if you already have a frame contract with us or if you contact us for the first time, e.g. via the form on our website: We are happy to help you. Greenbone can look back on many years of experience with public authorities and is always ready to help you with words and deeds. Contact us!


The EuGH ruling known as “Schrems-II” on secure data exchange with the US has left a lot of legal uncertainty: Companies urgently need to adapt their contracts and a new solution is not in sight. It is time to switch to modern, data protection compliant and legally secure tools – such as the Greenbone Cloud Service for Vulnerability Management.

Data Security GDPR COMPLIANT

The “EU-US Privacy Shield” agreement, which attempted to regulate data protection in data transfers between the EU and the US (and other third countries), also failed to meet Europe’s requirements, its highest court ruled. In mid-July 2020, the European Court of Justice ECJ also declared the Privacy Shield invalid, following “Safe Harbor.”

Lack of legal certainty and renewed work

For many companies, this brought not only uncertainty, but also very concrete work: New standard contractual clauses (SCC) in accordance with the requirements of the EU Commission must be created. Time is pressing here: the EU’s “guardian of the treaties” will require new SCCs for old contracts as well from December 27, 2022.

Even more annoying, however, is that the future of transatlantic data processing also remains uncertain. According to experts, a decree by the U.S. president in October 2022 is likely to be just as short-lived as the predecessor regulations overturned by the ECJ. The legal areas are too different for a permanent, binding solution to be found. The only safe solution is to rely on legally secure products that comply with the GDPR from the outset.

Greenbone Cloud Service: GDPR-compliant Vulnerability Management already today

When it comes to vulnerability management, this is already possible today, quite simply with the Greenbone Cloud Service. It enables high-quality Vulnerability Management as a Service and allows users to detect vulnerabilities in their own network infrastructure (without installing virtual or hardware appliances) within a few steps and generates instructions for their remediation in the form of reports. Scan requests from the client network reach the scan clusters via cloud management, which do the core work and return the information for the reports more information here in the datasheet).

For both centrally managed networks and distributed environments that require high scalability, the Greenbone Cloud Service is perfect. The platform is ready to use within minutes without any local components. Users can start using the results immediately.

In addition, the Greenbone Cloud Service already ensures legal security and GDPR-compliant Vulnerability Management for all cloud customers today, because data processing takes place exclusively in German data centers, i.e. in the European legal area and within the scope of the GDPR. Data transfer of any kind to the USA or other third countries that cannot guarantee adequate data protection is thus excluded.

Try Greenbone Cloud Service for free

As a “trial”, the Greenbone Cloud Service is free of charge for 14 days. Users can try it out quickly, without special know-how directly in the web browser – during this time they can scan 2 external as well as 20 internal IP addresses. A direct upgrade to a valid subscription is possible at any time. The Greenbone Cloud Service Trial uses the daily updated Greenbone Enterprise Feed.

With its help, Greenbone automatically tests your IT network and all connected devices for more than 100,000 vulnerabilities and provides you with a daily updated, accurate status of the security situation in your company. Because the vulnerability check also provides you with information on the severity level at the same time, you can prioritize the identified vulnerabilities and the measures to be taken.

Vulnerability Management that looks at your IT infrastructure from the outside is indispensable in modern companies. With the perspective of a potential attacker, so to speak, you can ideally find every existing vulnerability in your IT infrastructure and take care of its elimination. Only those who know their vulnerabilities can implement security measures in a targeted manner.


Greenbone is stepping up its commitment to open source and the community edition of its vulnerability management software. In addition to the open source code on Github, Greenbone now also provides pre-configured and tested Docker containers.

Official containers from the manufacturer itself

The Greenbone Community Containers are regularly built automatically and are also available for ARM and Raspberry Pi.

Björn Ricks, Senior Software Developer at Greenbone, sees this as a “big improvement for admins who just want to give Greenbone a try. Our official containers replace the many different Docker images that exist on the web with an official, always up-to-date, always-maintained version of Greenbone.”

Official Docker Container for Greenbone Community Edition

Hi Björn, what is your role at Greenbone?

Björn Ricks: One of my current tasks is to provide community container builds at Greenbone. Taking care of the community has always been a big concern of mine and for a long time I wanted to make sure that we also provide “official” Docker images of Greenbone. I’m very pleased that this has now worked out.

What is the benefit of the images for the community?

Björn Ricks: We make it much easier for administrators and users who want to test Greenbone. The installation now works completely independent of the operating system used: just download and run the Docker compose file that describes the services, open the browser and scan the local network. I think that’s a much lower barrier to entry, ideal even for anyone who doesn’t yet know the details and capabilities of our products.

Why does Greenbone now provide containers itself? There were already some on the net, weren’t there?

Björn Ricks: Yes, that’s right, but we found out that some people were unsure about the content, legitimacy and maintenance of these images. That’s why we decided to offer Docker images signed by us with verified and secured content.
All the container images existing on the network have different version status and even more so different quality grade. It is often impossible to tell from the outside whether an image is “any good” or not. Of course, you also have to trust the external authors and maintainers that they know what they are doing and that their images do not contain any additional security vulnerabilities. Only we, as producers of our own software, can guarantee that the published container images have the current version status and the desired quality grade.

Does Greenbone also plan to provide Docker images for its commercial product line, Greenbone Enterprise Appliances?

Björn Ricks: That depends on requests from our commercial customers. The Greenbone Community Edition includes access to the community feed with around 100,000 vulnerability tests. Our commercial feed contains even more tests, including those for many proprietary products that our customers use.

We have found that our customers are happy with our appliances, our virtual appliances, and our cloud solution – all of which qualify for use of the commercial feed subscription. However, this could change, and if it does, we will consider offering Docker containers to commercial customers.

How often are the images updated and what feed is included?

Björn Ricks: The images are built and published directly from the source code repositories. So they are always up to date and contain all patches. At the moment only the community feed is available for the images, but this might change in the future.

Where can I get the images and the documentation?

Björn Ricks: The Docker compose file for orchestrating the services is linked in the documentation, The Dockerfiles for building the Docker images can also be found on Github in the corresponding repositories, and are quite easy to download, for example: here.


Greenbone, the global leader in open source vulnerability management solutions, has launched a community portal for its user and developer community, making the extensive information available for community editions clearer and easier to access.

Community Portal Greenbone

Who is the portal for?

At community.greenbone.net, vulnerability management experts invite users, developers and all IT professionals who are professionally involved in security and protection against hackers to browse forums, blogs, news and documentation and help shape the pages.

Central point of contact
“Our new Community Portal is the central place where users, experts, Greenbone employees and anyone else interested can meet and get up-to-the-minute information about the products, the company or new features,” explains Greenbone’s Community Manager DeeAnn Little: “We want the portal to be a home for the large, worldwide Greenbone community, with all the links and information anyone who works with our vulnerability management tools needs.”

What the new portal offers
For both Greenbone OpenVAS and the Greenbone Community Edition, you can find (under “Getting started“) numerous instructions on how to install and configure the community versions. In addition, there are news and updates, for example about the recently released Docker container releases of the Community Edition but also current figures about Greenbone installations on a world map and a completely revised forum with new categories and Blog.

For the community, with the community
“All this would not be possible without the numerous contributions from the Greenbone community, but at the same time this is only the first step,” explains Little: “In the future, we will also have our experts explain technical details and present new features here.

Greenbone invites the large community to give input and suggestions which topics are of relevance and interest for them Little explains:

“We welcome all input and all suggestions, ideas and ideas for improvement, which is exactly what the portal is here for. Send us your questions, any questions! What have we missed? What would you like to see? How can we make the portal, the forum and the new pages even better? What topics would you like to see – what should we report on?” You can leave your statement here, we will be glad to reveive it.

Greenbone Community Forum in a new look

Greenbone has also integrated the popular User Forum into the Community Portal. With the new look, it will continue to provide users of Greenbone’s software – regardless of their technical background – with a platform for ideas, mutual help, but also feedback.

“The forum is a place where users can meet and help each other as equals – it’s a place of exchange where we can always learn, too,” Little explains. “Whether it’s a beginner’s question, more in-depth howtos, or getting started guides, many a user will find help from experienced users in the forum, even in exotic setups.”


Greenbone, a world leader in open source vulnerability management software, has released its latest scanner, Notus.

“With Notus, a milestone for the performance of extensive comparisons of software versions has been created in recent years,” explains CIO Elmar Geese.

With Notus, Greenbone is also responding to customer requests for better performance in version checks. Whether a security vulnerability is dangerous for a company depends mainly on the installed software versions and their patch level. In very many cases, a vulnerability scanner must therefore match a large number of software versions and detect combinations of these. As the complexity of the setups increases, this test becomes more and more extensive. However, because the overall result of the scan also depends heavily on this data collection, Notus will enable such scans much faster than any of its predecessors.

Faster thanks to JSON

“The scanner rattles off the relevant servers and captures software running there. For the actual scan, it essentially only gets the info about affected and fixed packages,” explains Björn Ricks, Senior Software Developer at Greenbone. “With the previously used scanner and its predecessors, we usually had to start a separate process per version check, meaning a separate manually created script. Generating these scripts automatically is time-consuming.” Notus, on the other hand, only loads the data it needs from JSON files. Ricks sums it up, “Notus is significantly more efficient, requires fewer processes, less overhead, less memory, …”

CIO Geese then also declares the Notus scanner to be a “milestone for our users, it improves the performance significantly. Our well-known high detection quality as well as performance, central goals of our product strategy, will be optimally supported by the new scanner.”

Notus, Greenbone and OpenVAS

The Notus project consists of two parts: a Notus generator, which creates the JSON files containing information about vulnerable RPM/Debian packages, and the Notus scanner, which loads these JSON files and interprets the information from them.

OpenVAS, the Open Vulnerability Assessment System, was created in 2005, when the development team of the Nessus vulnerability scanner decided to stop working under open source licenses and move to a proprietary business model.

Since 2008, Greenbone has been providing professional vulnerability scanning support. For this purpose, Greenbone took over the further development of OpenVAS, added several software components and thus transformed OpenVAS into a comprehensive vulnerability management solution that still carries the values of free software. The first appliances came onto the market in spring 2010.

Microsoft Office has released patches for the Follina vulnerability CVE-2022-30190 (Follina) with the June 14, 2022 Windows Security Update. Appropriate vulnerability tests have been implemented in the Greenbone Enterprise Feed and the Greenbone Community Feed, allowing you to test your network for the vulnerability and take protective measures using the patches. Read more information about the latest Follina update here.

The vendor refers to the following security updates to close the vulnerability:

  • KB5014678: Windows Server 2022
  • KB5014697: Windows 11
  • KB5014699: Windows 10 Version 20H2 – 21H2, Windows Server 20H2
  • KB5014692: Windows 10 Version 1809 (IoT), Windows Server 2019
  • KB5014702: Windows 10 1607 (LTSC), Windows Server 2016
  • KB5014710: Windows 10 1507 (RTM, LTSC)
  • KB5014738: Monthly Rollup Windows Server 2012 R2, Windows RT 8.1, Windows 8.1
  • KB5014746: Security only Windows Server 2012 R2, Windows RT 8.1, Windows 8.1
  • KB5014747: Monthly Rollup Windows Server 2012
  • KB5014741: Security only Windows Server 2012
  • KB5014748: Monthly Rollup Windows Server 2008 R2, Windows 7 SP1
  • KB5014742: Security only Windows Server 2008 R2, Windows 7 SP1

This means that security updates are available for all versions of Windows Server and Client that are still in support. The vulnerability is rated as “important”, which means that users should install the updates promptly to close the gap.
Microsoft said, “The update for this vulnerability is included in the June 2022 Windows Cumulative Updates, and Microsoft strongly recommends that all customers install the updates to fully protect themselves from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to perform any further actions.”

Follina Update

Installing the June 14 patches is all the more important because attackers and security professionals have already found several ways to exploit the vulnerability, but Microsoft has so far only offered workarounds (see also our blog article).
Greenbone has integrated corresponding vulnerability tests into the Greenbone Community Feed and the Greenbone Enterprise Feed and thus offers the possibility to test the network for this vulnerability and to take protective measures if necessary or to use the new Microsoft patches.

Once again, a flaw has surfaced in Microsoft Office that allows attackers to remotely execute malicious code on the systems of attacked users using manipulated documents. Known as Follina, CVE-2022-30190 has been known for years, but Microsoft has not fixed it to date. Greenbone has added an appropriate vulnerability test to their feeds to detect the new Follina vulnerability in Microsoft Office.

Follina (CVE-2022-30190)

Follina Requires Immediate Action

The CVE named “Follina” is critical and requires immediate action: just opening Microsoft Word documents can give attackers access to your resources. Because a flaw in Microsoft Office allows attackers to download templates from the Internet via ms-msdt:-URI handler at the first click, attackers can create manipulated documents that, in the worst case, can take over entire client systems or spy on credentials.

According to Microsoft, the “protected view” offers protection. However, because users can deactivate this with just one click, the US manufacturer advises deactivating the entire URL handler via a registry entry. As of today, all Office versions seem to be affected.

Greenbone Enterprise Feed Helps and Protects

The Greenbone Enterprise Feed and the Greenbone Community Feed now contain an authenticated check for Microsoft’s proposed workaround, helping you to protect yourself from the impact of the vulnerability. Our development team is monitoring the release of Microsoft patches and recommendations for further coverage. We will inform about updates here on the blog.

Securing IT Networks for the Long Term

If you want to know which systems in your network are (still) vulnerable to vulnerabilities – including the critical vulnerability associated with CVE-2022-30190– our vulnerability management helps you. It applies to systems that definitely need to be patched or otherwise protected. Depending on the type of systems and vulnerability, they can be found better or worse. Detection is also constantly improving and being updated. New gaps are found. Therefore, there may always be more systems with vulnerabilities in the network. Thus, it is worthwhile to regularly update and scan all systems. For this purpose, Greenbone’s vulnerability management offers appropriate automation functions.

Vulnerability management is an indispensable part of IT security. It can find risks and provides valuable information on how to eliminate them. However, no single measure, including vulnerability management, offers 100 % security. To make a system secure, many systems are used, which in their entirety should provide the best possible security.

Greenbone is now a TISAX participant and its Information Security Management System (ISMS) and data protection processes are certified within the German automotive industry’s TISAX scheme. “We have taken this step as an effort in providing the best possible protection of sensitive and confidential information for our customers, as the next logical step after being successfully certified for worldwide accepted international industry standards like ISO 27001 and ISO 9001.” – Dr. Jan-Oliver Wagner, CEO of Greenbone. The results are available on the ENX portal using the Scope ID S3LW9L and the Assessment ID A1P7V9. TISAX and TISAX results are not intended for general public.

TISAX, the “Trusted Information Security Assessment Exchange”, is a mechanism for checking and exchanging test results according to industry-specific standards. Originally created as a system for the exchange of standardized test results in the automotive industry, it is optimized for the risk assessment of suppliers. Therefore, TISAX is being developed and governed by the ENX Association and published by the German Association of the Automotive Industry (VDA). Its focus lies on secure information processing between business partners, protection of prototypes and data protection in accordance with the EU’s General Data Protection Regulation (GDPR) for potential deals between car manufacturers and their service providers or suppliers.

As a crucial part of a secure supply chain, TISAX is a standard for Information Security Management Systems (ISMS), originally derived from the ISO/IEC 27001 standard in 2017, but has since diverged. For the automotive industry, TISAX brings standardization, quality assurance and guarantees information security measures are assessed by audit providers in accordance with the VDA standards. Audits according to TISAX, especially for service providers and suppliers, are carried out by so-called “TISAX audit service providers” and come with three levels of maturity an overview of which you can find in the TISAX Participant Handbook and on websites of certification providers like Adacor (German only).

Greenbone’s certifications increase our products’ value for our customers, not just by saving time and money, but also by proving our outstanding security level and high standards. Elmar Geese, CIO at Greenbone: “With TISAX, we document our independently audited security status. Customers do not need to do individual assessments, work with lengthy questionnaires or all the other things needed in a bottom-up audit. We guarantee that we meet their security requirements.”

Therefore, Greenbone follows the question catalogue of information security of the German Association of the Automotive Industry (VDA ISA). The assessment was conducted by an audit provider. The result is exclusively retrievable via the ENX portal (Scope ID: S3LW9L, Assessment ID: A1P7V9).


In networked production, IT and OT are growing closer and closer together. Where once a security gap “only” caused a data leak, today the entire production can collapse. Those who carry out regular active and passive vulnerability scans can protect themselves.

What seems somewhat strange in the case of physical infrastructure – who would recreate a break-in to test their alarm system – is a tried and tested method in IT for identifying vulnerabilities. This so-called active scanning can be performed daily and automatically. Passive scanning, on the other hand, detects an intrusion in progress, because every cyber intrusion also leaves traces, albeit often hidden.

Controlling the Traffic

Firewalls and antivirus programs, for example, use passive scanning to check traffic reaching a system. This data is then checked against a database. Information about malware, unsafe requests and other anomalies is stored there. For example, if the firewall receives a request from an insecure sender that wants to read out users’ profile data, it rejects the request. The system itself is unaware of this because the passive scan does not access the system but only the data traffic.

The advantage of this is the fact that the system does not have to use any additional computing power. Despite the scan, the full bandwidth can be used. This is particularly useful for critical components. They should have the highest possible availability. The fewer additional activities they perform, the better.

The disadvantage of passive scanning is that only systems that are actively communicating by themselves can be seen. This does not include office software or PDF readers, for example. But even services that do communicate do so primarily with their main functions. Functions with vulnerabilities that are rarely or not at all used in direct operation are not visible, or are only visible when the attack is already in progress.

Checking the Infrastructure

Active scans work differently and simulate attacks. They make requests to the system and thereby try to trigger different reactions. For example, the active scanner sends a request for data transfer to various programs in the system. If one of the programs responds and forwards the data to the simulated unauthorized location, the scanner has found a security hole.

Differences between active and passive vulnerability scans

Left: Active scans send queries to the system in an attempt to trigger different responses. Right: Passive scans check the traffic reaching a system and match this data against a database.

The advantage: the data quality that can be achieved with active scanning is higher than with passive scanning. Since interaction takes place directly with software and interfaces, problems can be identified in programs that do not normally communicate directly with the network. This is also how vulnerabilities are discovered in programs such as Office applications.

However, when interacting directly, systems have to handle extra requests which may then affect the basic functions of a program. Operating technology such as machine control systems, for example, are not necessarily designed to perform secondary tasks. Here, scanning under supervision and, as a supplement, continuous passive scanning are recommended.

Scanning Actively, but Minimally Invasive

Nevertheless, active scanning is essential for operational cyber security. This is because the risk posed by the short-term overuse of a system component is small compared to a production outage or data leak. Moreover, active scans not only uncover vulnerabilities, they can also enhance passive scans. For example, the vulnerabilities that are detected can be added to firewall databases. This also helps other companies that use similar systems.

Active and Passive Scanning Work Hand in Hand

Since the passive scanner can also provide the active scanner with helpful information, such as information about cell phones or properties about network services, these two security tools can be considered as complementary. What they both have in common is that they always automatically get the best out of the given situation in the network. For the passive and active scanning techniques, it does not matter which or how many components and programs the network consists of. Both security technologies recognize this by themselves and adjust to it. Only with a higher level of security does the optimized tuning of network and scanners begin.

So it is not a question of whether to use one or the other. Both methods are necessary to ensure a secure network environment. A purely passive approach will not help in many cases. Proactive vulnerability management requires active scans and tools to manage them. This is what Greenbone’s vulnerability management products provide.


Open source is unceasingly on the rise among the vast majority of companies, software manufacturers and providers. However, this triumphant advance is also increasing the importance of monitoring the supply chain of the software used, which third parties have developed in accordance with open-source traditions. But not everyone using open-source software follows all the tried and true rules. Greenbone can help track down such mistakes. This blog post explains the problem and how to avoid it.

Supply Chains in Open-Source-Software

 

Vulnerabilities in Log4j, Docker or NPM

At the end of 2021, the German Federal Office for Information Security (BSI) officially sounded the alarm about a remotely exploitable vulnerability in the logging library Log4j. At the time, critics of open-source software promptly spoke out: open-source software like Log4j was implicitly insecure and a practically incalculable risk in the supply chain of other programs.

Although the open-source developers themselves fixed the problem within a few hours, countless commercial products still contain outdated versions of Log4j – with no chance of ever being replaced. This is not an isolated case: recently, the story of a developer for NPM (Node Package Manager, a software package format for the web server Node.js) caused a stir, who massively shook the trust in the open-source supply chain and the development community with his actually well-meant protest against the war in Ukraine.

Open Source in Criticism

It was not the first time that NPM became a target. The package manager was already affected by attacks at the end of 2021. At that time, developer Oleg Drapeza published a bug report on GitHub after finding malicious code to harvest passwords in the UAParser.js library. Piece by piece, the original author of the software, Faisal Salman, was able to reconstruct that someone had hacked into his account in NPM’s package system and placed malicious code there. The problem: UAParser.js is a module for Node.js and is used in millions of setups worldwide. Accordingly, the circle of affected users was enormous.

Again, the open-source critics said that open-source software like UAParser.js is implicitly insecure and a practically incalculable risk in the supply chain of other programs. Even more: open-source developers, according to the explicit accusation, incorporate external components such as libraries or container images far too carelessly and hardly give a thought to the associated security implications. For this reason, their work is inherently vulnerable to security attacks, especially in the open-source supply chain. Alyssa Shames discusses the problem on docker.com using the example of containers and describes the dangers in detail.

The Dark Side of the Bazaar

DevOps and Cloud Native have indeed had a major impact on the way we work in development in recent years. Integrating components that exist in the community into one’s own application instead of programming comparable functionality from scratch is part of the self-image of the entire open-source scene. This community and its offer can be compared with a bazaar, with all advantages and disadvantages. Many developers place their programs under an open license, precisely because they value the contributions of the other “bazaar visitors”. In this way, others who have similar problems can benefit – under the same conditions – and do not have to reinvent the wheel. In the past, this applied more or less only to individual components of software, but cloud and containers have now led to developers no longer just adopting individual components, but entire images. These are software packages, possibly even including the operating system, which in the worst case can start untested on the developer’s own infrastructure.

A Growing Risk?

In fact, the potential attack vector is significantly larger than before and is being actively exploited. According to Dev-Insider, for example, in the past year the number of attacks on open-source components of software supply chains increased by 430 percent, according to a study by vendor Sonatype. This is confirmed by Synopsis’ risk-analysis report, which also notes that commercial code today is mostly open-source software. As early as 2020, cloud-native expert Aquasec reported about attacks on the Docker API, which cyber criminals used to cryptomine Docker images.

However, developers who rely on open-source components or come from the open-source community are not nearly as inattentive as such reports suggest. Unlike in proprietary products, for example, where only a company’s employees can keep an eye on the code, many people look at the managed source code in open-source projects. It is obvious that security vulnerabilities regularly come to light, as in the case of Log4j, Docker or NPM. Here, the open-source scene proves that it works well, not that its software is fundamentally (more) insecure.

Not Left Unprotected

A major problem, on the other hand – regardless of whether open source or proprietary software is used – is the lack of foresight in the update and patch strategy of some providers. This is the only reason why many devices are found with outdated, often vulnerable software versions, which can serve as a barn door for attackers. The Greenbone Enterprise Appliance, Greenbone’s professional product line, helps to find such gaps and close them.

In addition, complex security leaks like the ones described above in Log4j or UAParser.js are the exception rather than the rule. Most attacks are carried out using much simpler methods: Malware is regularly found in the ready-made images for Docker containers in Docker Hub, for example, which turns a database into the Bitcoin miner described above. Developers who integrate open-source components are by no means unprotected against these activities. Standards have long been in place to prevent attacks of the kind described, for example to obtain ready-made container images only directly from the manufacturer of a solution or, better still, to build them themselves using the CI/CD pipeline. On top of that, a healthy dose of mistrust is always a good thing for developers, for example when software comes from a source that is clearly not that of the manufacturer.

Supply-Chain Monitoring at Greenbone

Greenbone demonstrates that open-source software is not an incalculable risk in its own program with its products, the Greenbone Enterprise Appliances. The company has a set of guidelines that integrate the supply chain issue in software development into the entire development cycle. In addition to extensive functional tests, Greenbone subjects its products to automated tests with common security tools, for example. Anyone who buys from Greenbone is rightly relying on the strong combination of open-source transparency and the manufacturer’s meticulous quality assurance, an effort that not all open-source projects can generally afford.