Software Supply Chain Chalks Up a Security Win With New Crypto Effort

Published: 23/11/2024   Category: security



GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.



Organizations hosting significant parts of the open source software supply chain continue to adopt security measures that give developers and maintainers more tools to harden their projects against attacks and malicious code commits.
On Monday, GitHub announced that the company — which owns and maintains the Node Package Manager (npm) service — had called for developers to comment on a plan to adopt sigstore, which simplifies the signing of code components produced by projects as well as linking them back to the source code. The sigstore project has made digitally signing source code easier because individual maintainers no longer have to manage their own cryptographic infrastructure.
The technology service allows software developers to confirm what code has been used to generate a particular software application or component, says Brian Behlendorf, general manager of Open Source Security Foundation (OpenSSF), which maintains sigstore with the Linux Foundation.
"The assembly of components into software platforms and applications — all of that has been done with the same kind of security we had on the Internet before TLS [Transport Layer Security], frankly," he says. "We depended on a not necessarily misplaced but high degree of trust that the infrastructure just did things for us or that there were not bad actors out there."
The proposal is the latest effort to make tools available to developers to secure the software supply chain. GitHub's npm, the Python Package Index (PyPI), and others have already urged developers to adopt two-factor authentication (2FA) to secure their accounts to prevent a compromise through a simple credential-based attack. GitHub, for example, has already moved the top 500 most-popular npm projects to 2FA and plans to require the security technology for any project with more than a million downloads per week.
Adopting digital signing of software packages is another critical step. In March, software security firm Sonatype announced it had every intent to adopt sigstore as part of the Maven Central platform. Maven is the most popular source of Java software components and is maintained by Sonatype. PyPI has a specification called The Update Framework (TUF) that calls for digital signing of software packages, and the repository has a sigstore module under development.
The ability to attest that a program or executable came from a certain source code repository is an important step in securing the software supply chain, Justin Hutchings, director of project management for GitHub's security features, wrote in the blog post.
"When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository," Hutchings said. Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys.
GitHub acquired the Node Package Manager (npm) in 2020.
The ability to sign code is fundamental to supply chain security. For example, a software bill of materials (SBOM) is a way to communicate to developers and security tools the components that make up a software project. Determining what software components and libraries are used in modern software projects is not always straightforward. Already, the US government has created requirements that any software sold to a federal agency needs to have an SBOM, but only a third of companies currently use SBOMs.
Another initiative, the Supply Chain Levels for Software Artifacts (SLSA), pronounced "salsa," provides developers and application security managers with a road map for securing software projects and communicating the software provenance.
"You need to have integrity, and you need to understand the quality — SLSA is really around that integrity part," says Kim Lewandowski, one of the original creators of SLSA and a co-founder at Chainguard, a software security firm. "A developer knows they're getting this piece of software that is built around these dependencies and these are the [software] artifacts that went into it."
Sigstore works because the technology makes signing code much easier for developers. OpenSSF's Behlendorf likens the platform to the Let's Encrypt service, which makes the keys for securing websites freely available and easy to deploy. Making any security technology easy to use is critical, he says.
"Greater security in open source software is going to come, not just by helping people write better code," he says. "It is not just going to come from a lot of people finding zero-days, and getting those fixed and fixes pushed out. It is going to come from having tooling that will make having better security throughout the supply chain a zero lift for developers. If they even have to have a feature flag turned on, that is too much."
