GitHub takes steps to protect open source software from supply chain attacks
GitHub plans to use code-signing platform Sigstore to protect its open-source registry, which was hit by a cyberattack earlier this year.

GitHub, owned by Microsoft, has set out a new strategy to strengthen the security of open source projects in the wake of recent supply chain attacks.

GitHub shared plans at a White House summit in January to up its game in the open source software security space. It came after security vulnerabilities such as the Log4Shell flaw raised concerns.

Now, the code repository plans to sign its npm software packages using the Sigstore platform. Sigstore is a collaborative project of the Linux Foundation and the Open Source Security Foundation that aims to improve the integrity and verification of the software supply chain.

Code signing adds a digital signature to software so that users can check that the code has not been tampered with since it was signed. GitHub said it helps bind packages to their source repository, giving consumers confidence in their security.

GitHub Director of Product Management Justin Hutchings said the process would help generate “attestations of where, when, and how the package was created.” He added that Sigstore is easier to use and more secure than previous methods because it doesn’t require developers to manage “long-lived cryptographic keys.”

“Securing the software supply chain is one of the biggest security challenges facing our industry today,” Hutchings said in a blog post. “This proposal is an important next step, but to truly solve this challenge will require commitment and investment across the community.”

GitHub announced a number of changes in recent months to improve npm’s security, adding two-factor authentication, simplified login, and “enhanced artifact signing” to protect its open source ecosystem.

But in April, GitHub said an attacker misused stolen OAuth user tokens to upload data from dozens of organizations to its site, including its npm registry.

Tzachi Zorenshtain, head of software supply chain at open source company Checkmarx, said code signing is a “great move” to close the gap an attacker could use to abuse the open source ecosystem.

“We know that attackers will continue to explore the weakest link in the chain, and it is vitally important to raise the bar and respond to their attacks as quickly as possible,” Zorenshtain said.
