At its swampUP event, JFrog today launched Project Pyrsia, an open-source project that uses a blockchain platform together with Sigstore Cosign and Notary v2 cryptographic signature software to secure software packages. In addition to JFrog, contributors to the project include Docker, Inc., DeployHub, Futurewei, and Oracle.
Stephen Chin, vice president of developer relations for JFrog, said Project Pyrsia will allow organizations to establish a chain of provenance for open source software components stored in a secure network of repositories.
Indeed, Project Pyrsia uses decentralized Web3 technologies to secure the open source supply chain, Chin noted. Validating the integrity of software components against records kept on a blockchain platform is intended to ensure that any component a developer pulls in has not been tampered with since it was published, he added.
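The provenance check the article describes, reduced to its essentials as an added example (this is not Pyrsia's own code, and the ledger here is an in-memory hash chain standing in for a blockchain): a publisher signs the SHA-256 digest of an artifact with an Ed25519 key, the record is appended to a chained ledger, and a consumer verifies the bytes, the signature and the chain before using the package. The helper names (NewKeyPair, Ledger, Publish, VerifyArtifact) and the package example-lib are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one provenance record: who published which artifact, plus a
// link to the previous record so the ledger is tamper-evident.
type Entry struct {
	Name    string
	Version string
	Digest  []byte            // sha256 of the artifact bytes
	PubKey  ed25519.PublicKey // publisher's signing key
	Sig     []byte            // signature over Name|Version|Digest
	Prev    []byte            // hash of the previous entry (nil for the first)
}

// Ledger is an append-only, hash-chained list (stand-in for the blockchain).
type Ledger struct{ Entries []Entry }

// signedMessage is the exact byte string the publisher signs; binding name
// and version stops a valid signature being replayed on a different package.
func signedMessage(name, version string, digest []byte) []byte {
	return []byte(name + "\x00" + version + "\x00" + hex.EncodeToString(digest))
}

// entryHash commits to every field, including Prev, so editing any earlier
// record breaks every later link.
func entryHash(e Entry) []byte {
	h := sha256.New()
	h.Write(signedMessage(e.Name, e.Version, e.Digest))
	h.Write(e.PubKey)
	h.Write(e.Sig)
	h.Write(e.Prev)
	return h.Sum(nil)
}

// NewKeyPair generates an Ed25519 publisher key (hypothetical helper).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish hashes the artifact, signs it and appends a chained record.
func (l *Ledger) Publish(name, version string, artifact []byte, priv ed25519.PrivateKey) Entry {
	sum := sha256.Sum256(artifact)
	e := Entry{Name: name, Version: version, Digest: sum[:], PubKey: priv.Public().(ed25519.PublicKey)}
	e.Sig = ed25519.Sign(priv, signedMessage(name, version, e.Digest))
	if n := len(l.Entries); n > 0 {
		e.Prev = entryHash(l.Entries[n-1])
	}
	l.Entries = append(l.Entries, e)
	return e
}

// VerifyChain checks that every record still links to its predecessor.
func (l *Ledger) VerifyChain() error {
	for i := 1; i < len(l.Entries); i++ {
		if !bytes.Equal(l.Entries[i].Prev, entryHash(l.Entries[i-1])) {
			return fmt.Errorf("ledger broken at entry %d", i)
		}
	}
	return nil
}

// VerifyArtifact is what a consumer runs before using a downloaded package:
// the bytes must match a record signed by a key the consumer already trusts,
// and the ledger itself must be intact.
func (l *Ledger) VerifyArtifact(name, version string, artifact []byte, trusted ed25519.PublicKey) error {
	if err := l.VerifyChain(); err != nil {
		return err
	}
	sum := sha256.Sum256(artifact)
	for _, e := range l.Entries {
		if e.Name != name || e.Version != version {
			continue
		}
		if !bytes.Equal(e.Digest, sum[:]) {
			return errors.New("artifact bytes do not match the recorded digest")
		}
		if !bytes.Equal(e.PubKey, trusted) {
			return errors.New("record was not signed by the trusted publisher key")
		}
		if !ed25519.Verify(e.PubKey, signedMessage(name, version, e.Digest), e.Sig) {
			return errors.New("signature over the provenance record is invalid")
		}
		return nil
	}
	return errors.New("no provenance record for this package version")
}

func main() {
	pub, priv := NewKeyPair()
	var l Ledger
	pkg := []byte("constructed package contents v1.0.0") // constructed sample
	l.Publish("example-lib", "1.0.0", pkg, priv)
	fmt.Println("genuine:", l.VerifyArtifact("example-lib", "1.0.0", pkg, pub))
	fmt.Println("tampered:", l.VerifyArtifact("example-lib", "1.0.0", append([]byte("x"), pkg...), pub))
	l.Publish("example-lib", "1.0.1", []byte("v1.0.1"), priv)
	l.Entries[0].Digest[0] ^= 0xff // someone rewrites an old ledger record
	fmt.Println("ledger edited:", l.VerifyChain())
}
```

The consumer-side check trusts a publisher key it already holds rather than whatever key is attached to the record; without that step a record signed by any key would pass, which is the gap a chain of provenance is meant to close.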
Ultimately, the goal is to contribute the Pyrsia project to the Open Source Security Foundation (OpenSSF), a branch of the Linux Foundation that, as a consortium, seeks to coordinate efforts to better secure open source software. JFrog's own research efforts identified more than 20 different open source software supply chain attacks, including two involving zero-day threats for which no software fix was immediately available. Cybercriminals target open source projects because any malware they insert will later appear in a number of downstream applications; their ultimate goal is to activate that malware at a time of their choosing.
Securing open source software has become a more pressing issue following the discovery last year of the Log4Shell zero-day vulnerability that impacted Java applications. Many developers routinely reuse open source software, but many of these projects are maintained by a small number of programmers who voluntarily devote their time and effort to creating components that others are free to use. Like any other developers, these maintainers have limited security expertise; the responsibility for ensuring that the software is secure rests with the organizations that decide to deploy it. The problem is that many developers assume the software is more secure than it actually is. Initiatives like Project Pyrsia are part of a greater effort to make it easier for maintainers to secure open source software.
It's unclear whether security concerns are causing organizations to review the amount of open source software they consume. Most organizations are more dependent on open source software than they realize, because most packaged applications include open source components. Each time a zero-day vulnerability is discovered, companies can spend months tracking down every instance of an open source component that might be vulnerable.
In theory, an increased focus on open source software should lead to greater adoption of DevSecOps best practices that reduce the number of vulnerabilities in production environments. In the meantime, a closer examination of open source software components is needed, given that they are used by almost every organization.