One of the great virtues of open source software – that anyone can contribute – is also one of its greatest weaknesses.
The problem is that the supply-chain-like process by which projects with many contributors come together rests largely on the belief that no one will introduce malicious code or backdoors to sabotage a project.
As open source has increasingly found its way into business and enterprise applications, however, some people see that trust as a vulnerability. Kim Lewandowski and Dan Lorenc of the open source security team at Google LLC recently noted that installing most open source software today “is like picking up a random USB drive from the sidewalk and plugging it into your machine.”
Software supply chain attacks are increasingly frequent and sophisticated. The European Union Cyber Security Agency expects the number of supply chain attacks to quadruple this year. A 2020 GitHub Inc. study reported that the average software project now has over 200 open source dependencies.
SolarWinds Worldwide LLC’s massive breach last year was essentially an attack on the software supply chain. In 2018, AO Kaspersky Lab said it had discovered a new type of spyware that infects smartphones and that was distributed through landing pages designed to mimic mobile operator websites. Late last year, researchers discovered an attack originating from “trojanized” software updates to a SolarWinds monitoring application. And last spring, cybersecurity firm Rapid7 Inc. said it had suffered a supply chain breach resulting from its use of software from an auditing company.
“The problem with supply chains is that no two are alike and there is no trust around who gets what from whom,” said Luke Hinds, head of security engineering at Red Hat Inc.
Hinds and a team of developers from Red Hat, Google, the Linux Foundation and Purdue University recently teamed up on an open source solution. Sigstore, which is organized under the wing of the Linux Foundation, is an automated approach to digitally signing and verifying software components so that their origin and authenticity can be checked. It’s free, open, and nearly impossible to sabotage, the developers say.
“In many ways this was the right project at the right time,” said Hinds. “We started as soon as a lot of high profile attacks happened.”
The project combines several open source technologies, such as the Fulcio root CA, Cosign for signing and verifying software containers and Rekor for secure and transparent supply chain management, into a single resource that handles digital signatures, verification and provenance checks. The goal is to verify the origins of software so that developers can adopt open source components more safely. Sigstore provides free signing certificates without the need to manage keys, a responsibility many developers are reluctant to take on for fear that the keys will be lost.
“People know the keys improve their posture, but it creates a lot of responsibility,” said Hinds. “What happens if the developer is hit by a bus?”
The Sigstore code will not be encrypted, Hinds said, “but when it is packaged it will be signed, so when you receive this package it will be associated with an identity. You have the confidence to establish that it is inviolable.”
The security scheme uses OpenID Connect, a simple identity layer on top of the widely used OAuth protocol that many website operators use to enable secure logins through third-party-verified credentials.
Transparency above all
“All we ask is your email address,” said Hinds. “We ask the vendor for the identity and issue you a challenge that fixes a key pair to an identity. We also use a transparency log, which is similar to a blockchain ledger in that it can be audited but not changed.” Lost keys are not a problem because “we got this snapshot on time,” he said.
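The flow Hinds describes, an ephemeral key pair bound to an identity by a root CA plus an append-only log that can be audited but not changed, can be modelled end to end. The Go below is an added illustration written for this article, not Sigstore's own code: it assumes a single Ed25519 key standing in for the Fulcio root CA, a hash-chained slice standing in for the Rekor log, and an e-mail string standing in for the OpenID Connect identity (the OIDC challenge itself is left out).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// LogEntry is one record of an append-only transparency log. CASig is the root CA's signature over
// (Identity, PubKey), i.e. the short-lived cert; Hash chains the entry to its predecessor via PrevHash.
type LogEntry struct {
	Identity                           string
	PubKey                             ed25519.PublicKey
	CASig, Digest, Sig, PrevHash, Hash []byte
}
func certBytes(identity string, pub ed25519.PublicKey) []byte { return append([]byte(identity+"\n"), pub...) }
func entryHash(e LogEntry) []byte {
	h := sha256.Sum256(bytes.Join([][]byte{e.PrevHash, e.Digest, certBytes(e.Identity, e.PubKey), e.CASig, e.Sig}, nil))
	return h[:]
}

// Sign models keyless signing: ephemeral key, identity-bound cert, signature, log entry.
// The private key is dropped on return, so there is no long-lived key for a developer to lose.
func Sign(caPriv ed25519.PrivateKey, identity string, artifact []byte, entries []LogEntry) []LogEntry {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := sha256.Sum256(artifact)
	e := LogEntry{Identity: identity, PubKey: pub, Digest: d[:], Sig: ed25519.Sign(priv, d[:])}
	e.CASig = ed25519.Sign(caPriv, certBytes(identity, pub))
	if n := len(entries); n > 0 {
		e.PrevHash = entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	return append(entries, e)
}

// Verify rejects a log whose hash chain is broken (an altered entry, or one cut from the middle), then
// needs an entry for this artifact under the expected identity, with a CA-issued cert and a valid signature.
func Verify(caPub ed25519.PublicKey, entries []LogEntry, artifact []byte, identity string) bool {
	d, prev, ok := sha256.Sum256(artifact), []byte(nil), false
	for _, e := range entries {
		if !bytes.Equal(e.PrevHash, prev) || !bytes.Equal(entryHash(e), e.Hash) {
			return false
		}
		prev = e.Hash
		ok = ok || bytes.Equal(e.Digest, d[:]) && e.Identity == identity &&
			ed25519.Verify(caPub, certBytes(e.Identity, e.PubKey), e.CASig) && ed25519.Verify(e.PubKey, d[:], e.Sig)
	}
	return ok
}
```

A consumer only needs the CA's public key and the log to check who signed a package; a rogue CA, a forged identity, or an edited log entry all fail verification.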
The development process has been transparent. Sigstore has its own root CA, which was created on a live stream with participants from industry and academia who gathered keys to create a master file, “like Ghostbusters traversing streams,” Hinds said. “We launched an open-air certification authority with live questions and answers to verify authenticity.”
While Sigstore can be used to digitally sign any asset, Hinds said, “I don’t think we’re going to put a lot of crypto companies out of business. We are going more for the open source community.” The service is currently in public beta testing, and the developers hope to launch a mature version with full guarantees by the end of the year.