The Linux Foundation’s effort to improve software supply chain security standards got an infusion of funding this week from major IT vendors and other corporations, as the tech industry remains mired in a cybersecurity crisis.
The Open Source Security Foundation (OpenSSF) was founded a year ago within the Linux Foundation to host working groups dedicated to software supply chain security. This week, it announced it had raised $10 million in annual funding commitments led by Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk and VMware.
“As software developers, we tend to assume that we’re building on a set of known good developer tools,” Brian Behlendorf, who was appointed the OpenSSF’s general manager this week, said in a KubeCon press conference. “There’s all sorts of things we take for granted, which has led to [the software supply chain] becoming the new vector of attack for major compromises.”
Discussions within OpenSSF in the year since its founding have included the development of technical software security specs, such as the SPDX software bill of materials ISO standard, and supply chain security evaluation rubrics, such as Supply-chain Levels for Software Artifacts. A GitHub app, called Allstar, that enforces security policies within code repositories also resulted from OpenSSF’s efforts. The group created three developer training courses on secure software development fundamentals and a security certification program for open source projects called the Core Infrastructure Initiative Best Practices badge.
Other initiatives within OpenSSF include standards for scanning open source project code for malicious components, a repository of detailed security review records for open source software, a security scorecard system to indicate to users whether open source dependencies are safe to use and a guide to coordinated security vulnerability disclosure for open source projects. Newer initiatives include a digital identity attestation working group and plans to aid in the development of a Linux Foundation software attestation project called Sigstore.
“Officially, Sigstore is part of the Linux Foundation as a standalone project, [but] we are heavily affiliated with the OpenSSF, and a lot of discussions about the project happen there,” said Dan Lorenc, a founding contributor to Sigstore and CEO of software supply chain security startup Chainguard Inc., in an interview. “The initial design discussions and brainstorming for Sigstore happened in the OpenSSF’s Digital Identity Attestation Working Group, and the Sigstore founding team is also on the OpenSSF Technical Advisory Council.”
OpenSSF raises hopes, but follow-through is crucial
Software supply chain security has made headlines since the SolarWinds attack targeting major technology companies and government agencies was revealed in late 2020. But, despite raised awareness of the threat in the industry, attacks and compromises have continued; OpenSSF officials cited a 2021 report from security software vendor Sonatype that found software supply chain attacks had increased by 650% in the last year.
The SolarWinds attack and other breaches — such as the Colonial Pipeline hack in May — prompted President Joe Biden to issue an executive order directing federal and private sector entities to strengthen cybersecurity. Since then, major tech companies, including Google, Microsoft and Amazon, have announced their own cybersecurity initiatives; Google pledged to pour $10 billion into security efforts, and Microsoft, $20 billion.
OpenSSF’s $10 million in funding pales in comparison, but KubeCon attendees and presenters said open source efforts are crucial to making cybersecurity efforts accessible.
“Security needs to be made an essential part of everyone’s tech experience, but companies are out to monetize it, leaving a lot of folks vulnerable,” said Larry Carvalho, an independent cloud computing consultant, in an interview. “If this gets all companies participating and includes government agencies, we can finally get ahead of the security problems. … Making this a community effort can have far-reaching implications.”
It’s especially important for software security supply chain problems to be addressed by the open source community since open source software is so widely used, KubeCon attendees said. Small, single-maintainer projects that are easily compromised often make their way into larger, more popular packages as dependencies. Open source projects also currently lack mechanisms to prove that they and their dependencies are free of security vulnerabilities and malicious code.
“This is really scary because there’s nothing in the process of the software supply chain that [shows up as] ‘wrong’ per se, like you coming in and taking over a small library and adding it to a production project,” said Harrison Katz, senior software engineer at website building and e-commerce company Squarespace, in an interview. “The problem is, suddenly you become malicious and maybe this new dependency makes it all the way upstream to really large packages that are [popular].”
Industry consortia such as OpenSSF can sometimes amount to more of a marketing campaign than an effective technical initiative, Katz acknowledged. But there have also been examples of open source, public-good community efforts that have effectively improved cybersecurity, such as OpenSSL, a software library now used to secure network communications by a majority of websites.
“There’s [incentive] for open source companies and projects to say for themselves, ‘Hey, you can trust our supply chain. This is how we audit it. Here are the guidelines we’re following. Here’s how you can check that we’re following them yourself,’” Katz said. “Even if you know that you can trust just the top five [most popular projects] and the dependencies underneath them, that’s a competitive advantage for those projects and the companies behind them.”