Open source security supply chain maturing in 2023

Mondo Technology Updated on 2024-01-31

Open source security has always been important, but we used to pretend otherwise. We can no longer afford to be lazy.

Translated from "2023: The Year Open Source Security Supply Chain Grew Up" by Steven J. Vaughan-Nichols, also known as SJVN, who has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, and WordStar was the most advanced word processor. Open source security is now critical not only for developers, but also for governments and top companies.

Open source security has always been important. We just pretended we didn't care. We can no longer afford to be lazy. Now, the US Cybersecurity and Infrastructure Security Agency (CISA) has declared in its Open Source Software Security Roadmap that we must secure open source software. And it's not just at the national level. In the European Union (EU), the Cyber Resilience Act (CRA) will soon require software vendors to disclose software vulnerabilities within 24 hours and to guarantee at least five years of patch support. The latest version of the CRA eases the requirements for open source software somewhat. It states: "In order not to hinder innovation or research, free and open source software developed or made available outside of commercial activity shall not be subject to these Regulations." I'm not a lawyer, but I cover open source legal issues, and there is enough vague wording in it to worry open source developers.

Gabriele Columbro, who heads Linux Foundation Europe, worries that "in order to prevent liability, open source projects may be banned from the EU or issue a statement that they are not approved for use in the EU." So why are governments suddenly so worried about open source security? The reason is simple: they have finally realized how much software security matters to overall security.

Decades ago, Eric S. Raymond, one of the founders of the open source movement, famously formulated Linus's Law: "Given enough eyeballs, all bugs are shallow." Doesn't that make open source security sound warm and cozy? There is a corollary, though. For Linus's Law to work, you need expert eyes looking for the bugs, and you need hands to patch them. We don't do this well enough. That is a real problem because, as security firm Synopsys says in its 2023 Open Source Security and Risk Analysis Report, "open source is everywhere" and it is "the foundation of the vast majority of commercial codebases. In fact, it is so intertwined with modern development that owners are often unaware of the open source components in their software." Alas.

As Synopsys puts it, "The first step in securing the software supply chain is to manage the open source and third-party software in your applications. If you can't effectively manage and secure your open source and third-party software, any other efforts you make to secure your supply chain will be null and void, or, frankly, even irrelevant."

Synopsys is not wrong. This is where the open source software security community has been raising its game lately.

The rise of the Software Bill of Materials (SBOM), pronounced S-Bomb, provides the foundation needed to build the best security defenses. As defined in Joe Biden's executive order on improving the nation's cybersecurity, an SBOM is "the formal record that contains the details and supply chain relationships of the various components used to build the software." SBOM formats include the Software Package Data Exchange (SPDX), CycloneDX, GitHub's dependency submission format, and the Kubernetes Bill of Materials (KBOM) standard from the Kubernetes Security Operations Center (KSOC). However, an SBOM alone is not enough to protect the integrity of open source software artifacts. This is where Supply-chain Levels for Software Artifacts (SLSA) comes in. Specifically, SLSA 1.0 provides:

A common vocabulary for discussing the security of software supply chains.

A way to evaluate upstream dependencies by assessing the trustworthiness of the artifacts you use, such as source code, builds, and container images.

A checklist of actions you can take to improve the security of your own software.

A way to measure your progress toward compliance with the upcoming Secure Software Development Framework (SSDF) standard.

Brian Behlendorf, managing director of the OpenSSF, emphasized that SLSA gives organizations "the tools they need to protect their software." My simple description of SBOM and SLSA is that the SBOM is the recipe and SLSA is the cooking instructions for the program.

So, how do you know what is really going into these recipes? That's where Sigstore, an open source software signing service, comes in. With Sigstore, you can cryptographically sign release files, container images, and binaries. Once signed, the signature record is stored in a tamper-proof public log. This provides a more secure chain of custody for software artifacts, which can be traced back to their source and protected. To make Sigstore easier to use, Craig McLuckie, one of the co-founders of Kubernetes, co-founded a new company, Stacklok, which builds on top of Sigstore. It has two projects, Trusty and Minder. The former is a free service that provides a comprehensive assessment of a software package's dependency risk. The latter is a platform that lets library creators automate and enforce artifact signing and verification across multiple repositories.

The OpenSSF Security Insights Specification is another open source project recently added to the security toolbox. It gives maintainers a machine-readable way, using YAML, to publish information about their project's security processes. You don't need to rewrite or relocate existing policies and documents; they can be integrated directly into the specification.

While most of the major security improvements in 2023 were aimed at software supply chains, there were other significant developments. One is the rise of the Vulnerability Exploitability eXchange (VEX) and its open source implementation, OpenVEX. Companies such as Anchore, Chainguard, and Microsoft use it to record the status of software vulnerabilities. For example, with OpenVEX, instead of wasting time building spreadsheets to track vulnerabilities, you can record their status in VEX documents that open source vulnerability scanners then consume, easing vulnerability management and reducing the burden of false positives. But just because we have these tools doesn't mean we use them.

In its 2023 Software Supply Chain Security Survey, developer security firm Snyk found that, despite a record number of cyberattacks against open source, 40% of respondents still do not use critical supply chain security technologies. Of course, companies know there is a problem, but Snyk found that they were addressing supply chain security on an ad hoc basis. Only half of the companies have a formal supply chain security policy.
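The VEX workflow described above, in which a scanner's findings are checked against recorded vulnerability statuses, as an added example that is not part of the original article or of the OpenVEX project: a small Python triage routine reads an OpenVEX-style document and suppresses only those findings backed by a usable statement. The document, package URLs and CVE identifiers are constructed for illustration.

```python
"""Apply OpenVEX-style statements to scanner findings to drop known false positives."""
import json

# Constructed OpenVEX-style document: field names follow the OpenVEX spec, but the
# author, package URLs and CVE identifiers are made up and top-level metadata is trimmed.
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "Example Security Team (constructed)",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-1111"}, "status": "not_affected",
     "products": [{"@id": "pkg:golang/example.com/lib@1.2.3"}],
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-2222"}, "status": "not_affected",
     "products": [{"@id": "pkg:golang/example.com/lib@1.2.3"}]},
    {"vulnerability": {"name": "CVE-0000-3333"}, "status": "fixed",
     "products": [{"@id": "pkg:golang/example.com/lib@1.2.3"}]}
  ]
}""")

# Constructed scanner output: (package URL, CVE) pairs as a scanner might report them.
FINDINGS = [
    ("pkg:golang/example.com/lib@1.2.3", "CVE-0000-1111"),
    ("pkg:golang/example.com/lib@1.2.3", "CVE-0000-2222"),
    ("pkg:golang/example.com/lib@1.2.3", "CVE-0000-3333"),
    ("pkg:golang/example.com/other@0.9.0", "CVE-0000-1111"),
]

def index_statements(doc):
    """Map (package URL, CVE) -> status, skipping not_affected statements that give
    no justification or impact_statement: without one the suppression is unexplained."""
    table = {}
    for st in doc.get("statements", []):
        status = st.get("status")
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            continue
        for product in st.get("products", []):
            table[(product["@id"], st["vulnerability"]["name"])] = status
    return table

def triage(findings, doc):
    """Split findings into those closed by a VEX statement and those still open."""
    table = index_statements(doc)
    suppressed, still_open = [], []
    for purl, cve in findings:
        status = table.get((purl, cve))
        if status in ("not_affected", "fixed"):  # affected/under_investigation stay open
            suppressed.append((purl, cve, status))
        else:
            still_open.append((purl, cve, status or "no_vex_statement"))
    return suppressed, still_open
```

The second statement is deliberately incomplete, so its finding stays open; a VEX document should only be trusted when it comes from an author you trust, ideally signed, since it is an assertion rather than evidence.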

Our security mission for 2024 is clear. We have to adopt these software supply chain security tools and start using them as part of our toolchains.

Sounds simple, doesn't it? But it isn't.

One reason this is difficult is that we have nowhere near enough IT security staff. As the International Information System Security Certification Consortium (ISC2) recently noted, we are currently short 4 million cybersecurity professionals needed to support the global economy. What should companies that use open source software do? First, as Bobby Ford, chief security officer at Hewlett Packard Enterprise (HPE), observed: "People think of cybersecurity as a highly technical thing. Yes, some roles do require deep technical expertise, but cybersecurity is a huge field, and making an organization cyber resilient also requires generalist roles, which require a broader skill set."

Moreover, 95% of cybersecurity professionals believe that "more can be done to encourage more employees to join cybersecurity-related roles." You probably already have people in your company who are ready to help keep your software secure. At the same time, research shows that 70% of the cybersecurity workforce feel overworked, and 25% of cybersecurity leaders will change jobs because of job-related stress. In short, we need many more people than we have now. That means spending more time and energy on security education in the future.

It also means automating security as much as possible. By educating people and automating security, we can build on the progress we made in 2023 on security standardization and future-proof ourselves. Considering the risks, this isn't just a good idea, it's a necessity.
