Attackers are increasingly targeting software supply chains (the processes, repositories, and toolchains used for developing and delivering software). The European Union Agency for Cybersecurity, ENISA, estimated in “Threat Landscape for Supply Chain Attacks” that there would be four times as many software supply chain attacks in 2021 as compared to 2020. The report states that, due to “…more robust security protection that [many] organizations have put in place [today], attackers successfully shifted towards suppliers.”
Governments around the world have noted and responded to this growing risk to the software supply chain. In May 2021, the US released an Executive Order on Improving the Nation’s Cybersecurity to enhance software supply chain security, including providing software purchasers with a Software Bill of Materials (SBOM). Similar efforts are underway around the world.
In 2021, our communities rose to the challenge of providing tools and best practices for the security hardening of the global software supply chain. Our efforts included launching the Open Source Security Foundation (OpenSSF) as a funded project, expanding Let’s Encrypt (the world’s largest certificate authority), ensuring the ISO standardization of SPDX as the SBOM standard, directing funds to identify and fix vulnerabilities in critical open source software, and building new training curricula to improve secure coding practices.
Community Highlight: OpenSSF
The Open Source Security Foundation (OpenSSF) was elevated to a funded project at the LF in October 2021. The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) through a broader community, targeted initiatives, and best practices. The OpenSSF premier members include: 1Password, AWS, Cisco, Citi, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, Huawei, Intel, IBM, JP Morgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware.
The OpenSSF began many initiatives in 2021, including:
- Security Scorecard: automatically assesses many security-related heuristics to help estimate project security
- Allstar: an automated tool to enforce some security policies
- Security Reviews: collects security reviews of OSS
- Security Metrics Dashboard: provides easy access to security metrics/info about OSS projects
- OSS Vulnerability Guide: a guide to coordinated vulnerability disclosure for open source software projects
- Open Source Vulnerability (OSV) Schema
- Supply-Chain Levels for Software Artifacts (SLSA): security framework for software security and supply chain integrity
- Package Feeds / Package Analysis: analyzes uploaded packages to identify potentially malicious ones
The OpenSSF also continued to refine its existing work, including its free courses on how to develop secure software (over 4,000 registrants combined) and the CII Best Practices Badge Program (over 4,000 participating projects and over 600 passing projects).
Shepherding Software Standards
The Linux Foundation strongly supports efforts to build and drive the adoption of open source standards and infrastructure. These efforts include:
- SPDX — an international standard for representing the metadata for SBOMs (ISO/IEC 5962)
- OpenChain — a standardized process management approach to identify inbound, internal, and outbound open source software. It is primarily designed for compliance and has clear secondary use cases in security (ISO/IEC 5230)
- Compliance tooling from the Automating Compliance Tooling (ACT) projects (including OSS Review Toolkit, FOSSology, and Tern) and the OpenChain reference workflow, which are being extended to cover new use cases.
- Training on software transparency topics, including “Generating an SBOM”
We are thankful for all the participants in the SPDX community. Special thanks go to Gary O’Neall for his work developing the SPDX tooling; this work made it easier for developers across the ecosystem to adopt SPDX in their workflows. Special thanks also go to Steve Winslow and Jilayne Lovejoy for their tireless efforts in maintaining the SPDX License List over the past ten years. The SPDX standard continues to evolve thanks to the tireless efforts of many talented developers, including Alexios Zavras, William Bartholomew, Thomas Steenbergen, and Nisha Kumar.
Kate Stewart, VP of Dependable Systems, The Linux Foundation
Establishing Projects and Conferences to Improve Security
In addition to the projects listed earlier, the LF funds various projects to improve open source security. Some notables among them include:
- sigstore — development work on this technology suite to enable developers to sign software artifacts securely. Signing materials are stored in a tamper-resistant public log. (The project is managed by Google, Red Hat, and Purdue University)
- Alpine Linux — vulnerability processing for this security-oriented, lightweight Linux distribution.
- Alpine Linux, Arch Linux — reproducible builds for these two Linux distributions.
- OpenSSH, RPKI — development of infrastructure “plumbing”
- Clang, Linux kernel — compiling the Linux kernel with Clang and fixing the warnings found during compilation
- Linux kernel — security audits of signing/key management policies and of vulnerability reporting modules
The LF also fostered discussion of and responses to supply chain attacks online and in virtual venues, including the Building Cybersecurity into the Software Supply Chain Town Hall and SupplyChainSecurityCon.
Community Highlight: Internet Security Research Group
Let’s Encrypt provides the digital infrastructure for a more secure and privacy-respecting Internet. It operates the world’s largest certificate authority, securing traffic for more than 250 million websites.
In late 2020, ISRG launched Prossimo, a project whose goal is to move the Internet’s security-sensitive software infrastructure to memory-safe code. Many of the most critical software vulnerabilities are memory safety issues in C and C++ code. While deploying fuzzing, static analysis, and code reviews can catch vulnerabilities, such mitigations do not eliminate all risks. Moreover, these security mitigation tactics consume considerable resources on an ongoing basis. In contrast, using memory-safe languages eliminates the entire class of issues. This year, Prossimo worked with Linux kernel, cURL, and Apache maintainers to introduce new memory-safe code to these critical, widely used pieces of software.
ISRG’s latest effort, Prio, operates a privacy-preserving metrics service. Prio enables the collection of aggregate statistics, such as application metrics, while respecting user privacy. Apple and Google’s COVID-19 Exposure Notification Express app uses this service. ISRG Prio has processed over two billion metrics and is helping operators optimize the user experience based on aggregate, privacy-respecting telemetry metrics.
These standardization efforts are made possible by the OpenSSF, the SPDX and OpenChain projects, and the ISRG.
To learn more about and get involved with OpenSSF, click here
To learn more about and get involved with the ISRG, click here
To learn more about the SPDX SBOM standard, click here
To learn more about the OpenChain standard, click here