According to the RSA Conference organizers one of the most intriguing topics of discussion observed in this year's RSA Call for Submissions Trends Report was on open source software security. This comes as no surprise to me given all the attention open source has received over the past year from events like log4j to legislation in the form of the Open Source Software Act.
In recent years, open source software (OSS) has become a vital component of modern software development, powering everything from mobile apps to enterprise applications. However, it has also become a prime target for cybercriminals seeking to exploit vulnerabilities in OSS components. In response, the OSS community has been focusing on improving supply chain security to prevent such attacks.
Last year's log4j exploit, which affected millions of systems worldwide, highlighted the need for increased regulatory oversight of the OSS ecosystem. In response, organizations and open-source projects have been implementing measures to improve security and build trust in the software supply chain.
I think what’s really become evident to everyone (that didn’t already know) is that software supply chain security isn’t unique to open source…but open source IS uniquely positioned to address it.
Several significant events have taken place in the OSS security space in recent weeks, demonstrating the growing recognition of the need to address vulnerabilities in the software supply chain.
NPM and Sigstore Beta
NPM, the world's largest package repository for Node.js, recently added support for package provenance in its publishing process as part of its new program on supply chain security. This feature allows users to trace the origins of binary packages they use back to trusted build systems that build them from source, enabling greater transparency and trust in the software supply chain. This new feature builds on Sigstore, an open-source initiative launched last year by the Linux Foundation to provide cryptographic signing and verification for software artifacts. Other notable projects, including Kubernetes and Python, have also adopted Sigstore to enhance their security.
PyPI and OIDC
Another significant development is the addition of support for trusted publishers in PyPI, the package repository for the Python programming language. This feature allows maintainers to use OpenID Connect (OIDC) credentials to publish to PyPI instead of long-lived credentials, reducing the risk of stolen credentials.
OIDC is an authentication protocol that was developed in 2014 as an extension to the OAuth 2.0 framework. It was designed to provide a standardized authentication layer for web applications, mobile apps, and APIs, simplifying the process of securely verifying a user's identity. Recently, the adoption of OIDC has surged in the development community, as projects are finally realizing the need to move away from bearer tokens and long-lived credentials.
PyPI’s adoption of the OIDC protocol makes it easier for maintainers to publish packages securely and reduces the risk of stolen credentials, giving end-users increased trust in the software artifacts they download from PyPI.
SLSA 1.0 and CNCF Projects
The OpenSSF (Open Source Security Foundation) recently announced the 1.0 release of the SLSA (Supply Chain Levels for Software Artifacts) specification, providing a framework for trusted build systems that underpin all software development today. This framework aims to promote transparency and trust in the software supply chain, enabling users to verify the provenance and integrity of software artifacts. Moreover, this same week, the CNCF (Cloud Native Computing Foundation) announced successful SLSA assessments for some of their largest projects, including Prometheus and Argo. The CNCF is home to some of the most critical projects in cloud computing today, and this new program helps maintainers secure not just the project code itself but also how it’s delivered to end-users, thus boosting the trustworthiness of these projects.
Together, these developments represent a significant step forward in enhancing the security and reliability of the OSS ecosystem. They demonstrate a growing commitment to supply chain security and a recognition of the need to address vulnerabilities in the software supply chain. As regulatory oversight increases, it is likely that we will see more initiatives aimed at improving OSS security, which can only be a positive development for the industry as a whole.
The recent events in the OSS security space illustrate a growing trend towards securing the software supply chain. These initiatives demonstrate the OSS community's commitment to building trust in software components and addressing vulnerabilities that cybercriminals could exploit. By implementing these measures, the OSS ecosystem can become more resilient and secure, ensuring that open source software remains a vital and trusted component of modern software development.
If you are attending the infamous RSA Conference this week, I encourage you to attend Mike Hanley’s session on Wednesday April 26 “Securing the World’s Open Source Software, Together”. Mike will examine the state of open source security and why more must be done, collectively, to secure the world’s open source software together.