We’ve just passed the one-year anniversary of the log4j vulnerability, when this time last year many of us spent the holidays navigating, patching and scratching our heads about what it's going to take to stop the next software security epidemic from striking. Today, log4j still lingers on, with 72% of organizations still vulnerable, according to Tenable. But in all, it's remarkable to look back on that dark place we found ourselves in a year ago, and on all the great work that’s been accomplished by so many in the open source community since.
One thing that’s become evident to everyone (that didn’t already know) is that software supply chain security isn’t unique to open source…but open source IS uniquely positioned to address it. Chainguard CEO Dan Lorenc recapped more thoughts on the ecosystem’s past year in open source software security on LinkedIn today – check it out!
As we get ready to kick off a new year, we asked our Chainguardians to look into their crystal balls to predict what 2023 will hold for software supply chain and open source software security.
SBOMs, more SBOMs and more accurate SBOMs
“SBOMs will dominate in the enterprise, but SLSA and Sigstore will dominate in the open source software communities. Open source is more motivated by concrete threats and mitigations rather than regulation. This will lead to a mismatch in priorities and friction as enterprises focus on SBOMs first.” – Dan Lorenc, CEO & Co-Founder
“Folks are going to start to figure out that not all SBOMs are created equal (bonus: with tooling!). SBOMs are all the rage, but there's been so much focus on HAVING an SBOM that folks aren't looking carefully enough at how well that SBOM reflects the actual contents of the image. So we will (hopefully) start to see more scrutiny of SBOM content (vs. presence) and (hopefully) tooling that helps to ~score SBOM accuracy and coverage.” – Matt Moore, CTO & Co-Founder
“Tooling will finally coalesce to allow doing useful things with SBOMs. Security vulnerability scanners such as Trivy are already gaining support for SPDX 2.3 SBOMs. Other tools such as license compliance tools will, like Trivy, shift away from doing SCA themselves, to consuming and aggregating SBOM data. SBOMs will then, finally, become a universal representation of the composition of software packages. The result will allow users with high quality SBOMs to perform all kinds of analysis on their software packages.” – Ariadne Conill, Principal Software Engineer
“In 2022, people will start looking inside of their SBOMs. As 2022 draws to a close, SBOMs are moving to a new phase. Legislation has driven the initial adoption effort and is now getting accelerated by procurement and compliance in the enterprise. As companies start looking into their bills of material from legal and technical optics, new questions are being asked about what is in them. I think we'll start seeing the rise of new tools to look into SBOMs and assure minimal quality levels of the data and how they describe software. Consumption tooling will also largely shape their contents as more and more people start to read the documents they get and problems parsing and finding data arise.” – Adolfo Garcia, Staff Software Engineer
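The kind of content check the three predictions above describe, as an added example that is not part of the original post or any Chainguard tool: it scores a constructed SPDX 2.3 document for per-package field completeness and for coverage against a constructed inventory of installed packages. The set of "required" fields is this example's own assumption, not an SPDX rule.

```python
import json

# Fields a package entry needs to be useful downstream: version for
# vulnerability matching, supplier for provenance, checksum for integrity.
# This list is this example's assumption, not an SPDX requirement.
REQUIRED_FIELDS = ("name", "versionInfo", "supplier", "checksums")

# Constructed sample SPDX 2.3 document: one complete package, one thin one.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-openssl", "name": "openssl",
         "versionInfo": "3.0.7-r0", "supplier": "Organization: Example",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
        {"SPDXID": "SPDXRef-zlib", "name": "zlib"},
    ],
})

# Constructed inventory of what is actually installed in the image (what a
# scanner would read from the package database at scan time).
INSTALLED = {"openssl", "zlib", "busybox"}


def score_sbom(sbom_json, installed):
    """Report how well the SBOM reflects the installed contents."""
    doc = json.loads(sbom_json)
    packages = doc.get("packages", [])
    # Completeness: per package, which useful fields are absent or empty.
    incomplete = {}
    for pkg in packages:
        missing = [f for f in REQUIRED_FIELDS if not pkg.get(f)]
        if missing:
            incomplete[pkg.get("name", pkg.get("SPDXID", "?"))] = missing
    # Coverage: installed packages the SBOM lists, omits, or lists spuriously.
    listed = {p["name"] for p in packages if "name" in p}
    coverage = len(listed & installed) / len(installed) if installed else 0.0
    return {
        "spdx_version": doc.get("spdxVersion"),
        "package_count": len(packages),
        "coverage": round(coverage, 2),
        "missing_from_sbom": sorted(installed - listed),
        "not_installed": sorted(listed - installed),
        "incomplete_packages": incomplete,
    }

if __name__ == "__main__":
    print(json.dumps(score_sbom(SAMPLE_SBOM, INSTALLED), indent=2))
```

On the sample, the report shows a package the SBOM never mentions (busybox) and one it lists with no version, supplier or checksum (zlib): an SBOM that exists but does not describe the image.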
Increasing adoption of software signatures and the great self-attestation debate
“Sigstore will kill off PGP with the fire of a thousand suns. Ok, probably a little optimistic on my part, but keyless signing, and widespread adoption of digital software signatures across projects like Kubernetes can only grow at this point. Especially since Sigstore is so easy, and PGP is hard.” – Jamon Camisso, Developer Experience Engineer
“The software industry will adopt self-attestations and they will be almost entirely worthless. U.S. federal government agencies will start to require software supply chain self-attestations to be produced in 2023. Many vendors will offer a service to create these documents. However, the contents will be so out-of-date or simplified as to not actually secure anything. Although there is hope that in 2024-2025, agency requirements and vendor products will evolve to make this process useful.” – Adam Dawson, Principal Product Manager
“We’ll see 40M entries in Sigstore’s Rekor, which is the project’s immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. Sigstore has seen exponential adoption since its general availability milestone in October 2022 and we will continue to see the project’s momentum in open source software drive enterprise adoption of Sigstore’s software signing capabilities.” – John Osborne, Software Security Architect
A movement to reduce security debt
“CVE Zero will be the new Inbox Zero. The same way inbox zero became popular to reduce the amount of time your brain is in your inbox, CVE Zero will be the new attitude to reduce the amount of time a developer wastes on CVEs. Those who defend leaving CVEs in code will have less to stand on as new tools (like Wolfi) make this easier and the industry moves to take action to get away from noisy security debt.” – Tracy Miranda, Head of Open Source
Software supply chain security awareness 2.0
“I think 2023 will be the great year of software supply chain security awareness. We’re going to continue to see the upward trend of supply chain attacks. Companies in the target zone will put their roadmaps together to limit their risks. I believe one of the top items in these roadmaps will be gaining awareness of the software running in their systems, and understanding where it came from. While software supply chain security has been the hype as of late, I think 2023 is when we're really going to start seeing companies put real effort into safeguarding themselves (and meeting new, impending regulations) and this will start by having awareness of what software they're running and the weaknesses along their supply chains.” – Kim Lewandowski, Head of Product & Co-Founder
OSS copyright risks and the rise of ChatGPT
“We will start seeing open source projects being accused of copyright infringement, generating a legal risk to all users of the software. ChatGPT and Copilot are being used to help write code. But these models were trained on existing code and in some cases will copy that code wholesale. Unless carefully vetted, this exposes users to potential copyright infringement claims.” – Adrian Mouat, Product Manager