Organizations hosting significant parts of the open source software supply chain continue to adopt security measures that give developers and maintainers more tools to harden their projects against attacks and malicious code commits.
On Monday, GitHub announced that the company — which owns and maintains the Node Package Manager (npm) service — had called for developers to comment on a plan to adopt sigstore, which simplifies the signing of code components produced by projects as well as linking them back to the source code. The sigstore project has made digitally signing source code easier because individual maintainers no longer have to manage their own cryptographic infrastructure.
The technology service allows software developers to confirm what code has been used to generate a particular software application or component, says Brian Behlendorf, general manager of Open Source Security Foundation (OpenSSF), which maintains sigstore with the Linux Foundation.
“The assembly of components into software platforms and applications — all of that has been done with the same kind of security we had on the Internet before TLS [Transport Layer Security], frankly,” he says. “We depended on a not necessarily misplaced but high degree of trust that the infrastructure just did things for us or that there were not bad actors out there.”
The proposal is the latest effort to make tools available to developers to secure the software supply chain. GitHub’s npm, the Python Package Index (PyPI), and others have already urged developers to adopt two-factor authentication (2FA) to secure their accounts to prevent a compromise through a simple credential-based attack. GitHub, for example, has already moved the top 500 most-popular npm projects to 2FA and plans to require the security technology for any project with more than a million downloads per week.
Adopting digital signing of software packages is another critical step. In March, software security firm Sonatype announced it had “every intent to adopt sigstore as part of the Maven Central platform.” Maven is the most popular source of Java software components and is maintained by Sonatype. PyPI has a specification called The Update Framework (TUF) that calls for digital signing of software packages, and the repository has a sigstore module under development.
The ability to attest that a program or executable came from a certain source code repository is an important step in securing the software supply chain, Justin Hutchings, director of project management for GitHub’s security features, wrote in the blog post.
“When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository,” Hutchings said. “Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys.”
GitHub acquired the Node Package Manager (npm) in 2020.
SBOMs and “Salsa”
The ability to sign code is fundamental to supply chain security. For example, a software bill of materials (SBOM) is a way to communicate to developers and security tools the components that make up a software project. Determining what software components and libraries are used in modern software projects is not always straightforward. Already, the US government has created requirements that any software sold to a federal agency needs to have an SBOM, but only a third of companies currently use SBOMs.
Another initiative, the Supply Chain Levels for Software Artifacts (SLSA), pronounced “salsa,” provides developers and application security managers with a road map for securing software projects and communicating the software provenance.
“You need to have integrity, and you need to understand the quality — SLSA is really around that integrity part,” says Kim Lewandowski, one of the original creators of SLSA and a co-founder at Chainguard, a software security firm. “A developer knows they’re getting this piece of software that is built around these dependencies and these are the [software] artifacts that went into it.”
Sigstore works because the technology makes signing code much easier for developers. OpenSSF’s Behlendorf likens the platform to the Let’s Encrypt service, which makes the keys for securing websites freely available and easy to deploy. Making any security technology easy to use is critical, he says.
“Greater security in open source software is going to come, not just by helping people write better code,” he says. “It is not just going to come from a lot of people finding zero-days, and getting those fixed and fixes pushed out. It is going to come from having tooling that will make having better security throughout the supply chain a ‘zero lift’ for developers. If they even have to have a feature flag turned on, that is too much.”