source security, such as securing critical projects, identifying security threats in open source projects, and supply chain integrity. These working groups soon bore fruit in the form of key projects. The Alpha Omega project partners with open source project maintainers to systematically find and fix undiscovered vulnerabilities in open source code, while also supporting better open source security standards and practices. Recently, Alpha Omega committed $300,000 to bolster the Node.js security team and its vulnerability remediation efforts through the end of 2022.
Sigstore, another OpenSSF project, has seen rapid adoption across the open source ecosystem as a standard way for developers and maintainers to sign and verify software without having to manage long-lived signing keys. Modeled on the success of Let’s Encrypt, the project aims to improve the open source software supply chain by making cryptographic signing easy to adopt and by recording signatures and signing certificates in a public transparency log, so that they can be audited after the fact. Originally developed within Red Hat, sigstore was later donated to OpenSSF so that its public services could be run on a vendor-neutral basis. Today, sigstore has been adopted by open source communities such as Kubernetes and is being evaluated by GitHub to protect the NPM ecosystem, the JavaScript package manager on which billions of websites rely.
Open source projects like Alpha Omega and sigstore show the progress being made to improve security with open source software, but more work remains. To protect themselves from cyberattacks and data loss, many software vendors, academic institutions, and public organizations struggle to keep up with changing security and compliance requirements and risk management processes. Security teams are challenged with integrating and automating technologies and products, addressing skills and talent gaps, and keeping up with rapidly changing threats, all with limited time and resources. As a result, many organizations are incorporating open source security practices and tools, such as artifact chains of custody, software composition analysis (SCA), and a standard software bill of materials (SBOM), into their security playbooks.
The United States Department of Commerce’s National Institute of Standards and Technology (NIST) describes a chain of custody as a record that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose of each transfer. Applied to software, the same idea means recording who produced, built, signed, and handed off each artifact along the way. Maintaining such a chain is essential in open source projects in particular, because they are inherently decentralized and an artifact may pass through many hands before it reaches a consumer.
SCA identifies the open source components contained in a codebase in order to assess their security, licensing, and code quality. The process was automated after manually tracking open source license limitations and obligations became too laborious and time consuming; manual tracking also left components, and by extension their vulnerabilities, overlooked. Implementing SCA allows developers and security teams to improve productivity without sacrificing security.
A standard SBOM provides an inventory of a piece of software’s components together with their provenance and point of origin, and allows any party in the software supply chain to gain insight into the risk presented by the software it depends on: known vulnerabilities in the listed components, the integrity of their contents (for example, by checking the hashes recorded in the SBOM against the delivered artifacts), and non-repudiation of the author or source of the software. Once these component parts are orchestrated and the industry aligns on tool sets and formats, we will have far greater insight into the software supply chain.
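To make the two SBOM uses above concrete (integrity of contents and matching listed components against known vulnerabilities, which is also the core of the SCA step described earlier), here is an added example that is not code from the original article or from any OpenSSF project. It builds a minimal CycloneDX-style SBOM from constructed artifact bytes, checks the recorded SHA-256 hashes against what was actually delivered, and matches each component’s package URL (purl) against a constructed advisory feed. The package names, artifact contents, and advisory identifiers (`EXAMPLE-2022-…`) are all hypothetical.

```python
"""Minimal SBOM integrity and known-vulnerability check (added example).

The SBOM, the artifact bytes and the advisory feed below are all constructed
for this example; the package names and advisory identifiers are hypothetical.
"""
import hashlib
import json

# Constructed artifact contents keyed by package URL (purl); not real packages.
ARTIFACTS = {
    "pkg:npm/acme-leftpad@1.3.0": b"module.exports = (s, n) => s.padStart(n);\n",
    "pkg:npm/acme-parser@1.2.5": b"module.exports = (argv) => Object.assign({}, argv);\n",
    "pkg:pypi/acme-http@2.27.1": b"__version__ = '2.27.1'\n",
}

# Constructed advisory feed with hypothetical identifiers. A component is
# affected when introduced <= version < fixed (fixed=None means not yet fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "pkg:npm/acme-parser",
     "introduced": "1.0.0", "fixed": "1.2.6"},
    {"id": "EXAMPLE-2022-0002", "package": "pkg:pypi/acme-http",
     "introduced": "2.28.0", "fixed": None},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_purl(purl: str):
    """Split 'pkg:type/name@version' into (package, version).

    rpartition is used because scoped npm names ('pkg:npm/%40scope/name@1.0.0')
    carry an encoded '@' before the version separator.
    """
    package, sep, version = purl.rpartition("@")
    if not sep:
        raise ValueError(f"purl without version: {purl}")
    return package, version


def build_sbom(artifacts: dict) -> dict:
    """Produce a minimal CycloneDX-style SBOM as a dict from artifact bytes.

    Only the fields this example needs are emitted; a real SBOM also carries
    metadata, licenses, the dependency graph, and so on.
    """
    components = []
    for purl, data in artifacts.items():
        package, version = split_purl(purl)
        components.append({
            "type": "library",
            "name": package.split("/", 1)[1],
            "version": version,
            "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}


def verify_integrity(sbom: dict, artifacts: dict) -> list:
    """Return purls whose SHA-256 in the SBOM does not match the delivered
    bytes, or which are missing from the delivery entirely."""
    mismatched = []
    for comp in sbom["components"]:
        expected = {h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256"}
        data = artifacts.get(comp["purl"])
        if data is None or sha256_hex(data) not in expected:
            mismatched.append(comp["purl"])
    return mismatched


def parse_version(v: str) -> tuple:
    # Plain dotted-integer versions only; real SCA tools need semver/PEP 440 logic.
    return tuple(int(part) for part in v.split("."))


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Return (purl, advisory id) pairs for components inside an affected range."""
    hits = []
    for comp in sbom["components"]:
        package, version = split_purl(comp["purl"])
        v = parse_version(version)
        for adv in advisories:
            if adv["package"] != package:
                continue
            if v < parse_version(adv["introduced"]):
                continue
            if adv["fixed"] is not None and v >= parse_version(adv["fixed"]):
                continue
            hits.append((comp["purl"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(ARTIFACTS)
    print(json.dumps(sbom, indent=2))
    print("integrity mismatches:", verify_integrity(sbom, ARTIFACTS))
    # Simulate a tampered delivery: one artifact no longer matches the SBOM.
    tampered = dict(ARTIFACTS)
    tampered["pkg:npm/acme-leftpad@1.3.0"] = b"module.exports = () => fetch('https://example.invalid');\n"
    print("after tampering:", verify_integrity(sbom, tampered))
    print("known vulnerabilities:", find_vulnerable(sbom, ADVISORIES))
```

The hash check only proves that the delivered bytes match what the SBOM claims; it says nothing about who produced the SBOM. The non-repudiation property mentioned above needs a signature over the SBOM itself (this is where a tool such as sigstore fits) and is not covered by this example.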
While the open source software ecosystem has grown substantially, the evolution of threats to the integrity of the software supply chain only compounds the importance of nurturing open source projects and communities dedicated to mitigating security risks. Industry leaders must continue to play active roles in these communities, whether as contributors, developers, project leads, or users, to accelerate new solutions to current and future threats.