2022: The Year of Open Source Security Progress
With the 1-year anniversary of Log4j upon us, it’s pretty remarkable to look back on the dark place we found ourselves in a year ago, and on all the great work that’s been accomplished by so many in the open source community since.
I think what’s really become evident to everyone (who didn’t already know) is that software supply chain security isn’t unique to open source, but open source IS uniquely positioned to address it.
Last week at Open Source Summit Japan, I enjoyed connecting with our community and celebrating the wins we’ve seen in open source security over the past year. So I wanted to share some of the highlights from my talk, “From Log4shell to OpenSSL: Reflections on a year of OSS Security”:
Standards and Legislation — In 2022 there was a huge push in the U.S. and around the globe to better address the security of open source. The White House held several meetings, the new Securing Open Source Software Act was introduced in the Senate, and open source and supply chain security showed up as key issues across all kinds of legislative and regulatory efforts. Looking back (at Heartbleed, for example), this isn’t a new problem, but it’s unusual, and great, to have the government this focused on trying to fix it. And while it's not perfect yet and much is up for debate about how legislation and regulation are shaped in this space, the one thing that’s for sure is that open source is here to stay, so let’s make it stronger together.
Resourcing and Tooling — There was a huge amount of work done, by the Linux Foundation in particular, to introduce new resources and developer tooling. Examples include SPDX being accepted as a formal ISO standard and the push to SPDX 3.0. Major projects started to use SPDX: Kubernetes, for example, now ships SPDX SBOMs for all the code in official K8s releases, and that was an undertaking. Establishing the OpenSSF is a big win for the industry; it already has over 100 members and has raised tens of millions of dollars to build out more tooling, frameworks and standards, and to direct resourcing to critical projects that need funding and help. The CNCF Technical Advisory Group for Security launched a working group dedicated to supply chain and open source security, and published a whitepaper and key reference architectures this year. The Continuous Delivery Foundation is working on a supply chain security maturity model, separate from a reference architecture, focused on helping developers figure out where they are in the journey and what immediate steps they need to take.
The Rise of Sigstore as a De Facto Signature Method for Software Artifacts — On the infrastructure side, we’ve seen projects like Sigstore declare general availability earlier this year and onboard dozens of critical projects, with the majority of major language ecosystems, including Ruby, Python, Node and Java, committing to use its technologies, making it one of the fastest adopted open source security projects in history. Sigstore has made signing, verifying and protecting software much more developer-friendly, and has become the free “wax seal” of authenticity that is so critical in the bedrock of software supply chain security, a layer that must exist for SBOMs to jump from theory to practice.
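To make the “sign, publish, verify” idea concrete, here is an added Go example (not Sigstore’s code or record format, and not from the original post) that models the two pieces the paragraph leans on: a signature over an artifact’s digest, and an append-only, hash-chained log of who signed what. The key pair, the log structure and the artifact bytes are constructed for the example; Sigstore itself uses short-lived keys tied to an OIDC identity and a Merkle-tree log, which this toy chain only approximates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is a simplified transparency-log record (constructed for this example,
// not Sigstore's format): the artifact digest, the signer's public key, the
// signature over the digest, and a hash linking this entry to the previous one.
type Entry struct {
	ArtifactDigest string            // hex SHA-256 of the artifact bytes
	PublicKey      ed25519.PublicKey // key that produced Signature
	Signature      []byte            // ed25519 signature over ArtifactDigest
	PrevHash       string            // EntryHash of the previous entry, "" for the first
	EntryHash      string            // hash over this entry's fields, including PrevHash
}

// Log is an append-only list of entries; each entry commits to its predecessor.
type Log struct{ Entries []Entry }

func digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

func hashEntry(e Entry) string {
	h := sha256.New()
	h.Write([]byte(e.ArtifactDigest))
	h.Write(e.PublicKey)
	h.Write(e.Signature)
	h.Write([]byte(e.PrevHash))
	return hex.EncodeToString(h.Sum(nil))
}

// Sign signs the artifact's digest and appends the record to the log,
// chaining it to whatever entry came before.
func (l *Log) Sign(priv ed25519.PrivateKey, artifact []byte) Entry {
	d := digest(artifact)
	e := Entry{
		ArtifactDigest: d,
		PublicKey:      priv.Public().(ed25519.PublicKey),
		Signature:      ed25519.Sign(priv, []byte(d)),
	}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].EntryHash
	}
	e.EntryHash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// VerifyArtifact is what a consumer runs: the bytes in hand must match the
// recorded digest, the signer must be a key we trust, and the signature must
// verify for that digest.
func VerifyArtifact(e Entry, artifact []byte, trusted ed25519.PublicKey) bool {
	if e.ArtifactDigest != digest(artifact) {
		return false
	}
	if !trusted.Equal(e.PublicKey) {
		return false
	}
	return ed25519.Verify(e.PublicKey, []byte(e.ArtifactDigest), e.Signature)
}

// VerifyChain recomputes every entry hash and checks the PrevHash links, so an
// entry that was edited or dropped after publication is detected.
func (l *Log) VerifyChain() bool {
	prev := ""
	for _, e := range l.Entries {
		if e.PrevHash != prev || hashEntry(e) != e.EntryHash {
			return false
		}
		prev = e.EntryHash
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	release := []byte("constructed release tarball contents")
	var tlog Log
	e := tlog.Sign(priv, release)
	fmt.Println("genuine artifact verifies:", VerifyArtifact(e, release, pub))
	fmt.Println("tampered artifact verifies:", VerifyArtifact(e, []byte("tampered"), pub))
	fmt.Println("log chain intact:", tlog.VerifyChain())
}
```

The point of the chain check is the same one the transparency log serves in practice: a signature alone proves who signed, but a public, tamper-evident record of every signing event is what lets anyone notice a signature that should not exist.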
The Push for MFA — In 2022 we saw a surge of support for other technologies that help secure the supply chain by default and remove entire classes of attacks, particularly phishing and credential theft, by using multifactor authentication and hardware tokens and requiring them for maintainers of critical projects. We saw most package registries start to require MFA this year, driven by a bunch of work within the OpenSSF. npm, PyPI and GitHub now require MFA for contributing and uploading packages, and MFA adoption overall is snowballing to the point of being common practice across most developer use cases.
Memory Safe Languages — 2022 also saw a push toward memory safe languages. Government organizations like the NSA, ODNI and CISA are now encouraging the use of memory safe programming languages for all new technology. The Internet Security Research Group (ISRG) has an initiative called Prossimo to help fund rewrites and incremental infrastructure improvements. That culminated earlier this year in the Linux kernel merging upstream support for Rust, removing a class of vulnerabilities that accounts for the majority of Linux exploits.
What’s This All Add Up to?
No doubt, we’ve still got a lot of work to do with open source security in 2023 and beyond.
One key area where I believe we’ll see a lot of progress is the gray area between SBOMs in theory and what it takes for developers to use them in practice. We all seem to agree that SBOMs are still aspirational, but now that we have a bedrock of software signing with Sigstore, and that new layer of metadata shared in the public transparency log, I think we’re going to see real-world SBOM reference architectures mature dramatically, so hold on to your hats.
Another area that still needs work is rethinking the CVE and vulnerability industry’s approach. The CVE model still fails to acknowledge open source, or even source code; it only refers to CVEs in products, which makes them hard to track. If there’s a critical vulnerability in an open source library, it’s a crazy graph relationship that’s going to show up in tons of products. CVE has got it backwards, and that desperately needs to be addressed by the security industry.
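The “crazy graph relationship” is exactly what SBOMs make tractable: if every product publishes its dependency relationships, the question “which products contain the vulnerable library?” becomes a reverse-dependency walk. The following added Go example (not from the original post, and not SPDX tooling) builds that reverse graph from constructed, SPDX-style DEPENDS_ON relationships and answers the question for a given package; product and library names are made up for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Relationship is a miniature of the SPDX "A DEPENDS_ON B" relationship:
// a package and the packages it depends on directly. Constructed data, not a
// real SBOM.
type Relationship struct {
	Package   string
	DependsOn []string
}

// ReverseGraph maps a package to the packages that depend on it, which is the
// direction a vulnerability question is asked in: "what contains X?"
type ReverseGraph map[string][]string

// BuildReverseGraph inverts the DEPENDS_ON edges from a set of SBOM relationships.
func BuildReverseGraph(rels []Relationship) ReverseGraph {
	g := ReverseGraph{}
	for _, r := range rels {
		for _, dep := range r.DependsOn {
			g[dep] = append(g[dep], r.Package)
		}
	}
	return g
}

// AffectedProducts does a breadth-first walk up the reverse edges from the
// vulnerable package and returns every shipped product that transitively
// contains it, sorted for stable output. Cycles are handled by the seen set.
func AffectedProducts(g ReverseGraph, vulnerable string, products map[string]bool) []string {
	seen := map[string]bool{vulnerable: true}
	queue := []string{vulnerable}
	var hit []string
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if products[cur] {
			hit = append(hit, cur)
		}
		for _, parent := range g[cur] {
			if !seen[parent] {
				seen[parent] = true
				queue = append(queue, parent)
			}
		}
	}
	sort.Strings(hit)
	return hit
}

// Constructed SBOM fragments for three products and their shared libraries.
var sampleSBOMs = []Relationship{
	{Package: "product-a", DependsOn: []string{"web-framework", "logging-lib"}},
	{Package: "product-b", DependsOn: []string{"web-framework"}},
	{Package: "product-c", DependsOn: []string{"json-lib"}},
	{Package: "web-framework", DependsOn: []string{"logging-lib", "json-lib"}},
	{Package: "logging-lib", DependsOn: []string{"string-utils"}},
}

// The roots that actually ship to customers; only these are reported.
var sampleProducts = map[string]bool{"product-a": true, "product-b": true, "product-c": true}

func main() {
	g := BuildReverseGraph(sampleSBOMs)
	fmt.Println("logging-lib affects:", AffectedProducts(g, "logging-lib", sampleProducts))
	fmt.Println("json-lib affects:", AffectedProducts(g, "json-lib", sampleProducts))
	fmt.Println("string-utils affects:", AffectedProducts(g, "string-utils", sampleProducts))
}
```

Note that string-utils is two hops away from any product, yet the walk still finds product-a and product-b; that transitive reach is why a library-level advisory fans out to so many product-level CVEs, and why the library, not the product, is the natural place to record it.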
We’re all very familiar with this meme that describes the dearth of support that critical open source infrastructures receive:
When we apply the meme to the software supply chain security progress made in 2022, I think what it really boils down to is that the world’s 20 million+ developers are finally getting the toolchain they need to help make software, particularly open source software, which makes up 98% of the world’s software, secure by default. Tens of millions of developers armed with built-in methods for creating signatures and provenance for software artifacts is a big deal, applied to a software supply chain security problem that only a year ago was still a new concept to many.
2022 has been a wild ride, and it’s been great fun working with so many parts of the private and public sectors, specific OSS projects and maintainers, and so many other groups that are passionate about making these advances in software supply chain security.
Open source has become the foundation of how we build software, and it can be found in nearly every application used today. This isn’t the early 2000s anymore, and the Microsoft-style anti-OSS FUD is gone. Open source is our digital future. We no longer need to debate its merits; instead we should look ahead, recognize the unique benefits open source provides, and use them to improve the security of our digital society.
What did I miss? I’d love to hear any other progress you would point to in open source security in 2022, and apologies in advance for anything I forgot to mention. And if you’re curious about where we may be headed in 2023, the Chainguard team shared some fun predictions on our blog today.
Kubestronaut Securing the Software Supply Chain
1 year ago
What do you think about the current tooling in the CI space? I don’t include CD in that because of things like FluxCD etc. that tend to handle that pretty well. But I’ve always thought the tools that build the artifacts that we ship tend to be a little short when it comes to the secure supply chain part. I’m a big fan of Tekton, especially the Chains component (and they’ve really got the event-based stuff down), but I really can’t see any other tool rivalling what it offers right now (the Chains part, unless I’m unaware of another Tekton Chains-like tool that’s also open source out there), and what makes it slightly harder to adopt is the fact that you could somewhat argue it’s not developer friendly in that it’s not got a nice, easy-to-learn DSL. Welcome your thoughts. :)
OSS developers of the world, unite!