Python Foundation warns EU Cyber Resilience Act will sink Open Source
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the newest headlines from around the world, curated by the team at ReversingLabs. This week: Python Foundation rings alarm on proposed EU Cyber Resilience Act. Also: Hijacking Arch Linux packages with GitHub repo-jacking.
This Week’s Top Story
The Python Software Foundation last week added its voice to a growing chorus of influential open source groups and developers concerned about language in the proposed EU Cyber Resilience Act (CRA). In a statement on its website, the Foundation said on April 11 that it had reviewed the proposed Cyber Resilience Act and Product Liability Act, and found issues that “put the mission of our organization and the health of the open-source software community at risk.”
The CRA is part of an EU-wide effort to raise the bar on the cybersecurity of software used by businesses and consumers, so-called “products with digital elements.” However, open source organizations and publishers are worried that the draft regulations don’t adequately protect them from cumbersome requirements and lump not-for-profit free software providers in with for-profit software makers.
“We’re concerned that some of the current proposed policy language doesn’t make things clear enough for an ecosystem like Python’s,” the Foundation wrote. For example, under the current CRA language, the Python Foundation could be held financially liable for any product that includes Python code, even though the Foundation never received any monetary gain from the use of it by a third party. “The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public,” the Foundation said.
The Python Foundation’s criticisms echo those of The Eclipse Foundation, another major open source publisher, the Open Source Initiative (OSI), The Linux Foundation and others. The groups complain that the draft rules fail to appreciate the decentralized nature of software development, and apply a security model more appropriate to an ecosystem with a small number of large, for-profit organizations making software. If implemented as written, the groups warn, the CRA could wreck a thriving open source community while failing to make software more secure.
“The security of languages like Python depends on the continued availability of a neutral, non-commercial entity that can act as a clearinghouse for new software, improvements, and bug fixes that can be shared freely by the entire software community,” the Foundation wrote. “Leaving individual and/or under-resourced developers in a legally murky position when contributing to public repositories like the Python Package Index would almost certainly create a chilling effect for them…The user improvements and shared security benefits of global software collaboration would only be accessible to those developers working on behalf of a few large companies. Growth and innovation would be stifled.”
News Roundup
Here are the stories we’re paying attention to…
In 2022, Google announced its Assured Open Source Software (Assured OSS) service, which regularly scans and analyzes some of the world’s most popular software libraries for vulnerabilities as a way to prevent supply chain attacks. Now the company is launching Assured OSS into general availability with support for well over a thousand Java and Python packages. Even better: the company says the service will be available for free. (TechCrunch)
Researcher Joren Vrancken wrote last week about the problem of malicious actors hijacking vulnerable Arch User Repository (AUR) packages by "repo jacking": that is, re-registering or otherwise claiming expired domains and then posting malicious content in the place of formerly clean open source modules. GitHub, which hosts more AUR packages than any other platform, is distinctly vulnerable to repo-jacking in scenarios where a GitHub user changes their username or deletes their account. The platform "helpfully redirects renamed usernames," Vrancken observes. "Packages will not notice or be notified when the owner of an upstream repository changes their name, leaving them vulnerable." That leaves it up to the package maintainers (and users) to regularly verify the upstream repositories. At the same time, GitHub users are often not aware of all the downstream packages and references pointing to their repositories. This inherent disconnect leaves many AUR packages vulnerable to hijacking. (nietaanraken.nl)
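One way a maintainer can perform the upstream verification the article calls for, as an added example (not code from the article or from Vrancken's research): parse the GitHub URLs out of a PKGBUILD's source=() array, compare each declared owner/repo with the name the upstream currently reports (the GitHub repository API returns the post-redirect `full_name`; here a constructed dictionary stands in for that call), and flag git sources that track a mutable ref instead of a pinned commit. The PKGBUILD fragment, repository names and commit hash are all constructed sample data.

```python
import re
import shlex

# Constructed PKGBUILD fragment used as sample input (not from the article).
SAMPLE_PKGBUILD = '''
pkgname=example-tool
pkgver=1.4.0
source=("$pkgname-$pkgver.tar.gz::https://github.com/olduser/example-tool/archive/v$pkgver.tar.gz"
        "git+https://github.com/pinned-dev/helper-lib.git#commit=0123456789abcdef0123456789abcdef01234567"
        "git+https://github.com/somedev/plugin.git")
'''

# Constructed stand-in for the GitHub repository API: declared owner/repo -> the "full_name"
# the API reports after following a rename redirect (a live check would GET /repos/{owner}/{repo}).
CURRENT_FULL_NAME = {
    "olduser/example-tool": "newuser/example-tool",  # owner renamed; the old name is free to claim
    "pinned-dev/helper-lib": "pinned-dev/helper-lib",
    "somedev/plugin": "somedev/plugin",
}

GITHUB_URL = re.compile(r"https://github\.com/([\w.-]+)/([\w.-]+?)(?:\.git)?(?=[/#\s]|$)")


def github_sources(pkgbuild: str) -> list[tuple[str, str, bool]]:
    """Return (owner, repo, pinned) for each GitHub URL in source=(); tarballs count as pinned."""
    m = re.search(r"source=\((.*?)\)", pkgbuild, re.S)
    if not m:
        return []
    found = []
    for entry in shlex.split(m.group(1)):
        url_match = GITHUB_URL.search(entry)
        if not url_match:
            continue
        is_git = entry.startswith("git+") or "::git+" in entry
        # Release tarballs are covered by the PKGBUILD checksums; git sources need a 40-hex commit.
        pinned = (not is_git) or bool(re.search(r"#commit=[0-9a-f]{40}$", entry))
        found.append((url_match.group(1), url_match.group(2), pinned))
    return found


def repojack_findings(pkgbuild: str, current_full_name) -> list[str]:
    """Flag upstreams whose owner was renamed (old name redirected, claimable) and unpinned git refs."""
    findings = []
    for owner, repo, pinned in github_sources(pkgbuild):
        declared = f"{owner}/{repo}"
        actual = current_full_name(declared)
        if actual is None:
            findings.append(f"{declared}: upstream repository not found")
        elif actual != declared:
            findings.append(f"{declared}: upstream now reports {actual}; old name is redirected and re-registrable")
        if not pinned:
            findings.append(f"{declared}: git source tracks a mutable ref (no #commit=)")
    return findings
```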
Code security provider GitGuardian has added a new honeytoken module to its platform to help customers secure their software development life cycle and software supply chains with intrusion and code leakage detection. “Our honeytokens look just like any other secret to attackers, tempting them to exploit them for further lateral movement inside the victim’s organization,” Soujanya Ain, a product marketing manager at GitGuardian, told TechCrunch. “Rather than allowing access to a customer’s actual resources, they act as tripwires that reveal information about the attacker.” (CSO Online)
SPDX is a standardized format for expressing SBOM data developed transparently over more than 10 years in an open source, multistakeholder community. SPDX is the only recognized international open standard (ISO/IEC 5962:2021) and defines the structure and format of an SPDX document, including the particular fields and data values to enable the interchange of software metadata in a format that is both machine-readable and human-readable. To help software distributors create an SBOM that complies with NTIA requirements, SPDX contributor Steve Winslow has written a technical HOWTO on how SPDX 2.x supports the NTIA minimum elements for an SBOM. It provides several examples of creating an SPDX SBOM that complies with NTIA requirements using different methods. (The New Stack)
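The NTIA minimum elements map onto specific SPDX 2.x fields (author and timestamp to creationInfo, supplier/name/version to the package, unique identifiers to externalRefs, dependency relationships to relationships), and a distributor can check a document for them mechanically. The following is an added example (not from the article or the SPDX HOWTO) that runs that check over a constructed SPDX 2.3 JSON document in which one dependency is deliberately incomplete; the package names, purl and timestamp are constructed sample data.

```python
import json
from datetime import datetime

# Constructed SPDX 2.3 JSON document used as sample input (not from the article).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-sbom",
    "creationInfo": {"created": "2023-04-17T10:00:00Z",
                     "creators": ["Organization: Example Corp", "Tool: example-sbom-tool-1.0"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.2.0",
         "supplier": "Organization: Example Corp",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-app@1.2.0"}]},
        # Deliberately incomplete dependency: no supplier, no purl/CPE, no relationship.
        {"name": "requests", "SPDXID": "SPDXRef-requests", "versionInfo": "2.28.2"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    ],
})

# NTIA element -> SPDX 2.x field: author -> creationInfo.creators, timestamp -> creationInfo.created,
# supplier/name/version -> package fields, unique IDs -> externalRefs, dependencies -> relationships.
def ntia_findings(sbom_json: str) -> list[str]:
    """Return the NTIA minimum-element gaps found in an SPDX 2.x JSON document."""
    doc = json.loads(sbom_json)
    findings = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        findings.append("document: creationInfo.creators is empty (author of SBOM data)")
    try:
        datetime.strptime(info.get("created", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        findings.append("document: creationInfo.created missing or not an SPDX timestamp")
    in_relationship = set()
    for rel in doc.get("relationships", []):
        in_relationship.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        for field, element in (("name", "component name"), ("versionInfo", "version")):
            if not pkg.get(field):
                findings.append(f"{pid}: missing {field} ({element})")
        if pkg.get("supplier", "NOASSERTION") == "NOASSERTION":
            findings.append(f"{pid}: supplier missing or NOASSERTION")
        ids = [r for r in pkg.get("externalRefs", []) if r.get("referenceType") in ("purl", "cpe23Type")]
        if not ids:
            findings.append(f"{pid}: no purl/CPE externalRef (other unique identifiers)")
        if pid not in in_relationship:
            findings.append(f"{pid}: not referenced by any relationship (dependency relationship)")
    return findings
```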
Lineaje Data Labs analyzed 41,989 open-source components embedded in the top 44 popular projects of the Apache Software Foundation across its last three versions. The analysis revealed that 68% of dependencies are on non-Apache Software Foundation open-source projects. These dependencies make even the Apache Software Foundation’s integrity and inherent risk only as strong as the weakest component it embeds. With direct dependencies accounting for only 10%, the remaining 90% are transitive dependencies, which are not easily visible to developers selecting these packages. This creates an opaque and deep software supply chain invisible to developers. (VentureBeat)
In such a vulnerable, uncertain, and heavily regulated environment, there is now a critical requirement for proper API security that can discover, monitor, and predict vulnerabilities while fixing them before they spread through a network. This comprehensive and dedicated API security needs to "shift left" and start life from the beginning of the software development lifecycle, but "lean right," emphasizing active and real-time protection. (BetaNews)
All the players in the supply chain, including procurement and enterprise risk management teams, must communicate and coordinate their efforts effectively. Often, this does not happen. Technology such as advanced analytics is needed to identify potential supply chain failure points. But technology alone cannot avert risk. Third parties need to work together to assess risk and put risk management control measures in place so that organizations can avoid costly disruptions. (Security Boulevard)
Resource Round up
April 19th Webinar: Why Traditional App Sec Tools Fail At Software Supply Chain Security
Eighty-plus percent of surveyed companies believe traditional SAST, DAST, and SCA technologies don't fully protect them from software supply chain threats. This session discusses the reasons these analyses alone cannot provide effective risk management and breach response.
[Register]
In the latest episode, Matt Rose, Field CISO, ReversingLabs, quantifies the various use cases surrounding software supply chain security (SSCS): Home-grown apps, third-party risk management (TPRM), mergers and acquisitions, and cybersecurity insurance.
[Watch Now]
On Demand: Deconstructing 3CX - Red Flags, Misses and How to Address the Software Supply Chain Threat
ReversingLabs Co-Founder/Chief Software Architect Tomislav Pericin and Field CISO Matt Rose delve into the details of the explosive software supply chain attack experienced by 3CX, a provider of enterprise voice over IP (VoIP) solutions. Beginning on March 22, 2023, it was discovered that 3CX had released and distributed malware-compromised versions of its 3CXDesktopApp desktop VoIP client directly to customers.
[Watch Now]