TechnologyGithub Moves to Guard Open Source Against Supply Chain...

Github Moves to Guard Open Source Against Supply Chain Attacks


Following the 2020 SolarWinds cyberespionage campaign, in which Russian hackers slipped tainted updates into a widely used IT management platform, a series of further software supply chain attacks continues to highlight the urgent need to lock down software chains of custody. And the issue is particularly pressing in open source, where projects are inherently decentralized and often ad hoc endeavors. After a series of worrying compromises to widely downloaded JavaScript software packages from the prominent “npm” registry, which is owned by GitHub, the company laid out a plan this week to offer expanded defenses for open source security.

GitHub, which itself is owned by Microsoft, announced on Monday that it plans to support code signing, a sort of digital wax seal, for npm software packages using the code-signing platform Sigstore. The tool grew out of cross-industry collaboration to make it much easier for open source maintainers to verify that the code they create is the same code that ends up in the software packages actually being downloaded by people worldwide.

“While most npm packages are open source, there’s currently no guarantee that a package on npm is built from the same source code that’s published,” says Justin Hutchings, GitHub’s director of product management. “Supply chain attacks are on the rise, and adding signed build information to open source packages that validates where the software came from and how it was built is a great way to reduce the attack surface.”

In other words, it’s all about creating a cryptographically verified and transparent game of telephone. 

Dan Lorenc, CEO of Chainguard, which co-develops Sigstore, emphasizes that while GitHub isn’t the only component of the open source ecosystem, it’s an absolutely crucial town square for the community because it’s where the vast majority of projects store and publish their source code. When developers actually want to download open source applications or tools, though, they typically go to a package manager 

“You don’t install source code directly, you usually install some compiled form of it, so something has happened in between the source code and the creation of the package. And up until now, that whole step has just been a black box in open source,” Lorenc explains. “You see the code and then go and download the package, but there’s nothing that proves that the package came from that code or the same person was involved, so that’s what GitHub is fixing.”

By offering Sigstore to package managers, there’s much more transparency at every stage of the software’s journey, and the Sigstore tools help developers manage cryptographic checks and requirements as software moves through the supply chain. Lorenc says that many people are shocked to hear that these integrity checks aren’t already in place and that so much of the open source ecosystem has been relying on blind trust for so long. In May 2021, the Biden White House issued an executive order that specifically addressed software supply chain security. 



Original Source Link

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest News

FIRST LOOK: VA Hampton Roads Community Based Outpatient Clinic

To meet the needs of one of the fastest-growing veteran populations in the country, the U.S. Department of...

Rachel Maddow Chillingly Exposes What Is At Stake In The Midterm

Rachel Maddow explained that election-denying Republicans want to stay in power without having to serve you and your...

NASA’s DART spacecraft just smashed into an asteroid — on purpose

Mission control rooms rarely celebrate crash landings. But the collision of NASA’s DART spacecraft with an asteroid was...

Hurricane Ian Threatens More Than 1 Million Homes Along The Florida Gulf

Slow-moving Hurricane Ian puts more than 1 million homes along the Florida Gulf Coast at risk of storm...

Photos Show Widespread Protests In Iran Over Kurdish Woman’s Death

The world is watching as Iran erupts into protests over the death of a 22-year-old Kurdish woman who...

Hannah Gadsby Has Signed A New Deal With Netflix To Hopefully Change The ‘Notoriously Transphobic Industry’

"In an effort to further open a door that I had to fight to get through myself, I...

Must Read

Top 5 Fastest-Growing Cities in Wisconsin

When you think of Wisconsin, you may think...

Hurricane Ian Blows Back NASA’s Artemis Launch

NASA’s team leading the Artemis program of lunar...
- Advertisement -

You might also likeRELATED
Recommended to you