Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google
Introduction
Hello, I'm Brandon, and I work on the Google Open Source Security Team. One of our crucial responsibilities involves securing open source software, and a significant aspect of this is supply chain security. This article will delve into the importance of software supply chain security, the current state of the industry, the progress made, and future directions.
Industry Trends and Initiatives
Software supply chain security breaches are on the rise, and the industry has responded with various efforts, working groups, and organizations prioritizing this issue. At the recent CloudNativeSecurityCon there was an unprecedented number of submissions on supply chain security, demonstrating the community's commitment.
Key Projects and Efforts
Numerous projects have been launched to tackle different facets of the supply chain security problem:
Foundations of Trust:
- Signing: Sigstore and TUF (The Update Framework) help keep signing simple and open.
- Zero trust: SPIFFE, SPIRE, and Keylime integrate with the ecosystem.
Software Metadata Standards:
- SLSA (Supply-chain Levels for Software Artifacts): working on its 1.0 release.
- SBOM (Software Bill of Materials): standards like SPDX and CycloneDX are gaining traction.
Tools and Standards:
- VEX (Vulnerability Exploitability eXchange) helps consumers assess whether a known vulnerability actually affects a given product.
- Build systems: Tekton and OpenSSF's FRSCA aid in creating trusted artifacts.
Secure Software Factory Initiative
CNCF's TAG Security has undertaken efforts to create a Secure Software Factory, providing a reference architecture that shows how these components can be put together to produce trusted software and attestations.
From Production to Consumption
While producing secure software is crucial, consuming and making sense of the supply chain metadata is equally vital. Currently, we face challenges in effectively evaluating and utilizing the metadata generated. Questions like "What to do with an SBOM?" and "How many levels deep should we check?" remain largely unanswered.
Challenges and Solutions
Aggregation and Synthesis:
- Combining metadata from many sources and linking it intelligently so that it can be queried as a whole.
- Example projects: GUAC (Graph for Understanding Artifact Composition), deps.dev, and Repology.
Policy and Insight:
- Defining actionable policies, covering reactive, preventive, and proactive measures.
- TAG Security's initiative to define what constitutes a secure software supply chain.
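The consumption problem described above (what to do with an SBOM, how to link it to vulnerability data, VEX statements and provenance, and how to turn that into a reactive or preventive policy) is easier to see in code. The following is an added illustration, not code from the keynote, from GUAC, or from any of the projects named; the SBOM, vulnerability feed, VEX statements, provenance levels and advisory identifiers are all constructed sample data with placeholder IDs, and the graph is a deliberately tiny stand-in for what GUAC or deps.dev provide at scale.

```python
"""Consuming supply-chain metadata: link an SBOM, a vulnerability feed,
VEX statements and build provenance into one graph, then answer policy
questions over it. All inputs are constructed samples for illustration."""
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM for an application "shop-api" (sample data).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "shop-api", "version": "2.3.0",
                             "purl": "pkg:oci/shop-api@2.3.0"}},
  "components": [
    {"name": "libwidget", "version": "1.4.2", "purl": "pkg:pypi/libwidget@1.4.2"},
    {"name": "fastjson-ish", "version": "0.9.0", "purl": "pkg:pypi/fastjson-ish@0.9.0"},
    {"name": "tlsutil", "version": "3.1.0", "purl": "pkg:pypi/tlsutil@3.1.0"}
  ],
  "dependencies": [
    {"ref": "pkg:oci/shop-api@2.3.0",
     "dependsOn": ["pkg:pypi/libwidget@1.4.2", "pkg:pypi/tlsutil@3.1.0"]},
    {"ref": "pkg:pypi/libwidget@1.4.2", "dependsOn": ["pkg:pypi/fastjson-ish@0.9.0"]}
  ]
}
"""

# Constructed vulnerability feed: advisory id -> affected purl (placeholder ids, not real CVEs).
VULN_FEED = {
    "ADV-PLACEHOLDER-0001": "pkg:pypi/fastjson-ish@0.9.0",
    "ADV-PLACEHOLDER-0002": "pkg:pypi/tlsutil@3.1.0",
}

# Constructed VEX statements from the producer: the tlsutil finding is not reachable here.
VEX = {
    ("pkg:oci/shop-api@2.3.0", "ADV-PLACEHOLDER-0002"): "not_affected",
}

# Constructed build-provenance summary: purl -> SLSA level attested for that build.
PROVENANCE = {
    "pkg:oci/shop-api@2.3.0": 3,
    "pkg:pypi/libwidget@1.4.2": 2,
    "pkg:pypi/tlsutil@3.1.0": 3,
    # fastjson-ish has no provenance at all
}


def build_graph(sbom_json):
    """Aggregate the SBOM into adjacency lists keyed by purl (a tiny GUAC-like graph)."""
    sbom = json.loads(sbom_json)
    edges = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        edges[dep["ref"]].extend(dep.get("dependsOn", []))
    root = sbom["metadata"]["component"]["purl"]
    return root, edges


def transitive_deps(root, edges):
    """Walk the graph to the full set of components reachable from the artifact."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        for child in edges.get(node, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def reactive_findings(sbom_json, feed, vex):
    """Reactive policy: which advisories hit this artifact once VEX is applied?"""
    root, edges = build_graph(sbom_json)
    deps = transitive_deps(root, edges)
    hits = {}
    for adv, purl in feed.items():
        if purl in deps and vex.get((root, adv)) != "not_affected":
            hits[adv] = purl
    return hits


def preventive_gate(sbom_json, provenance, min_level):
    """Preventive policy: reject the artifact if any component lacks provenance at min_level.

    Returns (passed, list_of_failing_purls)."""
    root, edges = build_graph(sbom_json)
    nodes = {root} | transitive_deps(root, edges)
    failing = sorted(p for p in nodes if provenance.get(p, 0) < min_level)
    return (len(failing) == 0, failing)


if __name__ == "__main__":
    print("reactive:", reactive_findings(SBOM_JSON, VULN_FEED, VEX))
    print("preventive (SLSA>=2):", preventive_gate(SBOM_JSON, PROVENANCE, 2))
```

The two policy functions show the split the section draws: the reactive check answers "does a newly published advisory affect what I run?", and only the VEX statement keeps it from raising a false alarm on the transitive tlsutil dependency; the preventive gate answers "may this artifact be admitted at all?" and fails on the one component with no provenance, which is exactly the kind of question that cannot be asked until the SBOM, feed, VEX and attestations are linked into one structure.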
Conclusion
Significant progress has been made in producing secure software supply chains. The next steps involve creating easy-to-consume solutions and comprehensive policies. TAG Security is at the forefront of this effort, and community involvement is crucial.
At the next CloudNativeSecurityCon, we hope to see more initiatives in policy, aggregation, and synthesis.
Keywords
- Software Supply Chain Security
- Open Source
- Metadata Standards
- SBOM
- SLSA
- Secure Software Factory
- Aggregation and Synthesis
- Policy and Insight
FAQ
Q: What is the significance of software supply chain security?
A: It's crucial due to the rising number of supply chain attacks that compromise software integrity and security.
Q: What are some key projects in the field of software supply chain security?
A: Key projects include Sigstore, TUF, SPIFFE, SPIRE, Keylime, SLSA, SPDX, CycloneDX, and Tekton.
Q: What is an SBOM and why is it important?
A: An SBOM (Software Bill of Materials) lists all components in a piece of software, helping with vulnerability management and compliance.
Q: What efforts has TAG Security undertaken?
A: TAG Security has created the Secure Software Factory initiative and works on defining what good looks like for software supply chain policy.
Q: What are the next steps for the industry?
A: The next steps include focusing on the consumption side of supply chain metadata, developing comprehensive policies, and community involvement.