Open Source Software Supply Chain Security — Why does it matter

Introduction

Good morning everyone! My name is Michael Barbell, and I am the Head of Security at Equip Solutions. Today's discussion revolves around a crucial topic: security, focusing specifically on open-source software and supply chain security.

Importance of Security

It may not come as a surprise that the realm of cybercrime operates on a massive scale. Currently, if cybercrime were to be classified as a country, it would rank as the third-largest economy globally, following China and the United States. Projections indicate that by 2025, the total damages from cybercrime could amount to an astonishing $ 10.5 trillion.

This denotes a steep inclination, which we must be cognizant of as we strategize against adversaries in this domain. A noticeable shift in the profile of attacks shows an increase in supply chain attacks over traditional approaches, with supply chain attacks rising by an average of 742% in the last three years.

The Shift in Targeting

To comprehend this shift, we can reflect on the infamous SolarWinds attack. SolarWinds' Orion software was compromised for over six months, affecting 95% of Fortune 500 companies and even several U.S. agencies, illustrating how dangerous supply chain vulnerabilities can be.

The attack was successful primarily because it targeted the build system of SolarWinds, managing to alter software without raising any suspicion from users. Compromised software flowing through the supply chain leads to a broad impact that is both harder to identify and mitigate.

Open Source and Supply Chain

Open-source components are integral to about 90% of all software, including proprietary systems. Therefore, addressing supply chain security isn't just an issue within the proprietary realm; it's a widespread, industry-wide concern.

The complexities nested within the software supply chain extend across multiple layers, posing various threats. Understanding these threats becomes imperative as every dependency can also be tied to its own supply chain.

Recent Attack Examples

Several recent incidents illustrate the magnitude of these threats:

1. Hypocrite Commits: Researchers demonstrated that vulnerabilities could be hidden within the code to test the robustness of code review processes.

2. UA Bursar JS Incident: Authored by Faisal Salman, the library experienced a takeover by a threat actor who utilized compromised credentials to push malicious updates.

3. Personal Vendettas: Developers have also abused their positions. An individual altered a widely-used project to reflect political views, representing personal risks in relying on single-maintainer projects.

These examples highlight the need for comprehensive code reviews, two-factor authentication, and robust governance practices.

The Role of the SLSA Framework

In mitigating supply chain security risks, the SLSA (Supply Chain Levels for Software Artifacts) framework offers a pathway to implement best practices for improving supply chain security. Adopting this framework can facilitate organizations in systematically addressing vulnerabilities through gradual improvements.

Conclusion

At Equip Solutions, our vision encompasses assisting projects in implementing best practices while minimizing the burden on developers. By collaborating with various initiatives and organizations, we strive to develop tools and services that foster safe open-source usage.

Keywords

• Supply Chain Security
• Cyber Crime
• Open Source
• SolarWinds Attack
• Vulnerabilities
• SLSA Framework
• Best Practices
• Code Review

FAQ

Q1: Why is supply chain security important?
A1: Supply chain security is vital because vulnerabilities can lead to significant breaches affecting numerous networks and organizations. Attacks like SolarWinds highlight this risk.

Q2: How prevalent are open-source components in software?
A2: Open source comprises about 90% of all software, making it integral to both open-source and proprietary software systems.

Q3: What can organizations do to mitigate risks?
A3: Organizations can implement robust code reviews, maintain two-factor authentication, and adopt the SLSA framework to strengthen their supply chain security.

Q4: What is the SLSA framework?
A4: The SLSA framework assists organizations in implementing best practices for software supply chain security, emphasizing gradual, impactful changes.