Securing the software supply chain together - GitHub Satellite 2020

Introduction

In the dynamic world of software development, the concept of DevOps continues to evolve, with a focus on cultural shifts alongside technological advancements. During the GitHub Satellite event, Maya Khacharovsky, a Product Manager at GitHub specializing in software supply chain security, delivered an insightful presentation on securing the software supply chain.

Understanding the Software Supply Chain

A software supply chain encompasses everything that goes into your software, including:

• The code written by developers
• Open source libraries and frameworks
• Dependencies that must be managed throughout the development lifecycle

Understanding your software supply chain is essential because it directly affects the security of your application. Industry data suggests that a significant percentage of enterprise code bases—between 85 to 97 percent—dependency on open source components. This heavy reliance introduces potential risks, especially when vulnerabilities exist in third-party dependencies.

The Importance of Securing the Supply Chain

Maya highlighted the prevalence of software supply chain vulnerabilities. If any of your dependencies are vulnerable, your code could also be at risk. It’s therefore essential to reduce dependence on unverified code. Over the years, numerous attacks have compromised the integrity of software supply chains. These attacks can involve malicious code insertion, maintainer account takeovers, and the creation of fake packages similar to well-known libraries.

Common Attack Examples

Maya provided examples of significant breaches, such as the event with Gentoo Linux and the Event Stream library. These incidents illustrate how a lack of vigilance in maintaining dependencies can lead to serious repercussions for both developers and end-users.

Strategies for Securing Your Software Supply Chain

To combat these vulnerabilities, GitHub offers various tools and strategies:

1. Dependency Graph: Identifies upstream dependencies and alerts users about vulnerabilities in their projects.
2. Security Alerts: Notifies developers when their repository contains newly discovered vulnerabilities.
3. Dependabot: Automatically generates pull requests for vulnerable dependencies to ensure timely patches.

Developers are encouraged to enable these features to ensure ongoing maintenance of their software supply chain.

Additional Measures

Maya urged maintainers to create a security.md file that outlines their disclosure policy, making it easier for researchers to report vulnerabilities responsibly. This transparency can build trust within the open-source community.

Conclusion

Maya concluded her talk with a strong emphasis on enabling two-factor authentication (2FA) across all accounts. Implementing this simple security measure can significantly decrease the risks of credential leaks and mitigate potential attacks on software supply chains.

Keywords

• Software Supply Chain
• Security
• Open Source
• Vulnerabilities
• Dependabot
• Security Alerts
• Dependency Graph
• Two-Factor Authentication

FAQ

Q1: What is a software supply chain?
A1: A software supply chain includes all elements that contribute to software development, such as the code, libraries, dependencies, and the processes in place for managing them.

Q2: Why is it important to secure the software supply chain?
A2: Securing the software supply chain is vital because vulnerabilities in third-party dependencies can directly affect the security of your own application.

Q3: What tools does GitHub provide to help with supply chain security?
A3: GitHub offers tools such as the Dependency Graph, Security Alerts, and Dependabot, which help identify vulnerabilities and automate patching.

Q4: How can maintainers improve the security of their open-source projects?
A4: Maintainers can create a security.md file outlining their disclosure policy and ensure they promptly publish information about vulnerabilities and their fixes.

Q5: What is the significance of enabling two-factor authentication?
A5: Enabling two-factor authentication adds an extra layer of security, significantly reducing the risk of account breaches and unauthorized access.

Incorporating these measures into your software development practices will foster a more secure development environment and contribute to the integrity of the overall software supply chain.