This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on open source.
The SolarWinds attack was the catalyst needed for government and regulatory agencies around the world to open up debate on the best way to secure the software supply chain. At the center of many of the directives was a requirement to produce a software bill of materials (SBOM) – essentially a list of ingredients that make up the software product. In May 2021, the U.S. President issued Executive Order 14028, which requires any software product purchased by the federal government to come with an SBOM. In the European Union, the proposed Cyber Resilience Act looks to create a unified set of cybersecurity requirements for hardware and software products that end up in the EU market. The IT-Security Act 2.0 in Germany added new amendments focused on the supply chain.
However, it’s not just governments taking action on the problem. Industry associations and standards bodies have also exerted leadership, providing organizations with frameworks and tools to address cybersecurity risks across the supply chain. Examples include the NIST Guidance for Cybersecurity Supply Chain Risk Management and the Open Source Security Foundation’s OpenSSF Scorecard.
Open-source software and its role in the global software supply chain was at the center of discussion in several sessions at RSAC 2023. In the session, How Do You Trust Open-Source Software, Brian Russell, Product Manager at Google, talked about how the modern digital infrastructure is fragmented with big and small chunks of open-source code throughout. How do you provide more insight on top of that to get a better understanding of what’s working well and where there might be risks?
According to Russell, there are two main ingredients. First, you need to pull in evidence programmatically through API calls, and second, you need to apply a scoring system to make sense of all the evidence. This is where the OpenSSF Scorecard comes in. Co-presenter Naveen Srinivasan, who helps maintain the OpenSSF Scorecard, walked through how to use the API to grade or evaluate internal projects.
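The two ingredients Russell describes, pulling evidence by API and then scoring it against a policy, as an added example (not code from the session or from the Scorecard project). It assumes the public Scorecard REST endpoint `https://api.securityscorecards.dev/projects/github.com/<org>/<repo>` and the JSON fields shown in the constructed sample; the repository name, scores and thresholds are made up for illustration.

```python
import json
import urllib.request

# Constructed sample in the shape the Scorecard API returns (trimmed to
# the fields used here); the repository and its scores are made up.
SAMPLE_RESPONSE = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib"},
    "score": 6.1,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "30 commit(s) in last 90 days"},
        {"name": "Branch-Protection", "score": 3, "reason": "branch protection not enabled"},
        {"name": "Pinned-Dependencies", "score": -1, "reason": "no dependencies found"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous patterns"},
        {"name": "Vulnerabilities", "score": 0, "reason": "2 known vulnerabilities"},
    ],
})

# Constructed intake policy: minimum score per check, plus an aggregate floor.
POLICY = {"Dangerous-Workflow": 10, "Vulnerabilities": 10,
          "Branch-Protection": 5, "Maintained": 5, "Pinned-Dependencies": 5}
MIN_AGGREGATE = 5.0


def fetch_scorecard(repo: str) -> dict:
    """Pull the evidence programmatically (network call; assumed endpoint)."""
    url = f"https://api.securityscorecards.dev/projects/{repo}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def evaluate(result: dict, policy=POLICY, min_aggregate=MIN_AGGREGATE) -> dict:
    """Grade one Scorecard result; a score of -1 means the check could not
    run, which is reported as missing evidence rather than counted as a pass."""
    by_name = {c["name"]: c for c in result.get("checks", [])}
    failures, missing = [], []
    for name, threshold in policy.items():
        check = by_name.get(name)
        if check is None or check["score"] < 0:
            missing.append(name)
        elif check["score"] < threshold:
            failures.append(f"{name}: {check['score']} < {threshold} ({check['reason']})")
    if result.get("score", 0) < min_aggregate:
        failures.append(f"aggregate: {result['score']} < {min_aggregate}")
    return {"pass": not failures and not missing, "failures": failures, "missing": missing}


def evaluate_sample() -> dict:
    return evaluate(json.loads(SAMPLE_RESPONSE))


if __name__ == "__main__":
    print(json.dumps(evaluate_sample(), indent=2))
```

For internal projects the same `evaluate` function can be run over locally generated Scorecard JSON instead of the public API, since the check names and score fields are the same.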
But just how vulnerable is open-source software to attack? Tal Folkman and Jossef Harush Kadouri of Checkmarx highlighted the abundant risks in the software supply chain and walked through a series of threats within the open-source ecosystem in their session, The Risks of Blind Trust in Code From Strangers. The talk highlighted several attacks, including those launched by a large attack group named Lofy Gang. The group was responsible for uploading malicious packages designed to steal credentials on open-source platforms such as GitHub and npm. They then uploaded videos on YouTube to show potential hackers how to install their malicious packages.
However, risk is not only lurking within open-source software. In Scaling Software Supply Chain Source Security in Large Enterprises, Rao Lakkakula, Senior Director of Security Engineering at JPMorgan Chase, discussed the complexities of the supply chain within the enterprise, noting, “Nobody does software in isolation.” Enterprises have other software supply chains to address including the internal supply chain, vendor supply chain and the SaaS supply chain. Then there is the issue of hardware. “There is no hardware without software,” stated Lakkakula.
So how do you operationalize this? Lakkakula offered several calls to action in his closing, starting with mapping the different supply chains within the organization, which includes building a central repository of both open- and closed-source software components and where they are deployed. Lakkakula is also a proponent of getting involved in public and private initiatives such as the CISA SBOM Working Groups.
While SBOMs can go a long way in providing visibility and transparency across the software supply chain and helping organizations identify vulnerabilities in software components early, they are not without challenges, including the time it takes to maintain them. They are not static documents that can be filed away and forgotten. They must be updated continually with every new software component release. And with the speed of software development today, well, you get the point.