A new tool wants to save open source from supply chain attacks

Russia is historically destroyed NotPetya Malware Attack and more modern SolarWinds Cyber ​​Espionage Campaign You have one thing in common besides the Kremlin: both are real examples of programs Supply Chain Attacks. It’s a term referring to what happens when a hacker slips malicious code into legitimate programs that can spread widely. And with more supply chain attacks emerging, a new open source project is seeking to take a stand, making critical protection free and easy to implement.

founders sigstore Hopefully, their platform will incentivize the adoption of code signing, which is an important protection for software supply chains but is often overlooked by popular and widely used open source software. Open source developers don’t always have the resources, time, experience, or means to fully implement code signing on top of all the other non-negotiable components they need to build their code to work.

“Up until about a year and a half ago, I felt like the crazy person standing in the corner with a sign that said, ‘The end is coming.’ No one understood the problem,” says Dan Lorink, researcher and engineer at Google’s open source software supply chain. But things have changed dramatically in the past year. Now everyone is talking about supply chain security, we have executive order About it, and everyone is starting to realize how important open source is and how we really need to put some resources behind fixing its security for everyone.”

Lorenc is not the only researcher who has focused on Insurance Challenges Open source or supply chain projects. But the mainstream interest generated by recent high-profile hacks had gained a whole new level of enthusiasm for the work that Lawrence and his collaborators had already begun.

To understand the importance of Sigstore, you need to have an idea of ​​what code signing does. Think of it like battle orders delivered in ancient times. Generals would recognize the royal clerk’s handwriting, the commander-in-chief’s signature, and the detailed wax seal on the envelope, while a web of carefully vetted pages handed out letters in a series of controlled reservations. This system worked because it was extremely difficult—though not completely impossible—for an outside entity to infiltrate the process, duplicate critical elements, and circumvent all integrity checks.

The same is true for cryptographic code signing. You cannot create and distribute a Windows Update to your closest friends or enemies. Only Microsoft can do this unless something goes wrong. One of the reasons it is so difficult for anyone other than Microsoft to send updates to your Windows laptop is that the software needs to be “signed” by the right creator at the right time. It’s John Hancock’s seal and wax of the digital age.

You can see why the stakes are high, though, for old battles and modern software alike. If someone can Sending rogue commands or updates, they could stage a coup – or put billions of computers at risk. The benefits of code signing are obvious, but getting hobbyists, volunteers, and other open source contributors to integrate it requires a low barrier to entry.

“These are huge issues that put the infrastructure of the entire world at risk,” says Bob Callaway, chief architect at open source software company Red Hat. “It’s certainly not a panacea that will fix everything, but it will make a huge impact in getting people to use best practices and encryption techniques that have been around for a long time and make versions more secure.”

Sigstore, which is Affiliate The Linux Foundation, currently led by Google, Red Hat, and Purdue University combine two components. First, it orchestrates complex encryption for its users; It even offers the option to take literally everything for developers who can’t or don’t want to do the extra work themselves. By using pre-existing identifiers such as an email address or a third-party login system such as Sign In With Google or Sign In With Facebook, you can quickly begin to sign the encrypted code you produce as having been generated by you at a given time. Second, Sigstore automatically produces a public and immutable open source log of all activities. This provides overall accountability for each request, and a place to start an investigation if something goes wrong.

Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button