It was nearly two years ago that Allan Friedman, director of cybersecurity initiatives at the U.S. National Telecommunications and Information Administration, posed a key question. If consumers can read the ingredients on a box of Twinkies, then why can’t software makers, whose products run the most impactful systems on the planet, provide a bill of materials detailing the elements inside?

Friedman’s question has become particularly relevant over the past two years as high-profile hacks of the software supply chain and exploits of vulnerabilities in open-source tools have challenged the cybersecurity community.

How serious is the situation? Breaches in the supply chain of SolarWinds software and the Java logging library Log4j were significant enough. Yet perhaps more troubling is the rising tide of vulnerabilities.

At the end of December, Redscan Cyber Security Ltd. published an analysis of the National Vulnerability Database, or NVD, which is maintained by the National Institute of Standards and Technology. The report found that 2021 was a record-breaking year for exposures logged by security researchers. More than 50 common vulnerabilities and exposures, known as CVEs, are now being logged every day.

Numbers such as these should galvanize the enterprise community to patch, and patch some more. However, over two-thirds of global companies continue to run software with the WannaCry flaw, which was discovered five years ago.

All of this has brought further scrutiny to the software supply chain, where hackers have found a playground and open source plays a critical role.

“It is a hot topic, securing supply chains,” Luke Hinds, security engineering lead, Office of the CTO at Red Hat Inc., said during an interview with SiliconANGLE. “And we’re starting to see an increase in attacks as well. There’s a recent statistic that came out … a 620% increase since last year of supply chain attacks involving the open-source ecosystem. So, things are certainly ramping up.”

SBOMs and reproducible builds

While the numbers offer a sober assessment of an expanding threat landscape, the software community has not pulled the covers over its head and ignored the problem. A collection of private companies and open-source maintainers has been actively working on a number of solutions with the potential to make a difference for security within the complex software ecosystem.

One starting point has been to address the “Twinkies” conundrum and provide greater transparency in software composition and handling. This involves a concerted move toward the software bill of materials, or SBOM.

The need for SBOMs was recognized well before breaches in the software supply chain began to attract headlines. In 2017, the Open Web Application Security Project developed the CycloneDX standard as a framework for supporting a software bill of materials. A number of software composition analysis tools have also become more prominent over the past year, including FossID, which was acquired by Snyk Inc. in 2021, and BlackBerry Jarvis, which was introduced in January at the Consumer Electronics Show.

The Linux Foundation has been at the forefront of two key initiatives in providing a higher level of transparency in the composition of industry software. One is the Software Package Data Exchange, or SPDX, a file format that communicates software metadata information throughout the supply chain. In September, SPDX became the internationally recognized standard for SBOMs and is currently in use by Intel Corp., Microsoft Corp. and VMware Inc.

In addition to providing support for the software bill of materials, The Linux Foundation has been funding work for a project called Reproducible Builds. The concept behind this is to produce a verified process where organizations develop an application build from source code and confirm that the results came from the same code.

“There is a lot of software that needs to be reproducible, including operating system packages and library level packages,” explained David Wheeler, director of open-source supply chain security at The Linux Foundation, in a blog post. “This will not be easy.”

Signing and verification

The process for verifying software’s provenance is another piece of the supply chain puzzle. One solution is the Sigstore project, which automates digital signing and verification of software elements.

Sigstore was originally prototyped at Red Hat and is a cornerstone of the company’s supply chain trust and security strategy. The project was among the tools discussed during a meeting of tech industry leaders at the White House that was convened in January to discuss security of the software supply chain. Participants included executives from Apple, IBM Corp., Google LLC, Oracle Corp. and Red Hat.

The breach of SolarWinds served as a major wakeup call for the software community to bring a sharper focus on the need for transparency and integrity. For this reason, it is worth noting what Red Hat has done since. More than a year after news broke that Russian actors managed to infiltrate an update for a key SolarWinds security tool, the company has responded by embracing open source as a way to enhance transparency in the software supply chain. An example of this can be found in its recent use of Tekton chains.

Tekton is an open-source project that evolved from an internal Google initiative to use Knative for software deployment. It was spun out as an independent project and donated to the Continuous Delivery Foundation in 2019. Tekton chains are a security subsystem of the Kubernetes Tekton CI/CD pipeline. The technology captures metadata about PipelineRun and TaskRun executions, which can then be used for analysis. Red Hat’s OpenShift Pipelines offering is based on Tekton, and it is used to power solutions for a wide variety of customers, including blockchain services provider BSS Oman.

One additional development in the use of Tekton for supply chain security is worth watching. Five of the Google employees responsible for creating Tekton left to start their own company, Chainguard Inc., which is focused on software supply chain security and recently raised $5 million in seed funding.

Workload attestation

Open-source technologies are contributing to software supply chain security initiatives through another path, and this involves workload identity. Two open-source incubation projects within the Cloud Native Computing Foundation are targeting secure identification of software systems in dynamic workload environments.

Secure Protection Identity Framework for Everyone, or SPIFFE, is designed to securely authenticate microservices communication with common databases or platforms. Its companion is the SPIFFE Runtime Environment, or SPIRE, which manages platform or workload attestation. The two CNCF projects are already in use within enterprises such as Bloomberg Inc., Uber Inc., Google, Hewlett Packard Enterprise Co., Intel and IBM.

The depth of technology solutions involved in securing the software supply chain highlights a key development in the saga of cybersecurity itself. Societal dependence on the cloud and its intricate web of dependencies has raised the stakes when it comes to protection. When the software supply chain becomes vulnerable to attack, people sit up and take notice, and this is driving the tech community’s concerted response to find a viable solution.

“The supply chain, this is critical infrastructure,” said Red Hat’s Hinds. “We rely on these systems when we wake up each morning, our emergency services, our police forces rely on these supply chains. There’s a bigger vision here, because a supply chain attack can go very much to the heart of our society.”

Image: fran_kie