UPDATED 08:00 EDT / JULY 14 2022


Scribe Security rolls out code integrity validator for software supply chains

Scribe Security Ltd. said today that it has released a key component of the suite of tools it is building to ensure software supply chain security.

Scribe Integrity is a code integrity validator that authenticates open-source and proprietary source code created with the Node.js JavaScript runtime environment. It provides additional chain-of-custody visibility that developers can use to verify code is safe. Scribe also introduced an open-source GitHub security policy management project called GitGat.

The Tel Aviv-based startup is addressing the problem of malicious code planted in software, particularly that shared under an open-source license. Software supply chain security firm ArgonSec Ltd. has estimated that supply chain attacks more than tripled in 2021 with the hack of software from SolarWinds WorldWide LLC and the discovery of vulnerabilities in the popular Log4j open-source diagnostic utility making global headlines.

The problem has drawn growing attention as open-source software has become ubiquitous. Last year, the White House released an executive order that called for wider use of software bills of material. SBOMs provide a record of the components used in software development.

Open-source everywhere

A 2020 audit by Synopsys of more than 1,250 commercial codebases found that 99% included at least one open-source component. Open-source software is typically maintained in community libraries with little or no security oversight. Synopsys reported that 75% of the codebases it audited contained open-source components with known security vulnerabilities and nearly half had high-risk vulnerabilities.

Scribe Security says it uses a principle of “hash everything, sign everything” combined with intelligence it gathers on open-source dependencies. Hashing is a one-way transformation that maps data of any length, such as a source file or a string of characters, to a fixed-length digest that changes whenever the input changes.

“We deploy collectors or sensors throughout the entire lifecycle of code; it can be in repositories or through the development environment of a subcontractor or the software producer itself,” said Chief Executive Rubi Arbel (pictured, left). “These collectors can be agents, agentless, application program interfaces and at the kernel level. They collect attestations, which are hashed and signed evidence of anything that happens to the meta code.”

Trust no code

Scribe Software’s founders — Arbel, Research and Development Vice President Guy Chernobrov (center) and Chief Technology Officer Daniel Nebenzahl (right) — are all veterans of the Israeli military with extensive cybersecurity backgrounds. The approach they’ve mapped out borrows from the zero-trust principles that are being widely adopted in enterprise security.

“We assume a software artifact is guilty unless it can prove otherwise,” said Nebenzahl. “We validate that it is innocent and was manufactured in the right conditions. We collect evidence of changes to security settings in a way that’s similar to any other manufacturing process in which products are built from materials.”

The technology, which is currently in the early access phase, is offered as software-as-a-service that connects to a customer’s code repositories. The code repository itself is not touched, Arbel said. Signed hashes with metadata and attestations are stored on Scribe Security’s cloud.

“We hash and sign the code in every stage along the way and also collect other evidence regarding the process or the configuration of the machine that produced that code,” he said. The service also looks for other suspicious signs such as evidence that code has been automatically scanned.

The current iteration of the product compares final code to input code wherever it resides and validates it against the repository of the popular npm open-source package manager. Future versions will support other languages and repositories, executives said.

The company is also building a service called Scribe Hub that will be a sharing platform for SBOMs. “They can be uploaded automatically from your pipelines and let you decide which policies you want to enforce,” Arbel said. “This is the top-down part of our solution.”

GitGat is a policy-as-code tool that uses the Open Policy Agent policy manager to enable users to periodically run reports to gain insight into the changing security landscape of the organization. Barely a month old, GitGat will evolve to cover more parts of the continuous integration/continuous delivery, or CI/CD, lifecycle over time, the company said.

Scribe Software isn’t the only startup tackling the supply chain problem. Chainguard Inc., a startup founded by a group of former Google LLC engineers, recently raised $50 million to fund its own solution.

Photo: Scribe Security
