Software Supply Chain Security - Dan Lorenc, Open Source Software Supply Chain
Introduction
This week's episode of Floss Weekly (#712), hosted by Doc Searls and joined by Catherine Truckman, features a discussion with Dan Lorenc, the co-creator of Sigstore and President and CEO of Chainguard. The focus of the discussion is software supply chain security, a critical concern given the complexity of modern software development and distribution. The conversation covers software signing and verification, identity management, and the importance of provenance.
Overview
Dan Lorenc has a rich background in open source and software security from his nine-year tenure at Google, where he focused on infrastructure security, developer tooling, and supply chain security. He co-founded Chainguard to take these concepts further into the open source realm, aiming to make software supply chains as secure as possible.
Problem Space: Software Supply Chain Security
The security of the software supply chain has gained increased visibility due to high-profile attacks like SolarWinds and Log4Shell. These events have highlighted the need for standardized, secure software development practices.
One of the persistent problems in supply chain security is "typo squatting" attacks, where malicious actors upload packages with slightly altered names of popular libraries, tricking developers into downloading them.
The Role of Sigstore
Sigstore is a new standard for signing, verifying, and protecting software. It aims to be the "Let's Encrypt" for code signing by providing free and easy-to-use tools for open source maintainers. Sigstore's components include client tools for signing and verifying code, a certificate authority (Fulcio), and a transparency log (Rekor) to record all signing activities.
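As an added example (not code from the episode, from Sigstore or from Rekor), the following shows the property a transparency log gives the verifier: entries are leaves of an RFC 6962 Merkle tree, and anyone holding the published tree head can check that a particular signing record is included without trusting the log operator. Rekor's log uses this hashing scheme; the sample entries here are constructed.

```python
import hashlib

# RFC 6962 hashing, the Merkle-tree design Rekor's log follows: distinct prefixes
# keep a leaf hash from ever colliding with an interior-node hash.
LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def _split(n: int) -> int:
    k = 1  # largest power of two strictly less than n (n > 1)
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list) -> bytes:
    """Tree head over all leaf hashes: the value a log publishes and signs."""
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path the log hands out: sibling hashes from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): rebuild the root from the leaf and
    audit path. Only the published root is trusted, so a dropped or altered entry shows."""
    if index >= size:
        return False
    fn, sn, h = index, size - 1, leaf
    for sibling in proof:
        if sn == 0:
            return False  # more siblings than the tree has levels
        if fn & 1 or fn == sn:
            h = node_hash(sibling, h)
            while fn != 0 and not fn & 1:  # rightmost node with no sibling at these levels
                fn, sn = fn >> 1, sn >> 1
        else:
            h = node_hash(h, sibling)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and h == root
```

In the real system the record is a signature plus the short-lived certificate Fulcio issued for the signer's identity, and the root is taken from the log's signed tree head; the inclusion check is the same.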
Government and Industry Involvement
With increased regulations such as the Biden Administration's Executive Order on cybersecurity and various legislative acts, the role of the government in pushing for secured software development practices is more prominent than ever. The government's substantial purchasing power can shift the market dynamics, encouraging vendors to adopt stricter security measures.
The Importance of Provenance
Provenance, in the context of software, refers to the ability to trace the origin and history of code. Sigstore provides tools that offer provable claims about code origins, ensuring that only legitimate code is incorporated into software projects. This ensures a chain of trust that can be verified by anyone.
Chainguard’s Offerings
Chainguard provides two main products: images and enforce, which help businesses secure their code and manage their build processes. These products leverage the foundations of Sigstore, offering transparency, security, and identity management for software supply chains.
Future Directions
Looking at the future, Dan hopes 2023 will be the year when Software Bill of Materials (SBOM) becomes mainstream, facilitating vulnerability management and compliance. Chainguard and Sigstore aim to play crucial roles in this ecosystem, providing the tools and infrastructure to make secure software development accessible and practical.
Conclusion
Software supply chain security is not just a buzzword but a necessity in today's complex digital ecosystem. Initiatives like Sigstore, driven by experts like Dan Lorenc and supported by organizations like Chainguard and the OpenSSF, are pioneering the way to a more secure and transparent software development future.
Keywords
- Software Supply Chain Security
- Sigstore
- Chainguard
- Open Source
- Provenance
- Identity Management
- Government Regulations
- SBOM (Software Bill of Materials)
FAQ
Q: What is Sigstore?
A: Sigstore is a standard for signing, verifying, and protecting software. It aims to make it easy and free for open source maintainers to sign their code.
Q: What problems does Sigstore address?
A: Sigstore addresses issues related to code authenticity, typo squatting attacks, and software supply chain integrity.
Q: How does Sigstore work?
A: Sigstore consists of client tools for signing and verifying, a certificate authority (Fulcio), and a transparency log (Rekor). These elements work together to securely sign and maintain a transparent record of software components.
Q: What are the main products of Chainguard?
A: Chainguard offers two main products: 'images,' which are secure container images, and 'enforce,' a compliance and security management tool for software builds.
Q: What role does the government play in software supply chain security?
A: With its substantial purchasing power and recent regulations, the government can influence vendors to adopt more secure software development practices.
Q: What is the significance of provenance in software supply chain security?
A: Provenance ensures the traceability and authenticity of software components, allowing developers to verify that code origins are legitimate and unaltered.
Q: How can developers start using Sigstore?
A: Developers can use Sigstore’s client tools for their specific ecosystems, like containers or language-specific packages. They authenticate using popular identity providers and can sign and verify their code easily.
Q: What’s next for software supply chain security?
A: The goal for 2023 is to make SBOMs (Software Bill of Materials) a standard practice, helping organizations manage vulnerabilities and ensure compliance more effectively.