Talk - Dustin Ingram: Securing the Open Source Software Supply Chain

Talk - Dustin Ingram: Securing the Open Source Software Supply Chain

Introduction

Dustin Ingram, a software engineer from Google's Open Source Security Team, gave an insightful talk about securing the open source software supply chain. He addressed common concerns, defined crucial terms, described key technologies, and shared potential future trends in open source security.

Is It Safe to Use Open Source Software?

Dustin affirmed the general safety of using open source software, despite existing vulnerabilities. The key takeaway is that safety largely depends on how the software is used and the specific threat model implemented.

How Can We Use Open Source Software Safely?

Understanding the Software Supply Chain

The software supply chain includes everything needed to produce and use the software, including all dependencies and infrastructure components.

Secure Software Supply Chain

A secure software supply chain ensures that all components are not compromised.

Why the Current Focus on Software Supply Chain Security?

Recent Compromises

Numerous high-profile compromises have heightened the focus on securing the software supply chain, including malicious libraries, vulnerability exploits like those in Java logging libraries, a rise in supply chain attacks, SolarWinds, and protestware.

Executive Order 14028

The US government's Executive Order 14028 on improving the nation's cybersecurity has accelerated efforts to enhance software supply chain security.

Current Tools and Future Directions

Community Advisory Databases

Community advisory databases provide a centralized repository for security advisories. The Python community now has its advisory database.

Vulnerability Auditing Software

Pip-audit, an open-source vulnerability auditing tool for Python packages, is now available, helping to identify and remediate known vulnerabilities.

Artifact Signing with SixStore

SixStore offers a new approach to artifact signing, addressing challenges associated with GPG by using ephemeral keys, OIDC identities, and transparency logs.

Salsa and In-Toto

Salsa (Supply Chain Levels for Software Artifacts) and In-Toto are new standards to describe and ensure the integrity and security of software artifacts.

Policy and Enforcements

Tools like GitHub's Allstar enable repositories to enforce security policies and maintain best practices.

Upcoming Enhancements in PyPI

1. Two-factor authentication (2FA) requirements for critical projects.
2. Free hardware key giveaway for critical project maintainers.
3. Credentials publication via OIDC.
4. Implementation of PEP 458 (signed metadata via TUF) and updates to PEP 480 (end-to-end developer-signed artifacts).

Call to Action

Dustin called for vendor-neutral collaboration, increased funding, user contributions, and more robust educational efforts to drive forward the movement for a secure software supply chain.

Predictions

1. Increased funding and interest in secure supply chain practices.
2. More frequent requests for open source maintainers to adopt enhanced security measures.
3. Increased awareness and education about open source security for consumers.

Conclusion

Dustin concluded with acknowledgments and encouraged ongoing support and engagement in implementing these emerging security measures to protect the integrity of the open source software supply chain.

Keywords

• Open Source Security
• Software Supply Chain
• Advisory Database
• Vulnerability Auditing
• SixStore
• Salsa
• In-Toto
• Policy Enforcement
• PyPI
• Two-Factor Authentication
• OIDC
• Transparency Log
• Cryptographic Signing

FAQ

1. Is it safe to use open source software? Yes, but the extent of its safety depends on how it's used and the specific threat model in place.

2. What is a software supply chain? The software supply chain encompasses everything needed to produce and use software, including all dependencies and infrastructure components.

3. Why is software supply chain security a big deal right now? Recent high-profile compromises and the US government's Executive Order 14028 has accelerated focus on securing the software supply chain.

4. What is Pip-audit? Pip-audit is an open-source vulnerability auditing tool for Python packages, designed to identify and remediate known vulnerabilities.

5. How does SixStore improve the artifact signing process? SixStore uses ephemeral keys, OIDC identities, and transparency logs, addressing the limitations associated with traditional GPG signing.

6. What are Salsa and In-Toto? Salsa is a security framework describing the security levels of software supply chains, while In-Toto is a standard ensuring the integrity and transparency of artifacts.

7. What new security features are coming to PyPI? Upcoming enhancements include 2FA requirements for critical projects, a hardware key giveaway, OIDC credential publication, and the implementation of PEP 458 and updates to PEP 480.

8. How can the community contribute to securing the open source software supply chain? By participating in vendor-neutral collaborations, financially supporting security projects, using new tools, and contributing feedback and improvements.