Why a Google-backed open source program is so important – CloudSavvy IT


Supply chain attacks are skyrocketing, and open source projects are the most common route of infiltration. A Google-backed program run by the Linux Foundation helps open source projects keep themselves, and everyone who depends on them, safe.

Supply chain attacks

Until recently, if you worked in cybersecurity and found yourself trying to explain supply chain attacks to someone, you probably used the Stuxnet attack as an example. Now you have a number of examples to choose from.

Everyone has heard of the SolarWinds and Codecov attacks because they were headline-grabbing, sophisticated attacks with wide reach. But these two examples are a drop in the ocean of such attacks.

Supply chain attacks poison the buffet. Anyone who eats from the buffet eats poison. The buffet host is not the target; the targets are everyone who was invited. If attackers can compromise a software toolkit or library that is used in many other applications and systems, they have succeeded in compromising all the users of those other products.

Both open source and closed source products are at risk. There have even been cases where laptops were shipped with hard drive images cloned from compromised golden images, baking the malware into the hardware.

But because open source projects give everyone access to the source code and the ability to submit contributions, they are an ideal attack vector for cybercriminals. And targeting open source is becoming more attractive than ever, because the use of open source components continues to snowball. Almost all development projects of any size use open source assets. The digital infrastructure of the modern world relies on open source.

According to a Sonatype report, the use of open source is still increasing. That is great for open source, but not so great given that supply chain attacks increasingly use open source as their attack vector. Year-on-year, supply chain attacks have increased by 650%, including dependency confusion, typosquatting, and code injection.

We’ve previously outlined steps you can take at home to limit your exposure to supply chain attacks, such as using utilities like preflight. We’ve also reported on programs being implemented at the industry level, such as the Linux Foundation’s sigstore initiative, which is being jointly developed by Google, Red Hat, and Purdue University.

The Secure Open Source program is a new initiative run by the Linux Foundation with a $1 million sponsorship from the Google Open Source Security Team.

Secure Open Source Rewards

The pilot program focuses on enhancing the security of critical open source projects. The definition of "critical" comes courtesy of the US government, which drafted it for Executive Order 14028. That definition treats software as critical if one or more of its components has one of the following attributes:

  • It is designed to run with high privileges or to manage privileges.
  • It has direct or privileged access to networking or computing resources.
  • It is designed to control access to data or operational technology.
  • It performs a function that must be trusted.
  • It operates outside of normal trust boundaries with privileged access.

Another important factor is the potential impact of a problem on the software’s users. Who would be affected, how many of them, and how? If the software in question is included in other open source projects, the effect will be greater than if it were a standalone application. And the more popular a given component is, the more attractive a supply chain target it becomes.

That is why these criteria are also considered:

  • How many and what types of users will be affected by improved security?
  • Will the improvements have a significant impact on infrastructure and user safety?
  • How serious or far-reaching would the implications be if the project were compromised?
  • Is the project one of the most-used packages in the Harvard 2 Census Study, or does it have an OpenSSF Criticality Score of 0.6 or higher?

In broad strokes, a software project applies for funding to address a security issue. The application is reviewed, and topics such as how critical the project is, what improvements are being made, and who will do the work are considered. The review board members come from the Linux Foundation and the Google Open Source Security Team.

To be considered, a proposal should include improvements from this list:

  • Hardening the supply chain, including CI/CD pipelines and distribution infrastructure, in accordance with the Supply-chain Levels for Software Artifacts (SLSA) framework.
  • Adopting software artifact signing and verification techniques, e.g. the sigstore tools.
  • Project improvements that result in a higher OpenSSF Scorecard result. Scorecard identifies the open source dependencies of a project and lists them.
  • Using OpenSSF Allstar to harden GitHub repositories.
  • Earning a CII Best Practices badge by adopting industry best practices.

Rewards are scoped and distributed according to the complexity and merit of the security improvement and the potential impact of a successful attack on the wider community.

  • $10,000 or more: Complex, high-impact, and long-term improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
  • $5,000–$10,000: Moderately complex improvements that offer compelling security benefits.
  • $1,000–$5,000: Improvements of modest complexity and impact.
  • $505: Small improvements that still have merit from a security standpoint.

Reporting procedures must be agreed upon and followed. The program’s reviewers will monitor the progress of the improvements and verify that they are actually being made. It’s not just free money.

Why this is important

“We expect attackers to continue to target upstream software supply chain assets at scale,” the Sonatype report says.

Because open source is used so widely in the development of both open and proprietary products, that scale is huge. Open source has permeated the technological fabric of our modern world to an astonishing extent. In fact, that technological fabric is now entirely dependent on open source.

Initiatives such as sigstore and Allstar are designed to support the entire open source movement. Other tools, such as preflight, are aimed at the user level. This new initiative complements both approaches and strikes at the root of the problem.

If you improve the code and the development infrastructure and address the vulnerabilities, there will be fewer opportunities for attackers, and that will reduce the number of compromises.

Secure Open Source Rewards is not about big prize money. It’s about providing the resources to deal with problems. Fixing code, hardening CI/CD pipelines and source code repositories, and using software artifact signing and verification schemes will change the security posture of open source.
