The common denominator in each case is the fragility of the open source supply chain. Specifically, in the case of the cyberattacks, bad actors compromising the upstream development environment of software vendors, who then propagate compromised software downstream to their tens of thousands of customers: local attacks with global impacts.
- Provenance – the ability to identify the origin of the source code used to build your software.
- Verifiably Reproducible Builds – builds that not only produce the same bits every time given the same source code, but can also be verified as containing only code that came from the original source code.
- Signing (coming soon) – an encryption technique used to validate the authenticity and integrity of a software artifact.
The ActiveState Platform can dramatically improve the security and integrity of the open source code you import into your organization, how that code gets built into software artifacts, and then subsequently consumed.
Open Source Code Provenance
In software terms, provenance refers to the ability to identify the origin of open source code, whether that code originated from npm, PyPI, GitHub or a similar public repository.
Given the millions of open source software packages created by hundreds of thousands of authors, establishing provenance can be a challenge, especially in the face of threats like:
- Typosquatting – the practice of submitting malicious packages with similar names to highly popular ones (ie., Jango instead of Django). These similarly-named packages can be downloaded thousands of times before they’re found and deleted from the repository.
- Ownership – when authors and/or maintainers of an open source package move on, anyone can raise their hand and step into a role that gives them control of what gets released.
The ActiveState Platform can help you establish provenance for third party Python, Perl and Tcl packages through its native catalog, which provides a central repository that contains all of the most popular top level packages your projects require, along with their dependencies.
Additionally, the ActiveState Platform catalog provides a set of indemnified packages, which are versions of popular packages that ActiveState has identified as being well maintained and featuring licenses appropriate for creating commercial offerings.
Using only indemnified packages can help eliminate the use of typosquatted and/or poorly maintained packages in your organization.
Verifiably Reproducible Open Source Builds
Being able to verify that a build is reproducible provides organizations with the assurance that not only does the same source code “in” always result in the same software artifact “out,” but also that the artifact can be verified as containing only the original source code. This helps ensure that no malicious code has been introduced during the build process.
But depending on how you’ve set up your build environment, there may be a number of factors preventing you from creating verifiable builds, including:
- Malicious install scripts that pull in packages you don’t expect
- Unconstrained packages that do more than you expect
- Dynamic packages that include remote resources
Compounding these three factors is the issue of dependency confusion, which happens when namespacing is lacking. In these cases, your build process may end up pulling a similarly named package from a public software repository rather than your private, internal repository, potentially exposing you to compromised code.
In order to avoid these scenarios, the ActiveState Platform provides you with two key capabilities:
- Ephemeral, isolated and hermetic build environments that perform scripted builds, eliminating user input error, dependency confusion and the accidental inclusion of remote resources.
- Prebuilt, verifiably reproducible Python, Perl and Tcl runtime environments that can be pulled into your CI/CD pipeline, improving the security and integrity of CI/CD results.
Open Source Signing
Most developers tend to prefer working with precompiled binaries rather than building the open source packages they need from source code. This shortcut improves productivity, but since most public open source repositories don’t sign their packages, it introduces the potential of including compromised code into your application.
The technique of digital signing is a best practice that lets downstream consumers have confidence that the signed software originated with a trusted vendor, and that it hasn’t been tampered with. Of course, as the SolarWinds hack showed, signing is no guarantee if the compromise happens prior to the signing step.
While the ActiveState Platform doesn’t yet sign the packages it automatically builds from source code (coming soon!), it does verify all checksums internally so you can be confident your developers:
- Are always working with verified packages that have been built by ActiveState from source code, rather than installing pre-built, public binaries.
- Are working with a Python, Perl or Tcl-based development environment whose vulnerability status is always known, and who are empowered to simply point-and-click to automatically rebuild a secure version of their environment.
Conclusions: Implementing Open Source Supply Chain Security
As President Biden’s Executive Order makes clear, implementing open source security is a huge undertaking across multiple facets of software development, delivery and use. But of particular concern is the fact that supply chain threats are only growing, with a 430% increase in upstream open source attacks over the past year (see Sonatype’s State of the Software Supply Chain report for more information).
Instead of targeting each individual enterprise, hackers are moving up the chain and targeting the software vendors those enterprises use. Once a development environment has been compromised, patches and updates sent to the software vendor’s customer base become vectors for enterprise infiltration. As a result, software vendors are now effectively the frontline for enterprise security in 2021.
The ActiveState Platform can provide software vendors with three practical techniques they can implement today to greatly increase the security and integrity of their open source supply chain. By implementing all three, you have a way to ensure the security and integrity of the open source packages you import, build and use in your applications.
Ready to see for yourself? You can try the ActiveState Platform by signing up for a free account. Or contact Sales for a free demo and let us show you how you can secure your open source supply chain today.
Need more information about open source supply chain security? Read these: