Traditional open source security stacks were built for traditional security challenges, and can fall short against emerging threats such as those posed by the software supply chain.
The software supply chain extends from the code an organization imports (especially open source packages and their dependencies), through the build systems that turn that code into artifacts, to the built artifacts and applications it deploys.
The good news is that there is an ever-growing list of open source tools emerging to address security weaknesses in the software supply chain. The bad news is that software supply chain attacks are growing even faster, which suggests that too many organizations have yet to implement sufficient tools and processes to mitigate the threat.
Additionally, attacks against software supply chains are becoming more sophisticated, and have been declared a matter of national security. As a result, governments around the world are crafting legislation that will hold organizations accountable for the security of the applications they build and deploy. In other words, the pressure on organizations to secure their software supply chains is growing from all directions.
Addressing known vulnerabilities tends to be top of mind, but that leaves less time and fewer resources for the threats that lie below the surface, where they often go unseen. Broadly, these include:
- Newly created open source packages containing malicious code, uploaded to public repositories to pollute the ecosystem.
- Malicious packages whose names mimic popular packages (typosquatting), which can lead developers to compromise their own applications with a single mistyped install command.
- Tampering with build systems in order to infect built artifacts with backdoors, trojans, etc., which give attackers a potential entry point once the artifact is deployed.
These emerging threat vectors, together with the reticence of organizations to patch or upgrade vulnerable dependencies for fear of breaking the build, not only expose organizations to attack but also create a growing technical debt that further burdens them, stacking the odds in favor of attackers.
Your open source security stack needs to be designed to stack the odds back in your favor by:
- Checking the integrity of every component across the software development process.
- Utilizing signed software attestations for all artifacts to establish where each artifact came from and how it was built, and to guard against tampering.
- Enforcing best practices that support not only established guidance such as NIST's Secure Software Development Framework (SSDF) but also emerging supply chain security frameworks like Supply-chain Levels for Software Artifacts (SLSA).
- Tracking and remediating issues in built artifacts and released applications as they arise, using standard formats (e.g., SBOMs) and processes (e.g., vulnerability remediation).
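The first item above, checking the integrity of every component, is concrete enough to show in code. The following is an added example (not from the original post or from any tool it lists): it verifies fetched dependency archives against a hash-pinned lockfile in the style of pip's `--require-hashes`, rejecting anything unpinned (which is how a typosquatted or newly published package gets stopped) and anything whose digest does not match (a tampered or substituted archive). The archives and lockfile are constructed inline, so nothing touches the network.

```python
"""Verify fetched dependency archives against a hash-pinned lockfile.

Added example, not from the original post. The lockfile format mirrors
pip's --require-hashes style (name==version --hash=sha256:<hex>) and the
"archives" are constructed bytes standing in for downloaded packages.
"""
import hashlib
import re

# One pinned requirement per line; every line must carry at least one hash.
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _normalize_name(name: str) -> str:
    # PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> dict:
    """Return {normalized name: (version, {allowed sha256 hex digests})}.

    Rejects unpinned or hash-less lines outright: a single loose line
    ("flask>=2.0") would let the resolver pick whatever the index serves.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        pins[_normalize_name(m.group("name"))] = (m.group("version"), digests)
    return pins


def verify_downloads(pins: dict, downloads: dict) -> dict:
    """Check every fetched archive ({name: bytes}) against the lockfile.

    Returns {name: status}. Unpinned names are rejected (stops look-alike or
    newly published packages), digest mismatches are rejected (tampered or
    substituted archive), and pins with no download are reported as missing.
    """
    results = {}
    seen = set()
    for name, data in downloads.items():
        key = _normalize_name(name)
        seen.add(key)
        if key not in pins:
            results[name] = "REJECT: not in lockfile"
            continue
        version, digests = pins[key]
        results[name] = f"ok {version}" if sha256_hex(data) in digests else "REJECT: hash mismatch"
    for key in pins:
        if key not in seen:
            results[key] = "MISSING: pinned but not fetched"
    return results


# Constructed sample data: a "good" archive, the lockfile that pins it,
# a tampered copy of the same archive, and (in the demo) a look-alike name.
GOOD_ARCHIVE = b"PK\x03\x04 requests-2.31.0 (constructed stand-in for a wheel)"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# injected payload"
LOCKFILE = (
    "# generated by an assumed lock step; the hash comes from the vetted build\n"
    f"requests==2.31.0 --hash=sha256:{sha256_hex(GOOD_ARCHIVE)}\n"
)

if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    print(verify_downloads(pins, {"requests": GOOD_ARCHIVE}))
    print(verify_downloads(pins, {"requests": TAMPERED_ARCHIVE}))
    print(verify_downloads(pins, {"requestz": GOOD_ARCHIVE}))
```

The important design choice is that a missing pin is a hard failure rather than a warning: once any unpinned requirement is tolerated, the resolver is free to fetch whatever the index serves for that name, and the integrity check no longer covers every component.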
While there are numerous commercial solutions that can help address software supply chain security, this blog is focused on the open source tools that can provide similar solutions without locking you into a proprietary platform.
Open Source Software Supply Chain Security Tools
The list of open source software supply chain tools is far too extensive to cover in this article. Instead, we’ll focus on two key areas that can help you get started on the path to securing your software supply chain, namely:
- Observability – you can’t secure what you don’t know you have. The tools here gather metadata about your dependencies so you can verify their security and integrity, or else point out shortcomings that need to be addressed.
- Reproducibility – given the same inputs to a build process, you should always get the same outputs. Without this kind of reproducibility you cannot tell a legitimate rebuild from a tampered one, so no software artifact can be deemed trustworthy from one build to the next.
Open Source Observability Tools
Observability refers to tools that provide visibility into the open source components that typically comprise more than 80% of modern applications. Visibility provides insight into how the components are licensed, which are well-sourced, and which contain known vulnerabilities.
- SBOM Tools – a Software Bill Of Materials (SBOM) lists all the ingredients in a piece of software. There are numerous open source tools and free services that can generate SBOMs for each open source language ecosystem, as well as numerous multi-language tools that can generate SBOMs in multiple formats. Some examples include:
  - Microsoft’s SBOM tool, which can create SPDX 2.2-compatible SBOMs for a variety of artifacts.
  - Anchore’s SBOM GitHub Action, which runs a Syft scan of a designated workspace directory within your GitHub Actions workflow and then uploads the resulting SBOM as a workflow artifact in SPDX format.
  - Mend (formerly WhiteSource) SBOM Generator, which generates SBOM reports in either SPDX or CycloneDX format. It can be executed either via CLI or as a Docker container.
- SCA Tools – Software Composition Analysis (SCA) tools provide a list of the components in your project along with key metadata for each, such as the open source license and any known vulnerabilities. Examples include:
  - LunaTrace, a security audit tool that tracks your projects’ dependencies in order to discover vulnerabilities and other issues. It integrates with GitHub Pull Requests to notify you of new CVEs before you deploy to production.
  - OWASP dep-scan, a security audit tool that checks project dependencies against known vulnerabilities, advisories, and license limitations. It can also output SBOMs and Vulnerability Exploitability eXchange (VEX) information.
  - Snyk Open Source, which can be integrated with your GitHub or Bitbucket repos (or used as a CLI tool) to find and automatically fix vulnerabilities in your open source dependencies. Note that while the CLI is open source, the service behind it is commercial and the free tier is limited to 200 tests per month.
- Attestation Tools – a software attestation is signed evidence about how an artifact was built and where its source came from, allowing consumers to better understand the risk of incorporating it into their codebase. Examples include:
  - TestifySec Witness, which provides a framework for automating, normalizing, and verifying software attestations in the in-toto format.
  - GitHub Actions Attestations, an action you can add to your GitHub Actions workflow in order to generate signed SLSA build provenance attestations.
  - GitLab Runner Attestations, which generate SLSA provenance metadata for all build artifacts in the in-toto format.
Once you have the information generated by these tools, you may want to make sense of it all with a tool like:
- GUAC or Graph for Understanding Artifact Composition aggregates software security metadata (such as attestations, SBOMs, VEX, Open Source Vulnerability (OSV) data) into a graph database that you can query to understand your full dependency tree and the security stance of each component.
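The aggregation step that GUAC performs at scale can be shown in miniature. The following is an added example (not from the original post or from GUAC, dep-scan, or any other tool listed above): it joins a CycloneDX SBOM with an advisory feed laid out in the OSV schema (package, ranges, introduced/fixed events) and a CycloneDX VEX document, and produces a triaged list in which findings the supplier has marked `not_affected` are suppressed rather than silently dropped. All three documents and every identifier (`EXAMPLE-*`) are constructed for the demo; version ranges are evaluated with a simple numeric comparison, which is sufficient for the dotted versions used here.

```python
"""Join an SBOM, an advisory feed and a VEX document into a triaged finding list.

Added example, not from the original post or any listed tool. SBOM and VEX are
constructed CycloneDX documents; advisories use the OSV package/ranges/events
layout. All identifiers are made up.
"""
import json

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1", "bom-ref": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.4",
         "purl": "pkg:pypi/urllib3@1.26.4", "bom-ref": "pkg:pypi/urllib3@1.26.4"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "bom-ref": "pkg:npm/lodash@4.17.20"},
    ],
})

ADVISORIES = [  # OSV-shaped, constructed
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "urllib3"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.26.5"},
                                                     {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}]}]},
    {"id": "EXAMPLE-0003", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
]

VEX_JSON = json.dumps({  # supplier says the vulnerable urllib3 code path is not reachable
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{"id": "EXAMPLE-0002",
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
        "affects": [{"ref": "pkg:pypi/urllib3@1.26.4"}]}],
})

PURL_TYPE_TO_OSV = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "maven": "Maven", "cargo": "crates.io"}
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved"}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions; a leading non-numeric part of a segment counts as 0."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, events: list) -> bool:
    """Walk the OSV events in order; the last boundary at or below the version wins."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def component_key(component: dict) -> tuple:
    """(OSV ecosystem, lowercase name) from the purl; namespaces stay part of the name."""
    ptype, rest = component["purl"][len("pkg:"):].split("/", 1)
    name = rest.rsplit("@", 1)[0]
    return PURL_TYPE_TO_OSV.get(ptype, ptype), name.lower()


def triage(sbom_json: str, advisories: list, vex_json: str) -> list:
    """Return [{ref, id, status}] where status is 'actionable' or 'suppressed:<state>'."""
    sbom, vex = json.loads(sbom_json), json.loads(vex_json)
    suppressed = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state in SUPPRESSING_STATES:
            for target in vuln.get("affects", []):
                suppressed[(vuln["id"], target["ref"])] = state
    findings = []
    for comp in sbom["components"]:
        key = component_key(comp)
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"].lower()) != key:
                    continue
                if not any(is_affected(comp["version"], r["events"])
                           for r in aff.get("ranges", []) if r["type"] in ("ECOSYSTEM", "SEMVER")):
                    continue
                state = suppressed.get((adv["id"], comp["bom-ref"]))
                findings.append({"ref": comp["bom-ref"], "id": adv["id"],
                                 "status": f"suppressed:{state}" if state else "actionable"})
    return findings


if __name__ == "__main__":
    for finding in triage(SBOM_JSON, ADVISORIES, VEX_JSON):
        print(finding)
```

Two details are worth keeping when you scale this up: matches are keyed on the purl (ecosystem plus name), not on the display name, so `requests` on PyPI is never confused with a same-named package elsewhere; and VEX statements only suppress a finding for the exact `bom-ref` they reference, so a `not_affected` claim about one component version cannot quietly cover a later one.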
Open Source Reproducibility Tools
Reproducibility refers to the ability to create secure, reproducible builds of software artifacts in a scalable manner. This typically means vendoring all your open source dependencies (including transitive dependencies), ensuring the security and integrity of their source code, and then building all your dependencies from the vetted source using a hardened build service.
- Code Repositories are used for source code management, making them the natural place to store vendored dependency source code. Note that this means you are now responsible for patching and maintaining all of that third-party code. Examples include:
  - Git, a distributed version control system designed to handle everything from small to very large projects with speed and efficiency. It underlies the two most popular online code hosting services, GitHub and GitLab.
  - Subversion, a centralized version control system characterized by the simplicity of its model and its ability to scale from individual to enterprise projects.
  - CVS, a venerable version control system with a long history of helping distributed teams manage their code.
- Static Application Security Testing (SAST) tools scan source code for defects in order to check the integrity and security of the code you are about to build. While there are multiple tools for each language, there are also numerous multilingual SAST tools. Examples include:
  - CodeQL, the engine behind many of GitHub’s security offerings, which offers extensive support for multiple languages as well as a VS Code extension.
  - MegaLinter, which embeds 70+ linters in order to analyze code, IaC, configuration, and scripts in repository sources. It supports 55 languages and can be used as a GitHub Action or with any CI system.
  - Semgrep, a fast static analysis engine for finding bugs, detecting vulnerabilities in third-party dependencies, and enforcing code standards. It supports a wide range of languages.
- Software Build Systems typically take the form of a Continuous Integration (CI) system that can automate the build, test and delivery of software artifacts. To support security and integrity, the system should offer a declarative pipeline, i.e., one defined as configuration that lives in version control and is reviewed like code, with each stage broken down into discrete, auditable steps. Examples include:
  - Jenkins, perhaps the most popular automation server, which offers hundreds of plugins (including a declarative pipeline plugin) to support building, deploying and automating any project.
  - Spinnaker (originally from Netflix), a multi-cloud continuous delivery platform that provides a flexible pipeline management system with integrations for most major cloud providers.
  - Drone, an Apache 2.0 licensed open source CI platform in which each pipeline step is executed inside an isolated Docker container to limit what one step can do to the next.
- Signing Tools provide the ability to verify that a software artifact hasn’t been tampered with between the time it was built and the time it is used. Examples include:
  - Sigstore, which offers software signing via Cosign. Cosign can sign and verify artifacts with either locally generated key pairs or short-lived "keyless" certificates tied to an OIDC identity, and records signatures in Rekor, a public transparency log, so anyone can find and verify them.
  - Notary, which provides an implementation of The Update Framework (TUF) specification, most commonly used to verify the integrity and publisher of container images via Docker Content Trust. Its successor, Notation (the Notary Project), signs and verifies OCI artifacts.
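Reproducibility, as defined at the start of this section, fails in practice for mundane reasons: file timestamps, owner IDs and directory ordering leak into the archive even when every input byte is identical. The following is an added example (not from the original post or any listed tool) that makes this concrete. It writes two copies of a constructed source tree whose file timestamps differ, as two checkouts made on different days would, then packs each with a naive tar and with a tar that normalizes metadata in the way the Reproducible Builds project recommends. Only the normalized archives have identical digests. `SOURCE_DATE_EPOCH` is an assumed fixed build timestamp; real builds read it from the environment.

```python
"""Show why a normalized packaging step is needed for reproducible artifacts.

Added example, not from the original post or any listed tool. Two copies of a
constructed source tree are written with different mtimes, then archived with
a naive tar and with a metadata-normalizing tar; only the latter matches.
"""
import hashlib
import io
import os
import tarfile
import tempfile

SOURCE_DATE_EPOCH = 1_700_000_000  # assumed fixed build timestamp

# Constructed source tree: relative path -> contents.
FILES = {"src/app.py": b"print('hello')\n", "README": b"demo\n"}


def write_tree(root: str, mtime: int) -> None:
    for rel, data in FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))  # simulate a checkout made at a different time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_tar(root: str) -> bytes:
    """What most build scripts do: archive whatever the filesystem reports."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue()


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip everything that varies between otherwise identical checkouts."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    executable = info.isdir() or bool(info.mode & 0o100)
    info.mode = 0o755 if executable else 0o644
    return info


def reproducible_tar(root: str) -> bytes:
    """Same inputs -> byte-identical archive: sorted entries, fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # os.walk follows the in-place sort for traversal order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                arcname = os.path.relpath(full, root).replace(os.sep, "/")
                tar.add(full, arcname=arcname, recursive=False, filter=_normalize)
    return buf.getvalue()


def build_twice() -> dict:
    """Pack the same tree from two checkouts with different mtimes and compare."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, 1_600_000_000)
        write_tree(b, 1_650_000_000)
        naive = (sha256_hex(naive_tar(a)), sha256_hex(naive_tar(b)))
        repro = (sha256_hex(reproducible_tar(a)), sha256_hex(reproducible_tar(b)))
    return {
        "naive_identical": naive[0] == naive[1],
        "reproducible_identical": repro[0] == repro[1],
        "reproducible_digest": repro[0],
    }


if __name__ == "__main__":
    for key, value in build_twice().items():
        print(f"{key}: {value}")
```

The digest returned by `build_twice` is stable across machines and runs as long as the inputs are, which is exactly the property a signed attestation or a second, independent rebuild needs in order to confirm that an artifact was not tampered with.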
Once you have all these tools in place, you may want to enforce usage with a tool like:
- Open Policy Agent (OPA) which is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
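Whatever engine enforces it, the policy itself has to ask concrete questions of the attestations produced by the tools in the Observability section. The following is an added example (not from the original post, nor from OPA, Witness, GitHub, GitLab or Sigstore) of those checks written out in Python: it takes a constructed in-toto Statement (v1) carrying a SLSA provenance v1 predicate, wrapped in a DSSE envelope, and refuses the artifact unless the attestation's subject digest matches the artifact in hand, the builder is on an allowlist, and the source repository is the expected one. The envelope's signature is assumed to have been verified already by the signing tool in use (cosign, witness, or slsa-verifier); this is the policy layer that runs afterwards. Builder IDs, repository URLs and the key ID are assumed values.

```python
"""Policy checks on a SLSA provenance attestation before an artifact is admitted.

Added example, not from the original post or any listed tool. The attestation is
a constructed in-toto v1 Statement with a SLSA provenance v1 predicate inside a
DSSE envelope whose signature is assumed to have been verified upstream.
"""
import base64
import hashlib
import json

ARTIFACT = b"constructed stand-in for app-1.2.0.tar.gz"
TRUSTED_BUILDERS = {"https://builders.example.com/hardened-ci/v1"}  # assumed allowlist
EXPECTED_SOURCE = "git+https://github.com/example-org/app"            # assumed repo


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Construct an in-toto v1 Statement carrying SLSA provenance v1."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app-1.2.0.tar.gz", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builders.example.com/build-types/pipeline/v1",  # assumed
                "externalParameters": {"source": {"uri": source_uri, "digest": {"gitCommit": "0" * 40}}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def wrap_dsse(statement: dict) -> dict:
    """DSSE envelope as the signing tools emit it; 'sig' is a placeholder because
    signature verification is assumed to happen before this policy runs."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "assumed-ci-signing-key", "sig": "<verified upstream>"}],
    }


def unwrap_dsse(envelope: dict) -> dict:
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(envelope: dict, artifact: bytes,
                     trusted_builders=TRUSTED_BUILDERS, expected_source=EXPECTED_SOURCE) -> list:
    """Return the list of policy violations; an empty list means 'admit'."""
    violations = []
    stmt = unwrap_dsse(envelope)
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        violations.append(f"unexpected statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        violations.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
        return violations  # the predicate would not be SLSA-shaped; stop here
    # 1. The attestation must be about *this* artifact: bind by digest, never by file name.
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        violations.append("subject digest does not match the artifact being admitted")
    pred = stmt.get("predicate", {})
    # 2. Only builds from a trusted, hardened builder are accepted.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        violations.append(f"untrusted builder {builder!r}")
    # 3. The build must come from the expected source repository, pinned to a commit.
    source = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source", {})
    if not str(source.get("uri", "")).startswith(expected_source):
        violations.append(f"unexpected source {source.get('uri')!r}")
    if not source.get("digest"):
        violations.append("source is not pinned to a commit digest")
    return violations


GOOD_ENVELOPE = wrap_dsse(make_statement(ARTIFACT, "https://builders.example.com/hardened-ci/v1", EXPECTED_SOURCE))

if __name__ == "__main__":
    print("good artifact:", check_provenance(GOOD_ENVELOPE, ARTIFACT))
    print("tampered artifact:", check_provenance(GOOD_ENVELOPE, ARTIFACT + b"x"))
```

The order of the checks matters less than their independence: a tampered artifact fails on the digest even when the attestation is genuine, and a genuine artifact built on an untrusted machine fails on the builder even when the digest matches. Expressed in Rego, the same three conditions become the `allow` rule an OPA-based admission controller would evaluate.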
Conclusions – Open Source Best-in-Class Security Tools
The open source tools listed here just scratch the surface of what it means to implement a secure software supply chain. There are additional stages in the software development process (vulnerability remediation, software/update deployment, etc) that you’ll want to consider in addition to the traditional tools and best practices you already use. For more information, refer to our Journey to Software Supply Chain Security eBook.
But implementing and integrating multiple open source tools into a comprehensive software supply chain security solution can be very time and resource consuming, especially as versions change and integrations break. For organizations with limited resources, adopting a platform based on open source principles may be the best way forward.
ActiveState provides a comprehensive platform that automates:
- Dependency vendoring.
- Securely building Python, Perl, Ruby and Tcl dependencies from source code using a cloud-based, hardened build service.
- Generating SBOMs, as well as Provenance and Verification Summary Attestations (VSA).
- Vulnerability scanning, notification and rapid remediation.
In this way, many of the observability and reproducibility benefits can be derived from a single platform that can be integrated with your existing software development process in a matter of days.