They also point to how sigstore might be deployed as an integrated feature within broader technology. These are not only important predictors of success. The scope has expanded too, with sub-projects now gaining a life of their own, such as Cosign (for container and general software artefact signing), Rekor (a transparency log) and Fulcio (a certificate authority) and collaborations have begun with other open source initiatives, notably Tekton Chains (an offshoot of the Tekton CI/CD project). Since sigstore launched in 2019, its founding members - Red Hat, Google and Purdue University - have been joined by other organisations, and the project has moved under the auspices of The Linux Foundation. What’s more, a system that doesn’t rely on keys that can be stolen or lost is inherently safer. Both essentially take the burden for software signing away from developers, freeing them up to do what they’re best at. It also produces a public and immutable log of all activity. The project - named sigstore - replaces the long-lived keys with ephemeral keys linked to existing identifiers (think email addresses and social media logins). That said, it is the open source community that is taking the lead in devising a more developer-friendly software signing environment. And this applies just as much to proprietary software, which increasingly leverages open source code. When much of the world’s software today is built with open source principles, where anyone can take the code and adapt it, the question of provenance becomes paramount. Both have knock-on effects for other developers. Some may view the burden as too much, and stop signing the code they write (bad for security) or write less code (bad for innovation). That places a burden on the developer to generate keys and then keep them safe. Traditional code signing techniques use cryptographic keys to verify the author and the integrity of the content of a software repository, for instance. One way to reconcile these seemingly opposed drives is to rethink software signing, the process of providing undeniable proof that software has not been altered or corrupted prior to deployment. In day-to-day terms, this perception can force software developers to make a choice - make the effort to comply with the highest security standards, or free yourself of the inconveniences and friction and focus on creativity instead. This is the dichotomy that many organisations present themselves with. Whereas the risks from software supply chain attacks are unignorable, so are the promises of technological prowess. Supply chain security has become such hot news that it is the subject of a new Executive Order straight from the White House. One of the largest ever data breaches in history, the 2013 attack on US retailer Target, was achieved by hacking into their partner’s air conditioning software. It isn’t uncommon for relatively innocuous supply chain partners to pose the most risk. As CISA has noted, “a much smaller number have been compromised by follow-on activity on their systems”. SolarWinds also announced“the actual number of customers who were hacked through SUNBURST to be fewer than 100”. In March this year, more than 20,000 US organisations were compromised through a vulnerability in Microsoft’s Exchange Server. In 2020, malicious code injected into a SolarWinds software update spread first through US federal government departments, before going global to infect around 18,000 organisations. While 18,000 customers downloaded the impacted version of SolarWinds’ software, a far smaller number were actually targeted by the attackers. Supply chain attacks, which use third-party software to infiltrate an organisation, have become prevalent. And with businesses employing deeper integrations between systems to optimise performance and productivity, an attack can quickly spread. More solutions increases the number of trust relationships and gives intruders more potential entry points to strike from. As a result, their IT landscapes have become a patchwork of different vendor systems. In the race for competitive gains, businesses are increasingly turning to specialist software solutions. By: Axel Simon, Open Source Security, Office of the CTO, Red Hat
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |