The software supply chain is a central element for companies, but also particularly vulnerable to cyberattacks.
In the race for competition, the choice of companies is increasingly focused on specialized software solutions, gradually transforming IT ecosystems into real patchworks of systems from different suppliers. This diversity greatly complicates maintaining data security, multiplying the number of trust relationships needed and creating more potential entry points for attacks. The speed of propagation of attacks is further accelerated due to the deep integration of the systems, to optimize performance and productivity as much as possible.
We are seeing more and more examples of supply chain attacks that leverage third-party software to infiltrate a business. Malicious code, for example, was introduced in 2020 in a SolarWinds software update and penetrated the systems of various branches of the United States federal government, then spread globally, infecting some 18,000 companies. . More recently, in March 2021, a vulnerability in Microsoft Exchange Server software threatened the security of more than 20,000 American businesses. It is also via supply chain partners, generally considered harmless, that the risk spreads, as evidenced by the example of the attack carried out on the supply chain of CodeCov, a software for developers, which allowed hackers to take control of the company’s customer supply chains.
Despite the risks associated with the supply chain, it is inconceivable to give up the advantages of new technologies. Faced with this daily dilemma, software developers must choose between compliance with the highest security standards and more autonomy.
To reconcile these two opposing approaches, the code signing process, which makes it possible to prove that software has not been altered or corrupted before its deployment, must be redesigned.
Indeed, traditional code signing techniques use cryptographic keys to prove the identity of the author of the code or the integrity of the content of a software deliverable. It is up to the developers to generate these keys to maintain their security. Faced with this responsibility and this additional task, some decide not to sign their codes (which is bad for security) or to write less (which is bad for innovation). Whichever approach is chosen, it does not have a beneficial effect on the developer community. The question of the provenance of software, most of which is designed on open source principles and can be modified by any user, is increasingly crucial. Proprietary software, which uses more and more open source code, is not spared either.
In this context, the open source community has a big role to play in showing leadership and simplifying the code signing environment for developers; this happens, for example, by replacing permanent keys with ephemeral keys linked to existing identification elements (on the same model as e-mail address or social network identifiers), or by producing a public and immutable log listing all activities. These two tools relieve developers of the burden of code signing, and let them focus on their core business, while strengthening system security.
What does the software supply chain actually include? It is a variety of types of environments, from the developer to the end customer, and from source code to delivery, including construction, dependencies, assembly, packaging . Due to the unlimited multiplication of the number of connected objects, these chains therefore have a greater risk of suffering a cyberattack. More efforts are therefore needed to minimize damage to supply chain security.
To solve this problem, members of the Open Source community are working hard and implementing many projects to improve the security of the supply chain as a whole, among which sigstore, slsa.dev or even CycloneDX.