"Software Supply Chain Chalks Up a Security Win With New Crypto Effort"

Organizations that host significant parts of the open-source software supply chain continue to implement security measures that provide developers and maintainers with more tools to protect their projects from attacks and malicious code commits. GitHub has announced that the company, which owns and maintains the Node Package Manager (npm) service, had requested feedback from developers on a plan to adopt sigstore, which simplifies the signing of code components produced by projects and links them back to the source code. Since individual maintainers no longer have to manage their own cryptographic infrastructure, the sigstore project has made digitally signing source code easier. According to Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF), which maintains sigstore with the Linux Foundation, the technology service allows software developers to confirm what code was used to generate a specific software application or component. The proposal is the latest attempt to provide tools to developers in order to secure the software supply chain. GitHub's npm, the Python Package Index (PyPI), and others have already urged developers to use two-factor authentication (2FA) to protect their accounts from a simple credential-based attack. GitHub, for example, has already made 2FA mandatory for the top 500 most popular npm projects and plans to make it mandatory for any project with more than a million downloads per week. Another critical step is to implement the digital signing of software packages. Sonatype, a software security firm, announced in March that it planned to integrate sigstore into its Maven Central platform. Sonatype maintains Maven, the most popular source of Java software components. PyPI has a specification called The Update Framework (TUF) that requires the digital signing of software packages, and the repository is working on a sigstore module. The ability to verify that a program or executable originated from a specific source code repository is an important step in securing the software supply chain. When package maintainers choose to participate in this system, consumers of their packages can be more confident that the contents of the package match the contents of the linked repository. Historically, it was difficult to link packages back to the source code because each project had to register and manage their own cryptographic keys. This article continues to discuss new efforts to bolter software supply chain security.

Dark Reading reports "Software Supply Chain Chalks Up a Security Win With New Crypto Effort"