Supply chain attacks are skyrocketing, and open-source projects are the most common point of infiltration. The Linux Foundation, sponsored by Google, helps open-source projects protect themselves—and everyone else.

Supply Chain Attacks

Until very recently, if you were involved in cybersecurity and found yourself trying to explain supply chain attacks to someone you probably used the Stuxnet attack as an example. Now, you have any number of examples to choose from.

Everyone has heard of the Solarwinds and Codecov attacks because they were headline-grabbing, sophisticated attacks with a wide reach. But these two examples are a drop in the ocean of attacks of this type.

Supply chain attacks poison the buffet. Anyone who eats from the buffet consumes the poison. The host of the buffet isn’t the target. The targets are everyone who is invited to the feast. If the attackers can compromise a software toolkit or library that is used in many other applications and systems, they have managed to compromise all the users of those other products.

Open-source and closed-source products are both at risk. There have even been cases where laptops were produced with hard drive images cloned from a compromised golden image, baking malware right into the hardware.

But because open-source projects give everyone access to the source code and the ability to submit contributions to the project, they are an ideal attack vector for cybercriminals.  And targeting open-source becomes ever more attractive as the use of open-source components continues to snowball. Almost all non-trivial development projects use open-source assets. The digital infrastructure of the modern world relies on open-source.

According to a report by Sonatype the use of open-source is still accelerating. That’s great for open-source. What isn’t so great is the concomitant increase in supply chain attacks using open-source as its attack vector. There has been a 650% increase in supply chain attacks year on year, including dependency confusiontyposquatting, and code injection.

We’ve previously described steps you can take in-house to try to limit your exposure to supply chain attacks, using utilities such as preflight. We’ve also reported on programs that are being implemented at an industry level, such as the Linux Foundation’s sigstore initiative which is being jointly developed by Google, Red Hat, and Purdue University, IN.

The Secure Open Source program is a new initiative run by the Linux Foundation with a $1 million sponsorship from the Google Open Source Security Team.

Secure Open Source Rewards

The pilot program is focused on enhancing the security of critical open-source projects. The definition of critical is the U.S. government’s definition, which was drafted to supplement Executive Order 14028. Their definition ranks software as critical if one or more of its software components has any one of the following attributes:

  • It is designed to run with elevated privilege or manage privileges
  • It has direct or privileged access to networking or computing resources
  • It is designed to control access to data or operational technology
  • It performs a function critical to trust
  • It operates outside of normal trust boundaries with privileged access

Another important factor is the potential impact of the issue on consumers of the software. Who will be affected, in what numbers, and how? If the software in question is incorporated into other open-source projects its impact will be higher than if it is a standalone application. And the more popular a given component is, the more attractive it is for a supply chain attack.

That’s why these criteria will also be considered:

  • How many and what types of users will be affected by the security improvements?
  • Will the improvements have a significant impact on infrastructure and user security?
  • If the project were compromised, how serious or wide-reaching would the implications be?
  • Is the project included in the Harvard 2 Census Study of most-used packages, or does it have an OpenSSF Critically Score of 0.6 or more?

In broad strokes, a software project can apply for funds to allow them to rectify a security issue. The application is reviewed and topics such as how critical the project is, what the remediation or improvements are, and who will do the work are considered. The evaluating board members will be Linux Foundation and Google Open Source Security Team personnel.

To be viewed favorably, a proposal should include improvements from this list:

  • Supply chain hardening, including CI/CD pipelines and distribution infrastructure in line with the Supply-chain Levels for Software Artifacts (SLSA) framework.
  • Adopting software artifact signing and verification techniques, such as the sigstore tools.
  • Project improvements that result in a higher OpenSSF Scorecard result. Scorecard detects and lists the dependencies with open-source projects.
  • Using OpenSSF Allstar to harden GitHub repositories.
  • Earning a CII Best Practice Badge by adopting industry best working practices.

The rewards are banded and dispensed according to the complexity and merits of the security improvements and the potential impact of a successful attack on the wider community.

  • $10,000 or more: Complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure
  • $5,000-$10,000: Moderately complex improvements that offer compelling security benefits
  • $1,000-$5,000: Submissions of modest complexity and impact
  • $505: Small improvements that nevertheless have merit from a security standpoint

Reporting mechanisms must be agreed upon and adhered to. These will monitor the progress on the fixes, and verify they are actually taking place. This isn’t just free money.

Why This Matters

The Sonatype report reads “…we expect that attackers will continue to target upstream software supply chain assets as a preferred path to exploiting downstream victims at scale.”

Because of the widespread use of open-source in the development of open and proprietary products, that scale is huge. Open-source has permeated the technological fabric of our modern world to an astonishing degree. In fact, that technological fabric now utterly depends on open-source.

Initiatives like sigstore and Allstar have been designed to provide help to the entire open-source movement. Other tools such as preflight are deployed at the consumer level. This new initiative complements both approaches and attacks the problem at its very root.

If you improve the code and the development infrastructure and remove the vulnerabilities there will be fewer possible exploits. That will drive down the number of compromises.

The Secure Open Source Awards isn’t a bug bounty. It’s about providing resources to tackle problems. Addressing issues in the code, hardening the CI/CD pipelines and source code repositories, and using a software artifact signing and verification scheme will transform the position open-source finds itself in.

Profile Photo for Dave McKay Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. His writing has been published by  howtogeek.com, cloudsavvyit.com, itenterpriser.com, and opensource.com. Dave is a Linux evangelist and open source advocate.
Read Full Bio »