The White House wants government and private sector organizations to expedite their efforts to secure open-source software and corresponding supply chains following the Log4J vulnerabilities that exposed critical infrastructure to threat actors' attacks. This topic was discussed during the Open Source Software Security Summit convened by the Biden administration on Thursday, January 13, 2022.
The White House Software Security Summit brought together officials from various government agencies that deal with national security and technology, like Deputy National Security Advisor Anne Neuberger and National Cyber Director Chris Inglis. They were joined by representatives from major software companies—including Akamai, Amazon, Apple, GitHub, Google, Meta, Microsoft, and RedHat—as well as members of the open source software community, such as the Apache Software Foundation and the Linux Foundation.
According to the readout of the White House meeting, “The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.”
The Summit took place in the aftermath of the significant vulnerability in the Log4J logging framework for Java applications, which is widely used in enterprise applications. While the vulnerability has reportedly not yet led to a major compromise, according to US officials, the issue will likely take years to remediate because of its ubiquity.
Vulnerabilities in widespread software packages are not new. The 2014 Heartbleed vulnerability in OpenSSL and the 2018 Spectre and Meltdown vulnerabilities demonstrated that security issues found in ubiquitous software and firmware have a lasting impact.
“Software is ubiquitous across every sector of our economy… Most major software packages include open source software—including software used by the national security community. Open source software brings unique value, and has unique security challenges,” reads the Summit readout.
The summit aimed to find ways for government and industry to work together to improve the security of open source code. According to the meeting readout, “participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities.”
The importance of code signing grows as software supply chains become more complex and applications become more central to the productivity of digitally transformed businesses. Tampered or infected code can result in financial losses, large-scale disruption of operations, and even national security risks.
Without robust policies for hardening the code signing process, organizations expose themselves to a high level of avoidable and unnecessary risk. Code signing as a concept provides sufficient safeguards to establish the authenticity and integrity of the applications an organization produces. The problem lies in the implementation details. Many organizations fail to establish a root of trust in which code signing keys and certificates are protected, and many lack well-defined roles and responsibilities for who approves a signing operation.
One effective approach software teams can take is to “sign early, sign often” on every artifact the software build process uses. Code signing should not be applied only to the final product, but to all intermediate artifacts as well, including source code, build scripts, recipes, deployment containers, and third-party tools used by the development team.
“What’s important now, in a world of millions of software projects and developers, is to help scale up what used to be informal, high-trust processes along this chain into more rigorous, automatable tools and practices,” says Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF).
Shortly after the SolarWinds compromise became public last year, Venafi began working with leaders in the software security and software development sectors to create an open source architectural blueprint for securing software build pipelines. The controls it defines can be used to measure the security of the software any organization develops.
To implement a “sign early, sign often” approach, businesses can leverage the controls defined by Venafi and Veracode with support from Sophos and Cloudbees. Venafi invites contributions from industry leaders, individuals and academia. To contribute to this blueprint or for more information, visit: https://github.com/Venafi/blueprint-securesoftwarepipeline.
The blueprint minimizes the risk of a supply chain attack by securing continuous integration and continuous deployment (CI/CD) build pipelines. It does so by requiring continuous authentication and software testing throughout the pipeline as the software is built, covering both the organization's own artifacts and any third-party software incorporated into them.
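The “sign early, sign often” practice and the continuous authentication of artifacts as they move through the pipeline, described in the two passages above, reduce to a simple loop: each stage signs what it produces, and the next stage refuses to consume anything whose digest or signature no longer checks out. The following Go program is an added illustration of that loop and is not code from the original article or from the Venafi blueprint. It uses Ed25519 from the Go standard library in place of a PKI-backed certificate, and the artifact contents, names, stages, and the fixed signing seed are all constructed for the example; a real pipeline would keep the private key in an HSM or signing service rather than in source.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is any input to or output of the build that deserves a signature:
// source files, build scripts, container images, third-party tools.
type Artifact struct {
	Name    string
	Stage   string // pipeline stage that produced the artifact
	Content []byte
}

// SignedEntry is one record in the pipeline's signed provenance manifest.
type SignedEntry struct {
	Name      string
	Stage     string
	Digest    string // hex SHA-256 of Content
	Signature []byte // Ed25519 signature over stage, name and digest
}

// signedMessage binds the digest to the artifact name and stage, so a valid
// signature on one artifact cannot be replayed onto another.
func signedMessage(stage, name, digest string) []byte {
	return []byte(stage + "\x00" + name + "\x00" + digest)
}

// SignArtifacts signs every artifact as it is produced ("sign early, sign often").
func SignArtifacts(priv ed25519.PrivateKey, arts []Artifact) []SignedEntry {
	entries := make([]SignedEntry, 0, len(arts))
	for _, a := range arts {
		sum := sha256.Sum256(a.Content)
		digest := hex.EncodeToString(sum[:])
		sig := ed25519.Sign(priv, signedMessage(a.Stage, a.Name, digest))
		entries = append(entries, SignedEntry{Name: a.Name, Stage: a.Stage, Digest: digest, Signature: sig})
	}
	return entries
}

// VerifyArtifacts is what the next stage runs before consuming any input:
// every artifact needs a manifest entry, its content must still hash to the
// recorded digest, and the signature must verify under the trusted public key.
func VerifyArtifacts(pub ed25519.PublicKey, arts []Artifact, entries []SignedEntry) error {
	byKey := make(map[string]SignedEntry, len(entries))
	for _, e := range entries {
		byKey[e.Stage+"\x00"+e.Name] = e
	}
	for _, a := range arts {
		e, ok := byKey[a.Stage+"\x00"+a.Name]
		if !ok {
			return fmt.Errorf("%s/%s: unsigned artifact", a.Stage, a.Name)
		}
		sum := sha256.Sum256(a.Content)
		if hex.EncodeToString(sum[:]) != e.Digest {
			return fmt.Errorf("%s/%s: content changed after signing", a.Stage, a.Name)
		}
		if !ed25519.Verify(pub, signedMessage(e.Stage, e.Name, e.Digest), e.Signature) {
			return fmt.Errorf("%s/%s: bad signature", a.Stage, a.Name)
		}
	}
	return nil
}

// RunPipelineDemo signs a constructed set of artifacts, verifies them, then
// modifies the build script and shows that verification rejects it.
// It returns (clean manifest verified, tampered artifact detected).
func RunPipelineDemo() (bool, bool) {
	// Constructed fixed seed so the example is reproducible; never do this in production.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed sample artifacts covering three pipeline stages.
	arts := []Artifact{
		{Name: "main.go", Stage: "source", Content: []byte("package main\nfunc main() {}\n")},
		{Name: "build.sh", Stage: "build", Content: []byte("#!/bin/sh\ngo build ./...\n")},
		{Name: "app:1.0", Stage: "image", Content: []byte("sha256:constructed-image-digest")},
	}
	entries := SignArtifacts(priv, arts)
	cleanOK := VerifyArtifacts(pub, arts, entries) == nil

	// Simulate an unsigned change to the build script between stages.
	tampered := make([]Artifact, len(arts))
	copy(tampered, arts)
	tampered[1].Content = []byte("#!/bin/sh\necho injected step\ngo build ./...\n")
	tamperDetected := VerifyArtifacts(pub, tampered, entries) != nil
	return cleanOK, tamperDetected
}

func main() {
	clean, tamper := RunPipelineDemo()
	fmt.Printf("clean manifest verifies: %v; tampered build script rejected: %v\n", clean, tamper)
}
```

The manifest is the piece worth keeping: signing only the final binary would still accept the modified build script, because nothing attests to the intermediate inputs; signing each stage's output and verifying it at the next stage is what makes the change visible.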
As an example of one security control, Venafi is integrated within the GitLab environment so developers can easily sign their source code and other build artifacts without needing to know anything about PKI, code signing certificates, or code signing keys.