White House Wants to Expedite Efforts on Writing Secure Code

January 27, 2022 | Anastasios Arampatzis

The White House wants government and private sector organizations to expedite their efforts to secure open-source software and corresponding supply chains following the Log4J vulnerabilities that exposed critical infrastructure to threat actors' attacks. This topic was discussed during the Open Source Software Security Summit convened by the Biden administration on Thursday, January 13, 2022.

Open source software security is critical

The White House Software Security Summit brought together officials from various government agencies that deal with national security and technology, like Deputy National Security Advisor Anne Neuberger and National Cyber Director Chris Inglis. They were joined by representatives from major software companies—including Akamai, Amazon, Apple, GitHub, Google, Meta, Microsoft, and RedHat—as well as members of the open source software community, such as the Apache Software Foundation and the Linux Foundation.

According to the readout of the White House meeting, “The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.”

The Summit took place in the aftermath of the significant vulnerability in the Log4J logging framework for Java applications, which is widely used in enterprise applications. While the vulnerability has reportedly not yet led to a major compromise, according to US officials, the issue will likely take years to remediate because of its ubiquity.

Vulnerabilities in widespread software packages are not new. The 2014 Heartbleed vulnerability in OpenSSL and the 2018 Spectre and Meltdown vulnerabilities demonstrated that security issues found in ubiquitous software and firmware have a lasting impact.

“Software is ubiquitous across every sector of our economy… Most major software packages include open source software—including software used by the national security community. Open source software brings unique value, and has unique security challenges,” reads the Summit readout.

Code signing for secure code development

The summit aimed to find ways for government and industry to work together to improve the security of open source code. According to the meeting readout, “participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities.”

The importance of code signing is growing as software supply chains become more complex and apps become more important for the productivity of digitally transformed businesses. Damaged or infected code can result in financial losses, large-scale disruption of operations, and even national security risks.

The lack of robust policies for hardening the code signing process can become troublesome and can expose organizations to a high level of avoidable and unnecessary risk. Code signing as a concept provides enough safeguards to secure the authenticity and integrity of produced apps. The problem, however, lies in the implementation details. Many organizations fail to establish a root of trust in which code signing keys and certificates are protected. In addition, roles and responsibilities are often not well defined, so it is unclear who approves each signing operation.

One effective approach software teams can take is to 'sign early, sign often' on all artifacts used by the software build process. Code signing should not be leveraged only on the final product but be applied on all intermediate artifacts, including source code, build scripts, recipes, deployment containers, and third-party tools used by the development team.
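The following Go program is an added illustration of the "sign early, sign often" pattern described above together with the root-of-trust point from the previous paragraph; it is not code from the article or from any Venafi product. It assumes a small pipeline with two stages, "source" and "build", each holding its own Ed25519 signing key, and constructs sample artifacts inline. Every artifact is signed by the stage that produces or admits it, and the consuming stage verifies the signature (bound to the stage name, artifact name and SHA-256 digest) before proceeding. The demo shows the two failure modes a practitioner cares about: an artifact modified after signing, and a signature made with a key that is not trusted for the claimed stage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is one input to the build: a source archive, a build script,
// a container image, or a third-party tool. Contents in this example are
// constructed sample bytes, not real build outputs.
type Artifact struct {
	Name    string
	Content []byte
}

// SignedArtifact records which stage signed which artifact, the artifact's
// SHA-256 digest, and the Ed25519 signature over all three fields.
type SignedArtifact struct {
	Stage  string
	Name   string
	Digest string
	Sig    []byte
}

// TrustRoot maps a stage name to the public key allowed to sign for it.
// The private halves stay with that stage (ideally in an HSM or a signing
// service); this map is the root of trust every consumer checks against.
type TrustRoot map[string]ed25519.PublicKey

// NewStageKey generates a fresh Ed25519 key pair for one pipeline stage.
func NewStageKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedMessage is the canonical byte string that is signed and verified.
// Binding stage and name to the digest stops a valid signature on one
// artifact from being replayed onto another.
func signedMessage(stage, name, digest string) []byte {
	return []byte(stage + "\x00" + name + "\x00" + digest)
}

func digestOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// SignArtifact is called by a stage as soon as it produces or admits an
// artifact ("sign early").
func SignArtifact(priv ed25519.PrivateKey, stage string, a Artifact) SignedArtifact {
	d := digestOf(a.Content)
	return SignedArtifact{Stage: stage, Name: a.Name, Digest: d,
		Sig: ed25519.Sign(priv, signedMessage(stage, a.Name, d))}
}

// VerifyArtifact is called by the next stage before it consumes an artifact.
// It rejects unknown stages, modified content, and signatures made with a
// key that is not trusted for the claimed stage.
func VerifyArtifact(root TrustRoot, s SignedArtifact, content []byte) error {
	pub, ok := root[s.Stage]
	if !ok {
		return fmt.Errorf("%s: no trusted key for stage %q", s.Name, s.Stage)
	}
	if d := digestOf(content); d != s.Digest {
		return fmt.Errorf("%s: content digest %s.. does not match signed digest %s..", s.Name, d[:12], s.Digest[:12])
	}
	if !ed25519.Verify(pub, signedMessage(s.Stage, s.Name, s.Digest), s.Sig) {
		return fmt.Errorf("%s: signature not valid for stage %q", s.Name, s.Stage)
	}
	return nil
}

// VerifyAll gates a stage: it returns the names of every artifact that fails
// verification, so the stage can refuse to run when the list is non-empty.
func VerifyAll(root TrustRoot, signed []SignedArtifact, contents map[string][]byte) []string {
	var failed []string
	for _, s := range signed {
		if err := VerifyArtifact(root, s, contents[s.Name]); err != nil {
			failed = append(failed, s.Name)
		}
	}
	return failed
}

func main() {
	srcPub, srcPriv, _ := NewStageKey()
	bldPub, bldPriv, _ := NewStageKey()
	root := TrustRoot{"source": srcPub, "build": bldPub}

	// Constructed sample artifacts standing in for a repository checkout.
	script := Artifact{Name: "build.sh", Content: []byte("#!/bin/sh\nmake all\n")}
	tool := Artifact{Name: "linter-1.2.tgz", Content: []byte("sample third-party tool bytes")}
	signed := []SignedArtifact{SignArtifact(srcPriv, "source", script), SignArtifact(srcPriv, "source", tool)}
	contents := map[string][]byte{script.Name: script.Content, tool.Name: tool.Content}
	fmt.Println("build stage, untouched inputs, failures:", VerifyAll(root, signed, contents))

	// The build script is edited after signing; the build stage must refuse it.
	contents[script.Name] = []byte("#!/bin/sh\nmake all # edited after signing\n")
	fmt.Println("build stage, modified script, failures:", VerifyAll(root, signed, contents))

	// The build stage signs its own output with its own key for the deploy stage.
	out := SignArtifact(bldPriv, "build", Artifact{Name: "app.jar", Content: []byte("sample jar bytes")})
	fmt.Println("deploy stage verifies app.jar:", VerifyArtifact(root, out, []byte("sample jar bytes")))
}
```

Keeping one key per stage, and checking the stage name inside the signed message, is what gives the "who approved this" answer the previous paragraph asks for: a build-stage key cannot vouch for a source-stage artifact, and a signature cannot be moved from one artifact to another.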

“What’s important now, in a world of millions of software projects and developers, is to help scale up what used to be informal, high-trust processes along this chain into more rigorous, automatable tools and practices," says Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF).

How Venafi is helping in secure code development

Shortly after the SolarWinds compromise became public last year, Venafi began working with leaders in the software security and software development sectors to create an open source architectural blueprint for securing software build pipelines. Its controls can be used to measure the security of the software being developed by any organization.

To implement a “sign early, sign often” approach, businesses can leverage the controls defined by Venafi and Veracode with support from Sophos and Cloudbees. Venafi invites contributions from industry leaders, individuals and academia. To contribute to this blueprint or for more information, visit: https://github.com/Venafi/blueprint-securesoftwarepipeline.

This blueprint reduces the risk of a supply chain attack by securing the build pipelines for continuous integration and continuous deployment (CI/CD). This is achieved by ensuring continuous authentication and software testing throughout the pipeline as the software is built, as well as for any third-party software incorporated into it.

As an example of one security control, Venafi is integrated within the GitLab environment so developers can easily sign their source code and other build artifacts without needing to know anything about PKI, code signing certificates, or code signing keys.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
