TechForge

July 24, 2025

  • Google and GitLab have each released tooling that helps protect the open-source ecosystem.
  • Open-source software dependencies make an ideal target for attackers.
  • Supply-chain attacks are an efficient route to maximum-effect compromise.

Two giants of the technology world have published separate tools that help companies developing software produce more secure, more accountable products.

Google’s open-source security team (GOSST) has announced OSS Rebuild, a project that rebuilds well-known, freely available packages from source and compares the result with the artifact published in widely used package registries. If the rebuilt artifact corresponds exactly with what’s available in the registry, the project publishes its build definition, establishing provenance according to the Linux Foundation’s SLSA (Supply-chain Levels for Software Artifacts) provenance specification.
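The rebuild-and-compare idea described above, as an added illustration that is not Google’s OSS Rebuild code: a registry artifact and a from-source rebuild are compared by digest, and a provenance statement is produced only when they agree. The artifacts are in-memory byte strings standing in for a download and a rebuild, the builder id and build definition are placeholder values, and signing of the statement (a DSSE envelope in real deployments) is left out so the check itself stays in view.

```python
"""Rebuild-and-compare with a SLSA-style provenance statement.

Added illustration, not Google's OSS Rebuild code. Artifacts are in-memory
byte strings (constructed sample data) standing in for a registry download
and a from-source rebuild. Signing of the statement is deliberately omitted.
"""
import hashlib
from typing import Optional

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifacts: PUBLISHED stands in for what a registry serves;
# the two REBUILT variants stand in for a clean rebuild and for a case where the
# registry copy carries bytes the tagged source never produced.
PUBLISHED = b"example-pkg-1.0.0: compiled from tagged source v1.0.0"
REBUILT_OK = b"example-pkg-1.0.0: compiled from tagged source v1.0.0"
REBUILT_MISMATCH = b"example-pkg-1.0.0: compiled from tagged source v1.0.0 + injected"

# Placeholder build metadata (assumed values, not a real builder or repository).
BUILDER_ID = "https://example.invalid/rebuilder/v1"
BUILD_DEFINITION = {
    "buildType": "https://example.invalid/rebuild/pypi/v1",
    "externalParameters": {
        "source": "https://example.invalid/example-pkg.git",
        "ref": "refs/tags/v1.0.0",
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rebuild_matches(published: bytes, rebuilt: bytes) -> bool:
    """Bit-for-bit agreement between the registry artifact and the local rebuild."""
    return sha256_hex(published) == sha256_hex(rebuilt)


def provenance_statement(name: str, artifact: bytes,
                         build_definition: dict, builder_id: str) -> dict:
    """Minimal SLSA v1 provenance wrapped in an in-toto Statement.

    Field names follow the public SLSA v1 predicate schema (buildDefinition,
    runDetails.builder.id); the values are the caller's placeholders.
    """
    return {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": build_definition,
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_and_attest(name: str, published: bytes, rebuilt: bytes,
                      build_definition: dict, builder_id: str) -> Optional[dict]:
    """Issue provenance only when the rebuild reproduces the registry artifact.

    A mismatch returns None: no attestation is published, and the difference
    is the thing to investigate (a non-reproducible build, or a tampered upload).
    """
    if not rebuild_matches(published, rebuilt):
        return None
    return provenance_statement(name, published, build_definition, builder_id)


def attestation_covers(statement: dict, artifact: bytes) -> bool:
    """Consumer-side check: does a subject digest in the statement match the
    bytes actually downloaded? (Signature verification is omitted here.)"""
    digest = sha256_hex(artifact)
    return any(
        s.get("digest", {}).get("sha256") == digest
        for s in statement.get("subject", [])
    )


if __name__ == "__main__":
    name = "example-pkg-1.0.0.tar.gz"
    clean = verify_and_attest(name, PUBLISHED, REBUILT_OK, BUILD_DEFINITION, BUILDER_ID)
    bad = verify_and_attest(name, PUBLISHED, REBUILT_MISMATCH, BUILD_DEFINITION, BUILDER_ID)
    print("clean rebuild attested:", clean is not None)
    print("mismatched rebuild attested:", bad is not None)
```

The consumer-side `attestation_covers` is the half that matters to anyone installing the package: a provenance statement only protects you if you check that its subject digest matches the bytes you fetched, and in practice you would also verify the signature over the statement before trusting it.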

The latest release, GitLab 18.2, introduces two new features: Security Inventory and Dependency Path visualisation. The former gives organisations an overview of all projects housed on GitLab, showing which are covered by security scans and which are under-protected or unscanned. Dependency Path digs down into individual projects and follows dependency trails to catalogue every component, helping teams identify where to begin fixing a problem.

Follow the dependency trail

To understand the complexity of the typical software supply chain, it’s necessary to break an average application down into as many component parts as possible.

For each step and element, developers either write code to crack a particular problem (if no one has done so before, or has done so but not in a way that fits the current context), or ‘pull in’ dependencies from the internet’s many software repositories.

Using ready-made libraries, code bases and frameworks makes sense, especially since no developer can be expected to be an expert on every aspect of software. Cryptography, for example, is one area where developers should never try to ‘reinvent the wheel’: vetted, widely reviewed implementations already exist, and home-grown attempts to do better usually fail.

It’s worth noting, however, that dependencies often have dependencies of their own, which in turn rely on further dependencies, nested like a Russian doll. These indirect components are known as transitive dependencies.

Additionally, many applications, and their dependencies, make use of the same libraries or code snippets. Displaying an image on screen, for example, is hardly unique to one application, so sharing a single implementation is simpler than having several versions of code that do the same thing co-existing under the hood. The flip side is that a flaw in one widely shared library surfaces in every application that depends on it.
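The dependency-trail walk that the preceding paragraphs describe (nested dependencies, and the same library reached through more than one route), as an added example that is not GitLab’s Dependency Path code: given a dependency graph, catalogue every component, list every path from the application to a flagged package, and pick out the direct dependencies through which it arrives, since those are where a fix starts. The graph and the flagged package name are constructed sample data, not a real project or advisory.

```python
"""Walking a dependency graph to find where a flagged component comes from.

Added example, not GitLab's Dependency Path feature. The graph and the
flagged package are constructed sample data, not a real project or advisory.
"""
from typing import Dict, List, Set

# Constructed sample graph: each key lists the packages it depends on directly.
# Two direct dependencies of my-app share the nested library http-core, and
# compress-lib sits a level further down behind both of them (the Russian-doll
# and shared-code structure described in the text).
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "my-app": ["web-framework", "image-tools", "cli-helper"],
    "web-framework": ["http-core", "template-engine"],
    "image-tools": ["http-core", "pixel-lib"],
    "cli-helper": [],
    "http-core": ["compress-lib"],
    "template-engine": [],
    "pixel-lib": ["compress-lib"],
    "compress-lib": [],
}


def all_components(graph: Dict[str, List[str]], root: str) -> List[str]:
    """Catalogue every component reachable from root, direct and transitive."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return sorted(seen)


def dependency_paths(graph: Dict[str, List[str]], root: str, target: str) -> List[List[str]]:
    """Every path root -> ... -> target. A node already on the current path is
    not revisited, so cyclic graphs terminate."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep in path:
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return paths


def fix_points(paths: List[List[str]]) -> List[str]:
    """The direct dependencies through which the target is reached. Upgrading
    or replacing these is where remediation starts: the transitive package
    itself is not something the application declares."""
    return sorted({p[1] for p in paths if len(p) > 1})


def shared_dependencies(graph: Dict[str, List[str]], root: str) -> Dict[str, List[str]]:
    """Components pulled in by more than one dependent within root's tree."""
    dependents: Dict[str, Set[str]] = {}
    for node in all_components(graph, root):
        for dep in graph.get(node, []):
            dependents.setdefault(dep, set()).add(node)
    return {dep: sorted(users) for dep, users in sorted(dependents.items()) if len(users) > 1}


if __name__ == "__main__":
    flagged = "compress-lib"  # constructed: pretend an advisory names this package
    paths = dependency_paths(SAMPLE_GRAPH, "my-app", flagged)
    for path in paths:
        print(" -> ".join(path))
    print("start fixing at:", fix_points(paths))
    print("shared libraries:", shared_dependencies(SAMPLE_GRAPH, "my-app"))
```

Run against the sample graph, the flagged package turns up on three paths but only two direct dependencies lead to it, which is the information a team needs: bumping or replacing those two is the work, and `shared_dependencies` shows which nested libraries a single fix would cover more than once.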

Keeping OSS safe

In this complex picture, identifying the source of a rogue element can be difficult, if not impossible. The GitLab platform update gives organisations a catalogue of the elements that make up each software project in development, helps them focus on problem components and, crucially, shows where those components came from.

The Google OSS Rebuild project will rebuild well-known software from the package registries PyPI (Python), npm (JavaScript and TypeScript) and crates.io (Rust), maintaining an evolving list of packages that meet an accepted ‘gold standard’ and can be relied upon.

According to Google, around 80% of the world’s software is open-source, a proportion that’s increasing. Bad actors will always target popular platforms: the more devices they can affect, the more effective an attack. As open-source software and its myriad elements continue to grow in number and complexity, protecting the supply chain becomes more difficult without smart tools.

(Image source: “Shoring up the shoulder” by OregonDOT is licensed under CC BY 2.0.)

About the Author

Joe Green

Joe Green is a writer based in Bristol, UK. He bought his first computer and dial-up modem in 1992 and has worked in the tech industry since 2000. He specialises in networking, open-source, online privacy and data security.
