A series of software supply chain security standards efforts under the Open Source Security Foundation have emerged this month as the open source community races to get ahead of mounting cyber attacks.
The latest is Secure Software Factory, a prototype toolchain created by financial services company Citi. It combines open source projects such as Tekton and Kyverno to follow a set of best practices established by a Cloud Native Computing Foundation (CNCF) white paper last year. Citi donated Secure Software Factory this week to the OpenSSF, a Linux Foundation subgroup created to foster open source security projects such as Sigstore and Google's Supply-chain Levels for Software Artifacts (SLSA).
CNCF's reference architecture didn't specify what tools to use, which prompted Citi engineers to develop the Secure Software Factory project, a reusable package of open source tools that meet the CNCF's best practices requirements.
"We would like to make it into [a set] of secure defaults, a secure-by-design system tied together and implemented in a way where you can just start using it," said Michael Lieberman, a senior software supply chain security engineer at Citi until recently, in an interview this week.
The project is still at an early stage, deployed through a GNU Make file, but further deployment tooling is in development, he said. OpenSSF is also seeking to add contributors to the project.
This will be key to making the tools a practical means of addressing the wider problem of software supply chain security, analysts said.
"I like the Citi contribution -- it translates a set of capabilities into a real-world implementation," said Larry Carvalho, an independent analyst at RobustCloud. "But it will need many more contributions to become generally beneficial to the community -- more companies need to participate in open source, the way Boeing, Fidelity and Citi do."
OpenSSF seeks further support for supply chain standards
Seeking further contributions has been a theme this month for OpenSSF -- namely, financial contributions. Members of the organization met with the Biden administration May 12 and issued a call for funding from both private sector companies and the U.S. government to shore up software supply chain security.
OpenSSF released a white paper proposal, a 10-point Software Supply Chain Security Mobilization Plan, on May 13 that outlined the $150 million budget it said would be required to substantially improve open source software supply chain security over the next two years. The OpenSSF has raised a total of $45 million in funding to date, $30 million of it contributed this month by companies including Amazon, Ericsson, Google, Intel, Microsoft and VMware to support the new mobilization plan.
That plan, and open source security in general, were hot topics as KubeCon EU kicked off this week.
"Open source software is a permanent feature of how modern software gets developed, with thousands of different components that get combined together," said Jim Zemlin, executive director of the Linux Foundation, during a media discussion about the OpenSSF's mobilization plan at KubeCon EU. "In 2022, it's insane that we don't have cryptographic signatures for those packages -- it's just too easy of an attack vector."
The OpenSSF's proposals include a public risk assessment dashboard for the top 10,000 most-used open source components. The plan would add a yearly third-party code review and remediation work on 200 of the components deemed most critical. It would also promote the adoption of digital signatures on open source software components, which makes them more difficult to replace with malicious code packages.
During a KubeCon media panel session, early enterprise adopters of cloud-native infrastructure said digital signing standards would be helpful.
"Currently there is no open standard for verifying that a [container] image is really from a vendor -- the only option is to do something with Open Policy Agent or Kyverno," said Christopher Dziomba, DevOps engineer at Deutsche Telekom. "As a telco, it would be great if we had a standard for that we can verify with the vendor."
It's too easy for developers solving specific problems to pick up small pieces of functionality created by single maintainers in the community that don't come with a software bill of materials, said Guy Templeton, software engineer at travel tech company Skyscanner.
"Anything that makes it easier for developers to integrate that kind of thing into their workflow would make our security team happier," he said.
Cybersecurity and DevSecOps have generated plenty of buzz over the last four years without stemming an ever-rising tide of worsening cyber attacks, but industry watchers said the OpenSSF seems like a more promising effort than most.
"We don't know yet what the meaningful impact will be, but I'm optimistic," said Fernando Montenegro, senior principal analyst at Omdia. "It's clear software supply chain security has become more important among large service providers and higher levels of community and government organizations."
A community working together, as OpenSSF and CNCF seem to be, can potentially mitigate not just specific vulnerabilities but an entire class of vulnerabilities like those found in the software supply chain, Montenegro said.
"At the same time, it's still up to users to ensure they have the right view of software assets, their security build process and that they come from the right registry," he said. "Just using open source doesn't absolve you of responsibility for your own systems."
Early-stage software supply chain security projects overlap
Lieberman said he's talked with code maintainers from Red Hat about how to slot OpenShift Pipelines into the Secure Software Factory model; the company also previewed coming integration with Tekton Chains for OpenShift at Red Hat Summit this month, and executives, including CEO Paul Cormier, emphasized the need for such secure defaults in enterprise products. Red Hat has not commented publicly on whether it will work with the Secure Software Factory project.
So far, the Secure Software Factory package consists of Kubernetes for infrastructure, Kyverno cluster admission controller, Tekton Pipelines for event-driven CI/CD, the Tekton Chains experimental integration with the Sigstore software supply chain attestation project, and the SPIFFE/SPIRE identity management project. It also includes Sigstore's Cosign container signing, verification and storage tooling; Sigstore's Rekor metadata ledger; the Crane open source Go library that presents an immutable view of container images; GNU Make to build and install software packages; and Google's CUE language for parts of system and policy configuration.
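As an added illustration of how the admission-control layer of that stack enforces signatures (this is not Citi's or the project's own configuration, but a constructed example): a Kyverno ClusterPolicy that rejects Pods whose images are not signed with the expected Cosign key and whose signature is not recorded in Rekor. The registry path and the public key are placeholders to be replaced with your own values.

```yaml
# Constructed example policy: admission-time verification of Cosign signatures.
# Requires Kyverno with verifyImages support (the imageReferences/attestors schema).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images
spec:
  validationFailureAction: Enforce   # reject unsigned images rather than only auditing them
  background: false                  # evaluate at admission only, not on existing resources
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                # fail closed if the webhook cannot answer in time
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/apps/*"   # placeholder: your own registry path
          required: true        # every matching image must carry a valid signature
          mutateDigest: true    # rewrite tag references to the verified digest
          verifyDigest: true    # reject images that are referenced by tag alone
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER-REPLACE-WITH-YOUR-COSIGN-PUBLIC-KEY
                      -----END PUBLIC KEY-----
                    rekor:
                      url: https://rekor.sigstore.dev   # signature must appear in the transparency log
```

A Pod referencing `registry.example.com/apps/api:1.2.3` is admitted only if a Cosign signature made with the matching private key exists for that image and is logged in Rekor; images outside the listed path are not checked by this rule.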
Meanwhile, Google unveiled its own software supply chain security product this week called Assured Open Source Software (Assured OSS). Assured OSS, which is due out in the third quarter of 2022, will handle the attestation and signing process for open source packages as a service.
But not every security-conscious enterprise can use SaaS, Lieberman said in a demo presentation of the Secure Software Factory during KubeCon EU this week.
"Some of the best practices for supply chain security today can be enforced in various SaaS build tools, but that often doesn't fit the needs of some organizations and projects," he said. "This is also an issue for folks who are required to enforce policies that are not supported by some of these other tools -- Secure Software Factory tries to help out here by enforcing policy at multiple different levels."
This isn't the only area where still-coalescing efforts for open source software supply chain security standards overlap. Microsoft Azure principal program manager Hector Linares presented at Cloud Native SecurityCon, a co-located event at KubeCon EU this week, about an Internet Engineering Task Force project called SCITT (Supply Chain Integrity, Transparency and Trust) that has similarities to Sigstore, such as using a metadata ledger to track software attestations.
OpenSSF officials declined to comment on whether that project will be incorporated into its software supply chain security plans.
Linares acknowledged some overlap between SCITT and Sigstore during a Q&A session at SecurityCon and said there could be efforts to see how the two projects could cooperate.
"As of right now, they're separate, but it's something that we need to also look at and investigate, because there are some similarities there," Linares said.
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.