Real-world supply chains can involve planes, ocean freighters, trains, trucks, and even bike couriers. So it’s no surprise that software supply chains also involve a wide variety of complementary production, distribution, and deployment channels.
One of the challenges with securing software supply chains is that solutions must be combined to address each conduit supporting the entire chain. Patching the libraries your software engineers copied into your final build is insufficient—you must also consider your base images, the packages and platforms brought in via provisioning scripts, and even possibly plugins deployed by admins post-deployment!
Unfortunately, these disparate channels often have different weaknesses and vulnerabilities and require different security approaches.
Watch this webinar with our special guest speaker and expert in open-source software ecosystems, John Speed Meyers, and the vulnerability scanning implementor, Julius Musseau, as they discuss the important perspectives on software supply chains.
What they will go through:
- An understanding of today’s sophisticated and multi-channel software supply chains
- What are the risks, and how to manage them
- Software Supply chains security best practices
Take a look at the big picture and discuss specific techniques tailored to protect some of these critical pieces better.
Open Source Research
A lot of people will claim that open source is everywhere, but how much open source software is actually out there? In this paper, we propose a methodology and associated tool that can analyze Java binaries and determine the proportion of open source that comprises them.
The result of our research shows that around 80 to 90% of the software is made from open source.
Evaluating Different Software Sources
The conversation explores three categories of software sources: repositories, distros (e.g., Debian, Ubuntu), and upstream sources (e.g., Apache). While each category presents its own challenges, the speakers express their concern primarily with repositories. Repositories are diverse and prioritize convenience, aiming for a low barrier to entry.
This characteristic introduces potential vulnerabilities due to the extensive network effect and the large number of maintainers involved. In contrast, distros and upstream sources often demonstrate a deeper understanding of security, shared goals, and expertise.
When asked to choose the most worrisome category among repositories, distros, and upstream sources, the speakers share their perspective. They express the highest level of concern for repositories, followed by upstream sources and distros.
Repositories’ diverse nature, coupled with a focus on convenience, increases the fragility of the software supply chain. On the other hand, distros and upstream sources involve more vetting, auditing, and social forces, which provide an additional layer of security.
Challenges in Defining Software Supply Chain Security
The speakers discuss the ongoing efforts to cope with the widespread dependence on open-source software and the recurring nature of these challenges. They acknowledge that a perfect solution may never exist and that different stages of coping and adapting will continue to evolve.
Despite the chaotic landscape, there is a shared alignment towards improving software supply chain security.
Contemplating Software Supply Chain Attacks
In a hypothetical scenario, the speakers consider how one could attack the software supply chain for criminal profit. They explore different avenues, such as exploiting outdated Microsoft systems prevalent in certain organizations or using social engineering tactics to compromise popular libraries.
The discussion highlights the importance of securing the software supply chain to prevent such attacks and the potential impact they can have.