Contributed by Fatih Degirmenci, Ericsson
Why are we now hearing about security concerns in the software supply chain? What can we do about it? And how can you join the conversation?
Current State of Affairs
Recent attacks have highlighted the importance of Software Supply Chain Security and the need to collaborate on addressing its challenges (to learn more about this topic, watch the SupplyChainSecurityCon talks). Governments, standards development organizations, and communities have started focusing on this topic, with new announcements, guidelines, and directives published monthly. Alongside the announcements, new initiatives and projects are continuously being started.
A recent and influential announcement came from the White House: the Executive Order on Improving the Nation’s Cybersecurity, issued in May 2021, is interesting in many respects. It is perhaps the first Executive Order that highlights Free and Open Source Software (FOSS) and instructs government agencies and the private sector to take the necessary steps, and to collaborate, to secure their infrastructure. The Executive Order was followed by a briefing note from the White House that includes several references to FOSS and summarizes the pledges made by the National Institute of Standards and Technology (NIST) and several high-tech companies to bolster the supply chain.
A more recent directive, published at the beginning of November 2021 (CISA’s Binding Operational Directive 22-01), orders federal agencies to patch their systems for known exploited vulnerabilities. Although the directive applies only to federal agencies and their IT systems, open source communities, and everyone who uses the components those communities develop, should expect to be affected: most commercial software used by these agencies contains open source components, so the required remediation will trigger dependency upgrades in those communities and their suppliers.
Additional examples of government responses are the India Trusted Source and EU recommendation on increasing the security of the software supply chain.
Interoperability SIG and Software Supply Chain
The CDF’s Interoperability Special Interest Group (SIG) has been working on various aspects of Software Supply Chain Security, looking for ways to contribute to the broader effort from a Continuous Integration/Continuous Delivery (CI/CD) perspective. Two topics the members of the SIG have spent time on are metadata standardization and Policy-Driven CD. The developments highlighted above and the SIG’s ongoing work have led to Software Supply Chain Security being included as a high-priority item in the upcoming version of the SIG Interoperability Roadmap, which is currently being developed.
Members of the Interoperability SIG have had many conversations about standardized metadata, which is related to the broader topic of the Software Bill of Materials (SBOM). A prerequisite to securing a software supply chain is knowing what software is in use, and these systems may include hundreds of components, if not thousands. It is therefore critical to identify, document, and exchange information about everything that goes into software, in the form of an SBOM. The National Telecommunications and Information Administration (NTIA) describes an SBOM as a “formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships“.
In April 2021, Kate Stewart of SPDX joined our SIG meeting to present SPDX and have a follow-up conversation with the community. The specification developed by the SPDX community has recently been approved as an ISO standard, ISO/IEC 5962:2021, paving the way for harmonization, standardization and, more importantly, broader collaboration on SBOM within the open source ecosystem.
Another topic we have been working on within the SIG is Policy-Driven CD, which is critical for governance and compliance, and therefore for Software Supply Chain Security. In addition to conversations within the SIG, we presented this topic at a CDF Meetup, and there were multiple talks on it during cdCon 2021, such as Executing Policies within CD Pipelines with OPA. Anders Eknert from the Open Policy Agent (OPA) community visited us in June 2021 to present OPA to members of the SIG.
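As an added example (written for this post, not CDF, SPDX or OPA code) tying the SBOM discussion above to Policy-Driven CD: it reads the hierarchical relationships out of a constructed SPDX 2.2 JSON document and then applies a small policy of the kind a pipeline would evaluate before promoting an artifact. The SBOM contents, the license allow-list and the blocked version are made up for the illustration, and the policy is plain Python standing in for a Rego rule so the check runs without OPA.

```python
"""Added example for this post (not CDF, SPDX or OPA code): read the hierarchy
out of an SPDX 2.2 JSON SBOM and gate it with a policy. The SBOM, the license
allow-list and the block list are constructed; the policy stands in for OPA."""
import json
from collections import defaultdict

# Constructed SPDX 2.2 document: an application, a direct dependency, a
# transitive dependency and a tool linked via the inverse DEPENDENCY_OF edge.
# Names, versions and checksum values are placeholders.
SBOM_JSON = r'''{
  "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-service",
  "documentNamespace": "https://sbom.example.invalid/example-service/1.0.0",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "example-service", "versionInfo": "1.0.0",
     "licenseConcluded": "Apache-2.0", "checksums": [{"algorithm": "SHA256", "checksumValue": "sha256-placeholder-1"}]},
    {"SPDXID": "SPDXRef-httplib", "name": "httplib", "versionInfo": "2.4.1",
     "licenseConcluded": "MIT", "checksums": [{"algorithm": "SHA256", "checksumValue": "sha256-placeholder-2"}]},
    {"SPDXID": "SPDXRef-compress", "name": "compress", "versionInfo": "0.9.0",
     "licenseConcluded": "NOASSERTION", "checksums": []},
    {"SPDXID": "SPDXRef-devtool", "name": "devtool", "versionInfo": "3.0.0",
     "licenseConcluded": "GPL-3.0-only", "checksums": [{"algorithm": "SHA256", "checksumValue": "sha256-placeholder-3"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-httplib"},
    {"spdxElementId": "SPDXRef-httplib", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-compress"},
    {"spdxElementId": "SPDXRef-devtool", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-app"}
  ]
}'''

# Hypothetical policy inputs an organization would maintain outside the pipeline.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
BLOCKED_VERSIONS = {("httplib", "2.4.1")}  # stand-in for a known-exploited-version list

def load_sbom(text):
    sbom = json.loads(text)
    if not str(sbom.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("expected an SPDX 2.x document")
    return sbom

def dependency_graph(sbom):
    """Parent -> children edges. DEPENDENCY_OF is the inverse of DEPENDS_ON;
    read both directions or part of the hierarchy is silently lost."""
    graph = defaultdict(set)
    for rel in sbom.get("relationships", []):
        a, kind, b = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind == "DEPENDS_ON":
            graph[a].add(b)
        elif kind == "DEPENDENCY_OF":
            graph[b].add(a)
    return graph

def hierarchy(sbom):
    """(depth, SPDXID) pairs in depth-first order, starting at the elements the
    document DESCRIBES; the path set keeps a cyclic SBOM from looping."""
    graph, out = dependency_graph(sbom), []
    def walk(node, depth, path):
        out.append((depth, node))
        for child in sorted(graph.get(node, ())):
            if child not in path:
                walk(child, depth + 1, path | {child})
    for rel in sbom.get("relationships", []):
        if rel["spdxElementId"] == sbom["SPDXID"] and rel["relationshipType"] == "DESCRIBES":
            walk(rel["relatedSpdxElement"], 0, {rel["relatedSpdxElement"]})
    return out

def render_tree(sbom):
    names = {p["SPDXID"]: p["name"] for p in sbom.get("packages", [])}
    return ["  " * depth + names.get(node, node) for depth, node in hierarchy(sbom)]

def evaluate_policy(sbom, allowed=ALLOWED_LICENSES, blocked=BLOCKED_VERSIONS):
    """One string per violation; an empty list means the gate passes. Only
    packages reachable from what the document DESCRIBES are judged."""
    pkgs = {p["SPDXID"]: p for p in sbom.get("packages", [])}
    reachable = sorted({node for _, node in hierarchy(sbom)})
    if not reachable:
        return ["document DESCRIBES nothing, so what was shipped is unknown"]
    violations = []
    for spdx_id in reachable:
        pkg = pkgs.get(spdx_id)
        if pkg is None:
            violations.append(f"{spdx_id}: referenced by a relationship but never declared")
            continue
        label = f'{pkg["name"]}@{pkg.get("versionInfo", "?")}'
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic in ("NOASSERTION", "NONE"):
            violations.append(f"{label}: license not concluded")
        elif lic not in allowed:
            violations.append(f"{label}: license {lic} not on the allow-list")
        if not any(c.get("algorithm") == "SHA256" for c in pkg.get("checksums", [])):
            violations.append(f"{label}: no SHA256 checksum, integrity cannot be verified")
        if (pkg["name"], pkg.get("versionInfo")) in blocked:
            violations.append(f"{label}: version is on the block list")
    return violations

if __name__ == "__main__":
    doc = load_sbom(SBOM_JSON)
    print("\n".join(render_tree(doc)))
    for v in evaluate_policy(doc):
        print("DENY", v)
```

In a real pipeline the SBOM would be produced by the build, the rules would live in OPA next to the other admission policies, and a non-empty violation list would fail the stage. The DEPENDENCY_OF handling is the detail home-grown SBOM consumers most often miss: SPDX allows the relationship to be expressed in either direction, so a consumer that reads only DEPENDS_ON silently drops part of the inventory and every policy built on top of it judges an incomplete picture.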
Upcoming Discussions
The other Software Supply Chain Security topics we would like to start discussing and exploring within the SIG are software integrity, provenance, and image signing, and how they relate to the CI/CD domain, in collaboration with other communities such as in-toto, sigstore, OpenSSF, and so on.
November 18
Santiago Torres-Arias will present the in-toto framework.
(Interoperability SIG Meeting Details)
▶️ Watch the recording here
December 2
Dan Lorenc will present sigstore.
Join at 16:00 UTC (Interoperability SIG Meeting Details)
Join the Conversation
CDF SIG Interoperability looks at potential ways to contribute to the seamless working of CI/CD technologies and the technologies used in the software supply chain. Security of the software supply chain is paramount and as contributors to open source communities, we have many opportunities to help address the challenges in a collaborative manner.
Please join us to discuss, collaborate, and contribute to SIG Interoperability and the broader CI/CD ecosystem in CDF.
Meeting logistics are available here. Please sign up to the Interoperability SIG’s Mailing list to take part in conversations and learn about upcoming discussions and presentations. We look forward to seeing you there!