Securing the software supply chain is a crucial issue for enterprise cybersecurity. Both the proprietary tools and the open-source code that make up this chain can hide bugs that are vectors of computer attacks. After several attacks on the software supply chain that had already made an impression (SolarWinds, Kaseya, Codecov), the zero-day bug of the most critical Log4Shell in December 2021 brought back to the fore the potential fragility of certain open-source libraries widespread in the Enterprise application development.
In the case of Log4Shell, we learned at the time that the offending project (the Apache Log4j logging library) was maintained by only three volunteers. Calls for tech giants to do more to secure open-source tools they also rely on were then multiplied… and clearly heard. Evidence of this is the Alpha-Omega project initiative, overseen by the Open Source Security Foundation (OpenSSF) and supported both technically and financially by Google and Microsoft ($5 million initial investment).
Concrete help from the Alpha Omega project
On the occasion of the OpenSSF Day Europe, which took place on Tuesday September 13th in Dublin and which the editors followed online, a conference was dedicated precisely to the Alpha-Omega project. Michael Winser, Product Manager at Google, and Michael Scovetta, Principal Security PM Manager at Microsoft, discussed the goals and achievements of this initiative, which is supported by the Linux Foundation and OpenSSF’s ambitious funding plan, which entails a total incremental investment of approximately US$150 million dollars includes .
On the one hand, the Alpha component helps the most critical open source projects, which are massively used, to improve their security. The support is financial but also technical, the Alpha-Omega team is also looking for talent to expand it. On the other hand, Omega, around 10,000 open source projects use automated methods and tools to identify critical security vulnerabilities. “We kind of clean the ocean by discovering zero-day bugs and then supporting developers who have a project to fix them,” explains Michael Scovetta.
The purpose of a standardized software bill of materials
Along with increased efforts to secure open source components where they are created and maintained, procedures must be put in place so that user organizations can hold all the cards when vulnerabilities are discovered. It would already be necessary to know exactly what projects make up a software supply chain in order to act on vulnerable code. “Transparency is key to improving supply chain security,” summarized Kate Stewart during her presentation at OpenSSF Day Europe. As Vice President for Reliable Embedded Systems at the Linux Foundation, she introduced interest in a Software Bill of Materials (SBOM), a formal inventory of the various building blocks used in the software creation process.
An SBOM must be complete and integrate open source components, libraries and modules, as well as those of proprietary tools, free or paid, the specialist emphasized. Before pointing out that the challenge at the moment is the need to standardize this type of documentation, in order not only to have the list of components, but also all the dependencies that exist between them. The main challenge is to develop inventory models that are both simple and accurate to encourage their large-scale corporate adoption. “We’re not quite there yet,” says Kate Stewart, because we still don’t have the tools to get there. A dedicated OpenSSF team, also supported by the aforementioned funding plan, is working to develop these models and practices that are accessible to any organization. Specifically, by attempting to develop “frictionless” open-source tools that generate standardized SBOMs.
#AlphaOmega #SBOM #secure #software #supply #chain