Is Your Software Supply Chain Secure? Introducing the Linux Foundation’s New Open Source Signing Tool
In the wake of the Meltdown and Spectre vulnerabilities, the Linux Foundation decided it was time to develop an open-source signing tool that makes secure software supply chains universal across all operating systems, processors, and hardware architectures. The new tool, dubbed The Linux Foundation Key Signing Key (KSK), will give companies more assurance that their applications and devices have not been tampered with during any stage of their software supply chain. Since its launch in September 2017, over 600 companies have signed up to use KSK to sign firmware images and other software code before they are distributed to end users.
What is a secure supply chain?
Secure supply chains start with software repositories. Updating software to deal with security vulnerabilities and threats can be time-consuming, difficult, and potentially expensive. Therefore, it is essential to ensure that you have a secure software supply chain. As such, here are some tips for building a more secure software supply chain:
- Implement proper dependency management by evaluating the dependencies for your source code packages (e.g., libraries) to determine if any of those packages are known risky or vulnerable ones that you should avoid in your deployment process.
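A concrete form of the dependency check above, as an added example that is not code from the original page or from any Linux Foundation tool: it parses a pinned `name==version` manifest, compares each pin against a list of advisories with affected version ranges, and reports the dependencies that fall inside a range. The manifest, the advisory IDs (`EXAMPLE-000n`) and the version ranges are constructed for the example, and the version comparison is a deliberately simple numeric dotted-version ordering.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory records one known-vulnerable version range of a package:
// versions >= Introduced and < Fixed are affected (empty Fixed = no fix yet).
// IDs and ranges here are constructed for this example, not real advisories.
type Advisory struct {
	ID, Package, Introduced, Fixed, Note string
}

// Finding pairs a pinned dependency with the advisory that covers it.
type Finding struct {
	Package, Version, AdvisoryID, Note string
}

// Dependency is one pinned entry from a lockfile-style manifest.
type Dependency struct {
	Name, Version string
}

// SampleManifest is a constructed "name==version" pin list.
const SampleManifest = `# constructed lockfile for the example
requests==2.19.0
urllib3==1.26.5
pyyaml==6.0.1
`

// SampleAdvisories is a constructed advisory feed (not real advisories).
var SampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", Package: "requests", Introduced: "0", Fixed: "2.20.0", Note: "constructed issue A"},
	{ID: "EXAMPLE-0002", Package: "urllib3", Introduced: "1.26.0", Fixed: "1.26.4", Note: "fixed before our pin"},
	{ID: "EXAMPLE-0003", Package: "urllib3", Introduced: "1.25.0", Fixed: "1.26.6", Note: "constructed issue B"},
	{ID: "EXAMPLE-0004", Package: "pyyaml", Introduced: "5.1", Fixed: "5.4", Note: "constructed issue C"},
}

// ParseManifest reads "name==version" lines, ignoring blanks and # comments.
// Unpinned lines are rejected: a range cannot be audited against a fixed version.
func ParseManifest(text string) ([]Dependency, error) {
	var deps []Dependency
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, ver, ok := strings.Cut(line, "==")
		if !ok {
			return nil, fmt.Errorf("unpinned or malformed line: %q", line)
		}
		deps = append(deps, Dependency{Name: strings.ToLower(strings.TrimSpace(name)), Version: strings.TrimSpace(ver)})
	}
	return deps, sc.Err()
}

// CompareVersions orders dotted numeric versions component by component, so
// "1.2.10" sorts after "1.2.9". Missing components count as 0; a non-numeric
// component (pre-release tag etc.) is also treated as 0, a simplification
// made for this example rather than a general version-ordering rule.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	n := len(as)
	if len(bs) > n {
		n = len(bs)
	}
	for i := 0; i < n; i++ {
		x, y := component(as, i), component(bs, i)
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

func component(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	v, err := strconv.Atoi(parts[i])
	if err != nil {
		return 0
	}
	return v
}

// Audit returns every dependency whose pinned version falls inside an advisory's range.
func Audit(deps []Dependency, advisories []Advisory) []Finding {
	var findings []Finding
	for _, d := range deps {
		for _, a := range advisories {
			if a.Package != d.Name {
				continue
			}
			inRange := CompareVersions(d.Version, a.Introduced) >= 0 &&
				(a.Fixed == "" || CompareVersions(d.Version, a.Fixed) < 0)
			if inRange {
				findings = append(findings, Finding{Package: d.Name, Version: d.Version, AdvisoryID: a.ID, Note: a.Note})
			}
		}
	}
	return findings
}

func main() {
	deps, err := ParseManifest(SampleManifest)
	if err != nil {
		fmt.Println("manifest error:", err)
		return
	}
	for _, f := range Audit(deps, SampleAdvisories) {
		fmt.Printf("%s %s is affected by %s: %s\n", f.Package, f.Version, f.AdvisoryID, f.Note)
	}
}
```

Run against the constructed data it reports two findings: `requests 2.19.0` (below the fix in EXAMPLE-0001) and `urllib3 1.26.5` (inside EXAMPLE-0003 but past the fix in EXAMPLE-0002), while `pyyaml 6.0.1` is clean. In a real pipeline the advisory list would come from a vulnerability feed and the comparison would use the ecosystem's own version rules.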
The problem of integrity checking for software
We know how hard it is to build and maintain secure software supply chains. The software industry needs a way to securely store, manage, and leverage digital signatures for software programs, but due to its decentralization, the industry has never been able to find a single way of accomplishing this. Now is your chance!
The Linux Foundation is launching a new open source project called Erosion-Resistant Open Software Supply Chains (EROSSC) that will make it possible for anyone in the world to create software using this toolkit and enjoy guarantees that their security can be verified by a third party.
How does this relate to blockchain?
When we use a product like Microsoft Word, Mac OS X or Android, we are most likely using software that was built on an open source foundation. Unfortunately, this software is often not secure, as there are many instances of malware and ransomware attacking users through these programs. In response to this demand for more security, The Linux Foundation has released their new signing tool Signtool-LF, which uses blockchain technology to allow people to get signatures that confirm who created what code and when. That way, if someone tries to introduce a piece of malicious code, you can see exactly when it was added in the timeline.
What has the Linux Foundation done about it?
The new open source signing tool from the Linux Foundation has just been announced and it seems to be a game changer for protecting software supply chains. Simply put, this program will allow developers to create their own signature and digital key in order to sign their code – no external keys are needed.
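To make the two ideas above concrete (a developer generating their own key pair to sign code, and a signature that records who signed what and when), here is an added example that is not code from the page or from the Linux Foundation's tool. It uses Go's standard-library Ed25519: the signer hashes the artifact, wraps the digest with a signer identity and timestamp in a small statement, and signs that statement; the verifier checks the signature against the trusted public key and then checks that the artifact still matches the signed digest. The artifact bytes, file name and signer address are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Statement is what actually gets signed: the artifact's digest plus who
// signed it and when. Putting signer and time inside the signed payload means
// they cannot be altered afterwards without invalidating the signature.
type Statement struct {
	Artifact string `json:"artifact"`
	SHA256   string `json:"sha256"`
	Signer   string `json:"signer"`
	SignedAt string `json:"signed_at"`
}

// Envelope carries the serialized statement and its Ed25519 signature; this is
// what would be distributed alongside the artifact.
type Envelope struct {
	Payload   []byte
	Signature []byte
}

// GenerateKey creates the developer's own signing key pair. The private key
// stays with the signer; only the public key is handed to verifiers.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign hashes the artifact, wraps the digest with signer identity and time,
// and signs the JSON form of that statement.
func Sign(priv ed25519.PrivateKey, name string, artifact []byte, signer string, at time.Time) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	st := Statement{
		Artifact: name,
		SHA256:   hex.EncodeToString(sum[:]),
		Signer:   signer,
		SignedAt: at.UTC().Format(time.RFC3339),
	}
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature against a trusted public key first, and only
// then compares the artifact bytes with the digest inside the statement.
// A passing result returns the statement so the caller can see who signed
// the artifact and when.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte) (Statement, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Statement{}, errors.New("signature does not verify against the trusted public key")
	}
	var st Statement
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return Statement{}, err
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != st.SHA256 {
		return Statement{}, errors.New("artifact digest mismatch: contents changed after signing")
	}
	return st, nil
}

func main() {
	pub, priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v1.0") // stands in for a real file
	env, err := Sign(priv, "firmware.bin", firmware, "release-bot@example.invalid", time.Now())
	if err != nil {
		panic(err)
	}
	if st, err := Verify(pub, env, firmware); err == nil {
		fmt.Printf("ok: %s signed by %s at %s\n", st.Artifact, st.Signer, st.SignedAt)
	}
	// Any change to the distributed bytes after signing is caught at verification.
	tampered := append(append([]byte{}, firmware...), []byte(" + extra bytes")...)
	_, err = Verify(pub, env, tampered)
	fmt.Println("modified image:", err)
}
```

The order of checks in `Verify` matters: the signature is validated before anything in the payload is trusted, so an attacker who edits the signer name or timestamp in the envelope gets a signature failure rather than a misleading "who and when". What this example does not provide is the distribution of trusted public keys and a tamper-evident log of signatures over time; that is the part the page attributes to the Linux Foundation tool.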
One way you can start taking your software supply chain more seriously is by seeking out and assessing which versions of embedded devices have vulnerabilities (insecure configurations or unpatched security holes). That way, you’ll know which devices are most at risk. These kinds of basic assessments should be done regularly to ensure that everything stays up to date.
The ultimate goal here is making your entire supply chain as secure as possible.
What can you do about it now?
First and foremost, it should be noted that an open source signing tool is not a security solution, said Christian Lane, Technical Director at Google. There is no such thing as a silver bullet in this area. We recommend companies implement strong defense-in-depth strategies which have been proven to be effective. We also recommend training employees on secure practices and securing any services you run on-premises or in the cloud.