Google Created ‘Open-Source Maintenance Crew’ to Help Secure Critical Projects


Source: The Hacker News
Published: May 13, 2022

Google has announced the creation of a new “Open Source Maintenance Crew” to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine “whether a vulnerability in a dependency might affect your code.” “With this information, developers can understand how their software is put together and the consequences to changes in their dependencies,” the company said. The development comes as security and trust in the open source software ecosystem has been increasingly thrown into question in the aftermath of a string of supply chain attacks designed to compromise developer workflows.

Source: Google Created ‘Open-Source Maintenance Crew’ to Help Secure Critical Projects

CISA Official Renews Call for SBOMs to Help Software, Supply Chain Security

Source: CISA Official Renews Call for SBOMs to Help Software, Supply Chain Security – MeriTalk

Wider use of software bills of materials (SBOM) requirements represents a key building block in software security and software supply chain risk management that Federal agencies need to increasingly rely on going forward, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said today.

Allan Friedman, a senior advisor and strategist for CISA, explained that software packages typically include an extensive number of third-party components, and that Federal agencies must actively watch and manage each one to preserve security and functionality.

“To that end, it’s critical for the Federal government to move towards frequent utilization of an SBOM to keep track of these components. This machine-readable list comprises the various dependencies and elements of a piece of software,” Friedman said at a virtual event hosted by GovExec.

An SBOM also constitutes a formal record containing the details and supply chain relationships of various components used in building the software.

The drive for SBOMs has gained steam since May 2021, when the Biden administration released an executive order emphasizing SBOMs as a way of boosting the nation’s cybersecurity. Since then, the National Telecommunications and Information Administration (NTIA) has sought comment on what to include in SBOMs, and CISA leadership has called for SBOMs to aid in system visibility and inventory management following disclosure of the Log4J vulnerability earlier this year.

Friedman said today that SBOM implementation in the Federal space remains new and emerging. And while there is no reason organizations cannot use SBOM today, “we cannot assume universal full automation and integration,” he said.

Moving forward, Friedman listed three main goals in the government’s broader SBOM initiative:

  • Make SBOM generation an expectation in the marketplace;
  • Make SBOM generation easier and cheaper, at scale; and
  • Enable efficient and effective SBOM data consumption.

Additionally, Friedman explained that CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. He also explained that “continued industry leadership is needed to guide SBOM investment, standards, and policy.”

Friedman acknowledged that transparency will not solve all security problems, but “without transparency, it will be very hard to solve any security problems.”

One Year In: The Executive Order and Securing Software Supply Chains

In response to the Executive Order on Improving the Nation’s Cybersecurity published in May 2021, new mandates call for accelerating the adoption of secure open source software (OSS) and commercial off-the-shelf solutions to speed software delivery from years to minutes. Additionally, the National Institute of Standards and Technology (NIST) has provided updated guidance for strengthening the security of critical software purchased by U.S. federal government programs from industry software suppliers and partners. 

Join ATARC and government and private sector experts working across Federal defense agencies as they cover:

  • Key insights from the Executive Order on Cybersecurity
  • Latest directives from the DoD, NIST, and other Federal agencies on using and securing OSS
  • Role of the software bill of materials (SBOM) in securing your software supply chain

Register here: One Year In: the Executive Order and Securing Software Supply Chains – ATARC

Managing Trustworthiness & Dependability of Systems Acquired Via Supply Chain

Presented by

Dr. Bill Curtis, Executive Director, CISQ | Robert Martin, Sr. Software and Supply Chain Assurance Principal Eng., MITRE

Register: Managing Trustworthiness & Dependability of Systems Acquired Via Supply Chain (brighttalk.com)

About this talk

Join the Consortium of Information and Software Quality (CISQ) on April 6th, 2022, 3:00pm CST – 4:00pm CST to learn how to manage the trustworthiness and dependability of systems acquired through your supply chain.

Learning Objectives:

  • Learn how to leverage CISQ measures to reduce risk in your contracts & SLAs
  • How to certify software and its level of risk
  • How to manage the quality of the software you are receiving from a supply chain
  • Learn about the use of Software Bill of Materials (SBOM) in a software supply chain

A cyber attack at the Patent Office led to increased eyes on supply chain risk

Many people think of cybersecurity as threats coming from the outside, but with the government relying on private companies to provide hardware and software, the very tools that agencies use could be a threat within themselves.

Supply chain issues are wracking the nation, but the government is also thinking about its supply chain in terms of what companies are providing goods and services.

The U.S. Patent Office is one organization that pays particularly close attention to supply chain issues in order to keep clients’ proprietary information safe. Just recently, the Patent Office found a zero-day vulnerability in one of its logging libraries, according to Stephan Mitchev, director of the Office of Application Engineering and Development and acting chief technology officer at the Patent Office.

That infiltration caused the office to look harder at its supply chain to see what could have been infected.

A cyber attack at the Patent Office led to increased eyes on supply chain risk | Federal News Network

Cybersecurity Threats in The Cloud Software Supply Chain

January 20, 2022 — Cybersecurity Threats in the Cloud Software Supply Chain

Register now for ATARC’s Cybersecurity Threats in the Cloud Software Supply Chain event on January 20, 2022, from 1:30 PM – 2:30 PM ET. High-profile software supply chain attacks, such as SolarWinds and Kaseya VSA, have shed a glaring light on the disparity between agencies’ perceptions of security within their cloud infrastructure and the reality of supply chain threats that can impact business catastrophically. Tune in to this panel to hear what topic experts have to say on threat assessment within the cloud, and how the Executive Order impacted agencies’ cloud security practices. Register here.

What are Weak Links in the Node.js Package Manager (NPM) Supply Chain?

What are Weak Links in the npm Supply Chain?

ArXiv.org

Abstract

Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software’s supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks.

The goal of this work is to help software developers and security specialists identify weak links in a software supply chain by empirically studying npm package metadata.

In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of a security weakness in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. Our analysis identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts.

We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak link signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.
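Three of the signals the abstract names (install scripts, maintainer e-mail domains that have expired, and inactive packages with inactive maintainers) can be evaluated from npm registry metadata. The following is an added example, not the paper's code: it runs on constructed data shaped like a registry document, and it assumes that expired-domain status and per-maintainer last-activity dates are supplied by external lookups (DNS/WHOIS and registry history), which are stubbed inline.

```python
from datetime import datetime, timedelta, timezone

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # hooks that run code at `npm install` time
INACTIVE_AFTER = timedelta(days=365 * 2)  # assumed cutoff; the abstract gives no exact threshold

def has_install_script(pkg):
    """True if package.json defines any install-time lifecycle hook."""
    return any(hook in pkg.get("scripts", {}) for hook in INSTALL_HOOKS)

def expired_domain_maintainers(pkg, expired_domains):
    """Maintainer e-mails whose domain is in the externally sourced expired-domain set."""
    return [m["email"] for m in pkg.get("maintainers", [])
            if m.get("email", "").rpartition("@")[2].lower() in expired_domains]

def is_inactive(pkg, maintainer_last_seen, now):
    """Package unpublished for INACTIVE_AFTER and every maintainer equally quiet elsewhere."""
    # Registry timestamps end in "Z"; fromisoformat needs an explicit offset before Python 3.11.
    last_publish = datetime.fromisoformat(pkg["time"]["modified"].replace("Z", "+00:00"))
    if now - last_publish < INACTIVE_AFTER:
        return False
    return all(now - maintainer_last_seen.get(m["name"], last_publish) >= INACTIVE_AFTER
               for m in pkg.get("maintainers", []))

def weak_link_signals(pkg, expired_domains, maintainer_last_seen, now):
    """Return the subset of the three modelled signals that fire for one package."""
    signals = {}
    if has_install_script(pkg):
        signals["install_script"] = [h for h in INSTALL_HOOKS if h in pkg["scripts"]]
    expired = expired_domain_maintainers(pkg, expired_domains)
    if expired:
        signals["expired_maintainer_domain"] = expired
    if is_inactive(pkg, maintainer_last_seen, now):
        signals["inactive_package_and_maintainers"] = True
    return signals

# Constructed sample data shaped like an npm registry document; not real packages or people.
SAMPLE_PKG = {"name": "example-widget", "scripts": {"postinstall": "node setup.js", "test": "jest"},
              "maintainers": [{"name": "alice", "email": "alice@expired-example.test"},
                              {"name": "bob", "email": "bob@example.org"}],
              "time": {"modified": "2019-03-01T12:00:00Z"}}
CLEAN_PKG = {"name": "example-clean", "scripts": {"test": "jest"},
             "maintainers": [{"name": "bob", "email": "bob@example.org"}],
             "time": {"modified": "2022-04-01T00:00:00Z"}}
EXPIRED_DOMAINS = {"expired-example.test"}  # stub for what DNS/WHOIS checks would return
MAINTAINER_LAST_SEEN = {"alice": datetime(2019, 3, 1, tzinfo=timezone.utc),
                        "bob": datetime(2019, 6, 1, tzinfo=timezone.utc)}
NOW = datetime(2022, 5, 13, tzinfo=timezone.utc)
```

Calling `weak_link_signals(SAMPLE_PKG, EXPIRED_DOMAINS, MAINTAINER_LAST_SEEN, NOW)` reports all three signals for the constructed package, while `CLEAN_PKG` yields an empty result.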

On the Feasibility of Detecting Software Supply Chain Attacks

Published in: MILCOM 2021 – 2021 IEEE Military Communications Conference (MILCOM)

Date of Conference: 29 Nov.-2 Dec. 2021

Abstract

A supply chain attack is a stealthy and sophisticated cyberattack that aims to compromise a target by exploiting weaknesses and vulnerabilities in its supply chain. Recent supply chain attacks (e.g., the SolarWinds attack) have compromised some of the most secure IT infrastructures of government agencies and enterprises. The European Union Agency for Cybersecurity, ENISA, has predicted that there will be 3 times more supply chain attacks in 2021 than in 2020. In this paper, we look into the problem of supply chain attacks and the challenges of defending against software supply chain attacks. We analyze what it takes to effectively prevent software supply chain attacks, and show that it is indeed feasible and practical for customers to detect certain software supply chain attacks. We propose an information flow based detection approach that enables end users to detect many software supply chain attacks without dealing with any of the underlying software suppliers.

Log4j Highlights Need for Better Handle on Software Dependencies

Dark Reading
January 3, 2022

It’s a new year and the cybersecurity community now faces the long-term consequences of yet another software supply chain security nightmare. After a year full of application security zero-day fallout, the Log4j vulnerability debacle (also referred to as Log4Shell) was like a thematic bookend for 2021 that closed out the year much in the way SolarWinds started it. The real-world consequences of these incidents schooled enterprise IT teams in too many ways to count. But perhaps the most important lesson to bubble up is how much work many organizations need to do to truly understand and manage what code is running under the hood across their software portfolios. Like the SolarWinds incident before it, the Log4j fiasco highlighted how many hidden software dependencies exist in enterprise software — and how hard it is to stamp out critical underlying flaws when these dependencies aren’t sufficiently understood.

Commerce Proposes New Software Supply Chain Safety Criteria

Commerce Proposes New Software Supply Chain Safety Criteria – MeriTalk

The Department of Commerce is proposing new safety criteria for connected software to help better secure information and communications technology and services (ICTS) supply chains, including potential third-party audits of connected software and ICTS transactions, according to a proposed rule posted to the Federal Register Nov. 26.

The Department of Commerce is seeking feedback on the rule in its entirety but is also specifically looking for feedback on how to define what is a “reliable third-party” for the purposes of the rule. The agency also wants to know if its criteria of “third-party auditing of connected software applications” is sufficiently descriptive or whether the agency needs to get more specific.

The agency will accept public comment on the proposed rule until Dec. 30.