
Two Approaches for Assessing the Safety of Open Source Software


Open source repositories such as PyPI, the Maven Java repository, and Node Package Manager (npm) for JavaScript are facing challenges in managing and securing their infrastructure due to the significant volume of malicious users and projects created daily. The skeleton crew of engineers and volunteers managing these platforms cannot keep up: the pace of abuse outstrips the security review teams' capacity to address it. The increasing attention that the software supply chain has garnered from attackers continues to raise concerns, says Tim Mackey, head of software supply chain risk strategy at software integrity firm Synopsys.

Attackers who want to compromise a JavaScript application or a Python application at scale could gain control over significant elements of a repository. Yet the development organizations that consume Python code, Node code, or Java code usually have implicit trust that the repository is doing the right thing. The reality is that repositories need to keep malicious packages and users out of the software application, which requires a comprehensive solution beyond technology.

Efforts are underway to reduce the work on maintainers and repositories' infrastructure staff, such as the OpenSSF Scorecard hosted by the Open Source Security Foundation, which runs automated checks against developers' code and open source projects to gauge the risk of malicious maintainers, compromises of the source code or build system, and malicious packages. The Scorecard serves as a risk management tool, and companies can be deliberate about what they are linking in their supply chain by looking at specific signals.
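One way a consuming organization can act on "specific signals" is to gate dependencies on per-check minimums rather than on the aggregate score. The following is an added example, not code from the article or from the Scorecard project; it assumes a JSON report shaped like Scorecard's JSON output (`checks` entries with `name`, `score` and `reason`, where `-1` means the check did not run), using a constructed sample report and a hypothetical policy.

```python
import json

# Constructed sample report; field names are an assumption modelled on the
# shape of `scorecard --format json` output, not taken from the page.
SAMPLE_SCORECARD_JSON = """
{
  "repo": {"name": "github.com/example/libfoo"},
  "score": 6.1,
  "checks": [
    {"name": "Maintained", "score": 10, "reason": "30 commit(s) in last 90 days"},
    {"name": "Signed-Releases", "score": 0, "reason": "no releases are signed"},
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous patterns"},
    {"name": "Branch-Protection", "score": 3, "reason": "partial branch protection"},
    {"name": "Pinned-Dependencies", "score": -1, "reason": "check did not run"}
  ]
}
"""

# Hypothetical policy: minimum score required per check. Checks not listed
# here are informational only. Thresholds are the consumer's own decision.
POLICY = {
    "Maintained": 5,
    "Signed-Releases": 8,
    "Dangerous-Workflow": 10,
    "Branch-Protection": 5,
    "Pinned-Dependencies": 5,
}

def evaluate(report_json, policy=POLICY):
    """Return (passed, findings) for one report against a per-check policy.

    A finding is (check name, score or None, explanation). A check that is
    missing from the report or did not run (score -1) fails closed: it is
    reported as a finding rather than silently treated as acceptable.
    """
    report = json.loads(report_json)
    by_name = {c["name"]: c for c in report.get("checks", [])}
    findings = []
    for name, minimum in policy.items():
        check = by_name.get(name)
        if check is None:
            findings.append((name, None, "check missing from report"))
            continue
        score = check["score"]
        if score < 0:
            findings.append((name, score, "inconclusive: " + check.get("reason", "")))
        elif score < minimum:
            findings.append((name, score, f"below minimum {minimum}: {check.get('reason', '')}"))
    return (not findings, findings)

if __name__ == "__main__":
    passed, findings = evaluate(SAMPLE_SCORECARD_JSON)
    print("PASS" if passed else "FAIL")
    for name, score, why in findings:
        print(f"  {name}: {score} ({why})")
```

Run as a CI step, the exit status of such a gate can block a dependency whose aggregate score looks fine but whose signed-release or branch-protection signal is weak.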

Another technology, known as sigstore, allows developers and maintainers to sign their code easily to enable end-users to trust the provenance of the code. The project makes digitally signing source code easier because individual developers do not have to manage their cryptographic infrastructure. Python has a package to help developers generate and verify code signatures using sigstore, and GitHub is also working on a plan for developers who use npm to adopt sigstore.

Regardless of how good the tools are, software repositories need more funding and more security professionals on staff to secure the software supply chain. Suggestions to put automated tools in the pipeline to check all packages as they are uploaded for malware may not be effective, as they can result in false positives that require manual reviews, which can impose a huge operational overhead.

Industry investment in the open-source ecosystem has increased with the focus on securing the software supply chain. The OpenSSF’s Alpha-Omega Project aims to secure critical projects and now has a security developer-in-residence for the Python Software Foundation, while Amazon Web Services has donated to PyPI to create a Safety & Security Engineer role.

As open source software has become clearly recognized as critical infrastructure, government investment has also increased. In March, the Biden-Harris administration announced its National Cybersecurity Strategy, which seeks to hold companies liable for software products. The previous White House meetings and guidance aimed to increase support for securing open source projects.

In the short term, more bodies, not necessarily more technology, are needed to solve many of the problems, according to Synopsys’ Mackey. The Python model’s human review cycle, to a certain extent, can limit the scope of damage for some of these malicious activities. Therefore, software repositories need to invest in more human resources and processes to solve the current challenges they face.
