Companies are stepping up to give free tools and services to developers who maintain software projects, as attackers increasingly target open-source components as a way to corrupt the software supply chain. The programme, called Allstar, uses the GitHub API to check a project's current status, branch-protection settings, and other properties, so that essential parts of the project's configuration cannot change unnoticed.
Allstar works alongside another Google tool, Scorecard, to keep project maintainers' security settings correct, according to Jeff Mendoza, Google's technical lead on Allstar. Scorecard rates projects against 18 checks, including whether they are actively maintained, whether they update dependencies automatically, and whether they use fuzzing to catch easy-to-find bugs.
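To make the branch-settings check concrete, here is an added illustrative example (not Allstar's own code) of the kind of policy audit it automates across many repositories: each repository's branch-protection settings are compared against a baseline and any drift is reported. The policy fields, the audit function names, and the three repository payloads are constructed for this example; the payload shape follows the GitHub REST API response for GET /repos/{owner}/{repo}/branches/{branch}/protection, which in practice would be fetched with a token rather than embedded inline.

```python
"""Audit GitHub branch-protection settings against a baseline policy.

Added example, not Allstar's code. The payloads below are constructed
to mimic the GitHub "get branch protection" REST response; a real audit
would fetch them per repository with an authenticated API call.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BranchPolicy:
    """Baseline every default branch in the organisation must meet.
    Field names are this example's own, not Allstar's policy keys."""
    min_approvals: int = 1
    dismiss_stale_reviews: bool = True
    block_force_pushes: bool = True
    enforce_admins: bool = True


def _enabled(protection: dict, key: str) -> bool:
    """GitHub wraps boolean settings as {"enabled": bool}; absent means off."""
    value = protection.get(key)
    return bool(value.get("enabled", False)) if isinstance(value, dict) else False


def check_branch_protection(protection: Optional[dict], policy: BranchPolicy) -> List[str]:
    """Return the list of policy violations for one branch (empty = compliant).
    A missing payload (HTTP 404 from the API) means the branch is unprotected."""
    if not protection:
        return ["branch is not protected"]
    violations: List[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        violations.append("pull request reviews are not required")
    else:
        count = int(reviews.get("required_approving_review_count", 0))
        if count < policy.min_approvals:
            violations.append(f"required approvals {count} < {policy.min_approvals}")
        if policy.dismiss_stale_reviews and not reviews.get("dismiss_stale_reviews", False):
            violations.append("stale reviews are not dismissed on new commits")

    if policy.block_force_pushes and _enabled(protection, "allow_force_pushes"):
        violations.append("force pushes are allowed")
    if policy.enforce_admins and not _enabled(protection, "enforce_admins"):
        violations.append("administrators can bypass protection")
    return violations


def audit_org(repos: Dict[str, Optional[dict]], policy: BranchPolicy) -> Dict[str, List[str]]:
    """Run the check over every repository; the result is what a bot like
    Allstar would turn into one tracking issue per non-compliant repository."""
    return {name: check_branch_protection(prot, policy) for name, prot in repos.items()}


# Constructed sample payloads: one compliant repo, one that has drifted,
# and one whose default branch has no protection at all.
SAMPLE_PROTECTION: Dict[str, Optional[dict]] = {
    "org/hardened": {
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "required_approving_review_count": 2,
        },
        "enforce_admins": {"enabled": True},
        "allow_force_pushes": {"enabled": False},
    },
    "org/drifted": {
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": False,
            "required_approving_review_count": 0,
        },
        "enforce_admins": {"enabled": False},
        "allow_force_pushes": {"enabled": True},
    },
    "org/unprotected": None,
}


if __name__ == "__main__":
    for repo, problems in audit_org(SAMPLE_PROTECTION, BranchPolicy()).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{repo}: {status}")
```

The point of the example is the org-wide loop: a single repository's settings are easy to eyeball, but drift is only caught reliably when the same baseline is re-applied to every repository on a schedule, which is the gap Allstar fills.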
“Scorecard attempts to shine a light on adoption, and encourages a high score,” he says. “Allstar helps when your project or organization spans many repositories, and it’s too cumbersome to ensure all the right settings and practices are set up on every repository.”
According to Mendoza, the technology allows developers to defend their projects against persistent attacks. “With the huge popularity of open source, attackers see a compromised project as a way to infiltrate both closed and open systems,” he says. “Since open source is rarely a live running system, attacks are on the supply-chain side: either compromising the code base, or injecting a compromise somewhere between the code and where the project is built and used on other systems.”
Developers who want to adopt the tools should start by automating dependency updates with a tool such as Dependabot, which flags components included in their applications that have known vulnerabilities.
Will the availability of basic tools for monitoring the security posture of open-source software be enough? Improving the security of such components is not difficult, according to Mendoza; all it takes is the right tools and developers who use them.
“The supply chain attacks we have seen have been analyzed, and many could have been prevented by following existing best practices,” he says. “The solutions to these issues are neither unknown, nor difficult. The problem we see is adoption, not all projects are using the tools and procedures to achieve the highest security.”