As we head to the Open Source Summit conference next week, we wanted to discuss our contributions to the open source community, why we invest so much in research and open source projects, and why the open source community is so important to the future of software supply chain security.
Why We contribute Heavily to The Open Source community
A key part of Legit Security’s mission is to contribute to the security community because (a) we believe this is a global threat that requires the participation and agreement of the community; and (b) software supply-chain security should be applied everywhere and encompass the broader landscape to successfully remove the threats.
We are witnessing a rise in software supply-chain attacks that have already made global headlines with the log4shell, Kaseya and of course the infamous SolarWinds which was the largest known targeted breach delivered by malicious software. Growing distrust in software components and vendors gave rise to many initiatives that aim to help the global community.
Our world runs on software and flourishes because of software. One example to consider is just how much development relies on open-source components, and how much it makes development better and faster. Supply chain attacks endanger all these benefits. To keep thriving, the security and development community has launched several initiatives to tackle these.
In February 2021, the US government issued an executive order that led to the definition of NIST Secure Software Development Framework. Around the same time, Google published their SLSA framework which defines a holistic level-based mechanism for securing the integrity of software releases.
One of the most active organizations on this front is the Open-Source Security foundation (OSSF) which launched multiple initiatives (including the maintenance and development of SLSA) to contribute to software supply chain security.
It is an integral part of Legit Security’s corporate mission statement to contribute to these initiatives and secure every organization's software factory by protecting the pipelines, infrastructure, code and people for faster and more secure software releases. We’ll summarize some of the initiatives where we are supporting the security community and contributing work.
Research of Security Vulnerabilities and Securing Open Source Projects
Part of our corporate mission is to increase software security and pipeline integrity in the open-source community. We continuously examine popular CI/CD services and look for security holes that might expose their users to cyberattacks. We aim to discover and disclose dangerous weaknesses before malicious actors find them and proactively prevent as many software supply chain attacks as possible.
For example, we recently investigated GitHub Actions and found multiple vulnerabilities in some popular patterns of code found on workflows (GitHub’s CI/CD script) pertaining to many popular open-source projects. We contacted various GitHub organizations that we found susceptible to the discovered vulnerabilities. Many of them managed to fix the issues right away, such as Apache and Nginx. You can read more about our “Vulnerable GitHub Actions Workflows” series, Part I and Part II. More episodes will be published soon after the related security issues are fixed.
Our contribution to community open source projects
Once our research yields a newly discovered attack surface, we put effort into understanding how to prevent the attack, reduce its blast radius and remediate affected assets. We publish our suggestions and recommendations as part of our technical disclosure blog posts, and additionally, we contribute to open-source community projects that address the same area which we found to be vulnerable. An example of such a case is when we found that a privilege escalation attack could be triggered inside workflow patterns that an adversary might have exploited to initiate a supply chain attack. We contributed to OpenSSF’s scorecard repository, to help increase education and expand the OSSF’s toolset capabilities which revolve around software supply chain security.
While contributing to existing open-source projects is vital, we also believe there are various weak spots in the SDLC that the open-source community hasn't addressed yet, and we are working on a few valuable software supply chain security tools we thought should be made publicly available to the world. We've started developing a tool that would help GitHub organizations across the globe secure all their assets quickly and easily. More updates will become available soon.
Adoption of Community Models in our Security Platform (Scorecard, SLSA, Etc.)
Legit Security intends to be at the forefront in implementing security models and frameworks developed by the security community that are destined to become the next industry standard. Today, there are three examples that we are actively implementing:
- Legit Security’s policies and detections are derived from NIST SSDF, SLSA, and others. Organizations can, out-of-the-box, measure their risk posture based on frameworks that are curated daily from best practices by the industry.
- Legit Security is building integrity mechanisms compliant with these frameworks – a holistic zero-trust approach that can secure an organization’s pipelines and provide attestation using checks and signatures. One prominent example of this is to generate, or verify, the existence of a standardized SBOM.
- Legit Security has adopted the concept of an OSSF Scorecard into privately developed code repositories to promote security maturity and risk scoring for an organization
Open Source Security Tools Released by Legit Security
While contributing to existing open-source projects is vital, we also believe there are many weak spots in SDLC security that the open-source community hasn’t addressed yet. The Legit Security team is working on valuable software supply chain security tools that we think should be made publicly available to the world. For example, we’ve started developing an open source security tool that would help GitHub organizations across the globe secure all their assets more quickly and easily. More updates on this open source tool and others like it will available soon.
Protecting Our customers and the community
Legit Security aims to be the leading software supply chain security platform for enterprise customers, but we also believe in the responsibility to support and protect the broader security community for the benefit of all. We continuously seek to discover new vulnerabilities and attack vectors for responsible disclosure, support and contribute to ongoing open source initiatives, offer our own open source security tools for community use, and develop our platform leveraging guidelines and frameworks supported by industry standards. We believe that the next evolution of securing software development is well underway, and we are thrilled to be part of this journey together with the security community.