The importance of improving supply chain security in open source

Over the past several years—and the past year in particular—supply chain security in the open source ecosystem has become a large point of focus for the broader open source community—including the many companies and governments that rely on open source software.

As an industry and community, we have seen bad actors take over user accounts, corrupt popular open source dependencies, and take advantage of vulnerabilities in some of the biggest open source projects.

It’s no secret that a lot of our modern digital infrastructure runs on open source. The success of open source software (OSS), in part, comes down to the speed at which it’s developed by a global community of developers. But this speed can come at a cost if developers inherit the vulnerabilities in their supply chain.

At GitHub, we think a lot about a high-profile supply chain attack that might cause developers, teams, and organizations to lose trust in open source—because we know firsthand how important OSS is and how integral it will continue to be. We also know that staying on top of open source vulnerabilities can be a full-time job.

That’s why we’re investing in new ways to protect the supply chain that make it easier for security researchers to more effectively disclose vulnerabilities to developers, and make it easier for developers to verify the software they are installing is genuine. From the GitHub Security Lab to tools like Dependabot to GitHub Advanced Security, we’re working to help developers and companies monitor, alert, and automatically remediate vulnerabilities in OSS—and software more broadly—as soon they’re discovered. That’s why we offer security tools like Dependabot, code scanning, and secret scanning for free to developers on GitHub.

This is an important capability that effectively mitigates known vulnerabilities, but it’s not the only thing you need to do to protect your supply chain. Sophisticated attackers are increasingly attacking aspects of the supply chain to try to gain an advantage. A newer kind of risk is supply chain attacks. Recall the Solarwinds attack a few years back where an attacker injected malware into software from a company called Solarwinds which was a commercial developer dependency. By breaching the supply chain of a popular component, they were able to leverage this malicious code to attack a large number of additional targets.

At GitHub, we’re partnering with leaders in open source and security like the Open Source Security Foundation to help protect the supply chain against attacks by adding new kinds of signing, attestations, and policies to help developers install only safe dependencies. Whether you’re working in open source or at a company (or both), you can do your part to mitigate supply chain risks today by implementing current best practices.

What to watch

A greater commitment to securing OSS from companies, open source developers, and even governments that collectively rely on open source solutions. We also anticipate more advances in security alerting tool threat detection capabilities and a focus on shifting left to build more secure code from the start through tools like GitHub Advanced Security.

Written by

Justin Hutchings

@jhutchings1@github.com

Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0