Fifty Years of Open Source Software Supply-Chain Security
a day ago
- #software-security
- #supply-chain
- #open-source
- The U.S. Air Force reviewed Honeywell Multics in 1972, concluding that it was more secure than its peers but still not secure, and warning that back doors could be planted in it.
- In 2024, Andres Freund discovered a back door in liblzma (the XZ attack), which compromised the ssh daemon on Debian Linux.
- Software supply-chain security issues are fundamental and persistent, requiring continuous improvement in defenses.
- Open source software supply-chain attacks insert malicious code into trusted software before it is delivered to users.
- Vulnerabilities can arise from third-party open source components, affecting both open and closed source software.
- Key defenses include authenticating software, making builds reproducible, and quickly finding and fixing vulnerabilities.
- Preventing vulnerabilities involves omitting unnecessary dependencies and using safer programming languages.
- Underfunding of open source projects makes them susceptible to attacks, as seen in the XZ attack.
- The XZ attack relied on social engineering: the attacker spent years gaining the maintainers' trust before inserting malicious code.
- Funding open source development is crucial to preventing vulnerabilities and attacks, but how to do so remains unclear.