A new tool aims to save open source from supply chain attacks

Russia’s historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common besides the Kremlin: both are real-world examples of software supply chain attacks. The term describes what happens when an attacker slips malicious code into legitimate software, which then carries it to everyone who installs that software. As supply chain attacks multiply, a new open source project is trying to make them harder by making a crucial protection free and easy to implement.

The founders of Sigstore hope that their platform will encourage code signing, an important protection for software supply chains that is often missing even from well-known and widely used open source software. Open source developers don’t always have the money, time, or expertise to implement code signing properly on top of all the other non-negotiable components they need to build just to make their code work.

“Until about a year and a half ago I felt like I was the crazy person in the corner with a sign that says ‘It’s coming to an end.’ No one understood the problem,” said Dan Lorenc, an open source software supply chain researcher and Google engineer. “But things have changed quite a bit in the last year. Now everyone is talking about supply chain security, there is an Executive Order about it, and everyone is starting to realize how critical open source is and how we need to put some resources into fixing everyone’s security.”

Lorenc is far from the only researcher focused on the security challenges of open source projects and the software supply chain. But the attention drawn by recent high-profile hacks has created a new sense of urgency for Lorenc and his collaborators, who were already on the job.

To understand the importance of Sigstore, you need to know what code signing does. Think of it as a battle order issued in ancient times. The generals would recognize the handwriting of the royal scribe, the form of the ruler’s signature, and the exact wax seal on the envelope, while a trusted messenger carried the orders through a controlled chain of custody. This system worked because it was very difficult (though not completely impossible) for an outside party to enter the process, reproduce all of the crucial elements, and get past every one of these integrity checks.

Cryptographic code signing works the same way. You cannot produce a Windows update and push it out to your friends or your enemies; only Microsoft can do that, unless something has gone badly wrong. One of the reasons a non-Microsoft party cannot send updates to a Windows laptop is that the legitimate software publisher has to cryptographically “sign” each release at the right point in the process. It’s the John Hancock and wax seal of the digital age.

You can see why the stakes are so high, in ancient battles and in modern software alike. If anyone could send orders or updates, they could stage a coup or compromise billions of computers. The benefits of code signing are clear, but the barrier to entry is significant for hobbyists, volunteers, and other open source contributors.

“These are huge problems that endanger the entire infrastructure of the world,” says Bob Callaway, chief architect at the open source software company Red Hat. “It’s certainly not a panacea that will fix everything, but it will get people to use the best practices and cryptographic techniques they’ve had for a long time and make notes safer.”

Sigstore, which is affiliated with the Linux Foundation and currently run by Google, Red Hat and Purdue University, combines two components. First, it takes the confusing cryptography off its users’ hands; developers who can’t or don’t want to do that work themselves can have it handled for them entirely. Using pre-existing identities, such as an email address or a third-party login such as Sign in with Google or Sign in with Facebook, you can quickly start cryptographically signing the code you produce at any point. Second, Sigstore automatically creates an open, public record of all signing activity. That record provides public accountability for each submission and a place to start investigating if something goes wrong.
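To make the two mechanisms described above concrete, here is an added example that is not Sigstore’s code and simplifies what it does: a publisher signs the SHA-256 digest of a release with an Ed25519 key (the digital “wax seal” from the code-signing explanation), a consumer rejects any artifact whose bytes have changed or whose signature came from a different key, and every signing event is appended to a toy hash-chained public log, so that later edits to that record are detectable. Sigstore itself issues short-lived certificates tied to a login identity rather than long-lived keys; the `Signer` field here only stands in for that identity. The type names (`Release`, `LogEntry`), function names and the sample artifact bytes are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a constructed stand-in for a software artifact: the bytes a
// publisher ships and that users install.
type Release struct {
	Name    string
	Content []byte
}

// Digest returns the SHA-256 of the artifact bytes. Signing the digest rather
// than the raw bytes is how real code-signing schemes keep signatures small.
func (r Release) Digest() []byte {
	h := sha256.Sum256(r.Content)
	return h[:]
}

// NewPublisherKey generates the publisher's signing key pair. In Sigstore the
// key is short-lived and bound to a login identity; here it is a plain key.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRelease produces the publisher's signature over the artifact digest.
func SignRelease(priv ed25519.PrivateKey, r Release) []byte {
	return ed25519.Sign(priv, r.Digest())
}

// VerifyRelease checks that sig was produced over exactly these artifact bytes
// by the holder of the private key matching pub. Any change to the content,
// or a signature made with a different key, fails.
func VerifyRelease(pub ed25519.PublicKey, r Release, sig []byte) bool {
	return ed25519.Verify(pub, r.Digest(), sig)
}

// LogEntry is one record in a toy append-only transparency log: who signed
// what, chained to the previous entry by hash so history cannot be rewritten
// without the change being visible.
type LogEntry struct {
	Signer   string // identity the signer authenticated with, e.g. an email address
	Artifact string
	Digest   string
	Sig      string
	PrevHash string
	Hash     string
}

// entryHash covers every field except Hash itself, including the link to the
// previous entry, so altering any earlier record breaks all later links.
func entryHash(e LogEntry) string {
	h := sha256.New()
	h.Write([]byte(e.Signer + "\n" + e.Artifact + "\n" + e.Digest + "\n" + e.Sig + "\n" + e.PrevHash))
	return hex.EncodeToString(h.Sum(nil))
}

// Append records a signing event, linked to the current tail of the log.
func Append(tlog []LogEntry, signer string, r Release, sig []byte) []LogEntry {
	prev := ""
	if len(tlog) > 0 {
		prev = tlog[len(tlog)-1].Hash
	}
	e := LogEntry{
		Signer:   signer,
		Artifact: r.Name,
		Digest:   hex.EncodeToString(r.Digest()),
		Sig:      hex.EncodeToString(sig),
		PrevHash: prev,
	}
	e.Hash = entryHash(e)
	return append(tlog, e)
}

// VerifyLog recomputes every hash and link. It returns the index of the first
// inconsistent entry, or -1 when the whole chain is intact.
func VerifyLog(tlog []LogEntry) int {
	prev := ""
	for i, e := range tlog {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	pub, priv := NewPublisherKey()
	// Constructed sample artifact; a real release would be a tarball or image.
	rel := Release{Name: "app-1.0.0.tar.gz", Content: []byte("constructed sample build")}
	sig := SignRelease(priv, rel)
	fmt.Println("genuine release verifies:", VerifyRelease(pub, rel, sig))

	tampered := Release{Name: rel.Name, Content: append([]byte("constructed sample build"), []byte(" + injected code")...)}
	fmt.Println("tampered release verifies:", VerifyRelease(pub, tampered, sig))

	tlog := Append(nil, "maintainer@example.com", rel, sig)
	fmt.Println("intact log, first bad index:", VerifyLog(tlog))
	tlog[0].Digest = "deadbeef" // someone edits the public record after the fact
	fmt.Println("edited log, first bad index:", VerifyLog(tlog))
}
```

The consumer side needs only the publisher’s public key and the log: it verifies the signature against the bytes it actually downloaded, and the chained log lets anyone later check that the record of who signed what has not been quietly altered.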
