
How an OSPO Can Help Secure Your Software Supply Chain

  • June 13, 2022


It's nearly impossible these days to build software without using open source code. But all that free software carries additional security risks.


Organizations grapple with how best to secure their open source software supply chain. But there's another problem: Many companies don't even know how many open source applications they have — or what's in them.


The worst-case scenarios include debacles like 2021's Log4j security vulnerability, or what happened with SolarWinds' proprietary Orion network monitoring product, which was infected with malware in 2020.

For companies that build and ship software, the best practice is to "ship what you know and know what you ship," according to Suzanne Ambiel, director of open source marketing and strategy at VMware Tanzu. And that "shipping manifest" applies to open source and proprietary code equally.

"Your customer and user community is trusting that what you are providing to them is good and clean and secure," she said. "They trust you to have done the hard work, and that you know what's in your software."

In order to get a handle on the potential risks involved with using open source, companies need to have a clear understanding of what open source code is used in their environment, stay up to date on patching, and even conduct their own vulnerability scans and assessments if necessary.


An open source program office (OSPO) — a bureau of open source experts within your organization dedicated to overseeing how your company uses, creates and contributes to free software — can help coordinate all these efforts.

An OSPO can help a company get a handle on the open source code it uses and establish visibility into open source projects and tools, said Liz Miller, vice president and principal analyst at Constellation Research.

"Fundamentally, the purpose of an open source program office is to centralize the understanding of dependencies, implementation and utilization of open source code across an enterprise," Miller said. "There is a significant security benefit to an OSPO."

What's In Your Open Source Code?


Today's software is made up of components from a variety of sources. "It's never 100% one thing," said VMware's Ambiel.

"There's some code that you have written for the first time, so you obviously know what's in there. But you may have used some containerized software. And you are going to be reusing some code. And everyone uses open source code."

Recent studies differ on exactly how much open source code enterprises use, but it's a lot:

  • A survey by The Linux Foundation, the TODO Group and The New Stack, published in September, found that 81% of respondents use open source software in their non-commercial or internal products at least sometimes, and 67% use it in their commercial or external products.

  • Last April, application security testing company Synopsys reviewed the code of more than 1,500 enterprise software projects, both internal and commercial, and found that 98% of them contained some open source code. For an average application, 75% of the codebase was open source.

Here's the scary part: In Synopsys' analysis, 84% of the codebases had at least one vulnerability. And 91% of the open source components used hadn't seen any maintenance in the past two years.

Even open source code that has been in circulation for years and has been seen and used by millions can include vulnerabilities lurking layers deep in the code, said Miller.

"The reality of open source is that for the security professional, hearing that a software supply chain is filled with unchecked, unknown and completely invisible open source code is the stuff nightmares are made of," she said.

That's why software needs to come with a "bill of materials" said Ambiel, a complete inventory of all the components that go into a software package, and their versions and license terms.

And there's a lot happening on that front. An OSPO can help companies stay on top of the latest recommendations, she said.

For example, last May President Biden issued an executive order requiring a software bill of materials (commonly known as an SBOM) from vendors that provide software to the federal government.

Two days later, the Cloud Native Computing Foundation (CNCF) released a best-practices white paper recommending that all vendors provide an SBOM where possible, with clear and direct links to dependencies.

The CNCF white paper also recommended that companies scan their software with software-composition analysis tools to detect vulnerable open source components, and use penetration testing to check for basic security errors or loopholes and resistance to standard attacks.

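The kind of software-composition check the white paper recommends, as an added example written for this page (not the article's, the CNCF's or any vendor's tool): it matches a constructed component inventory against a constructed advisory list using half-open version ranges, and separately flags components with no release in two years, the condition behind the 91% figure quoted above. Every package name, version, release date and advisory id (`example-logging`, `EXAMPLE-ADV-0001`, ...) is constructed for illustration.

```python
# Added example, not the article's or the CNCF's own tooling: a minimal
# software-composition check over a constructed inventory of components.
# Package names, versions, dates and advisory identifiers are constructed.
from dataclasses import dataclass
from datetime import date

# Constructed inventory: (package, version, date of the component's last release).
INVENTORY = [
    ("example-logging", "2.14.1", date(2021, 3, 6)),
    ("example-json", "1.3.0", date(2019, 11, 2)),
    ("example-http", "4.5.13", date(2022, 5, 1)),
]

# Constructed advisory feed. A component is affected when
# introduced <= version < fixed (the half-open convention OSV advisories use).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-logging",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-json",
     "introduced": "0.0.0", "fixed": "1.2.0", "severity": "high"},
]

# Constructed date of the scan, used for the maintenance check.
SCAN_DATE = date(2022, 6, 13)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str


def find_vulnerable(inventory, advisories):
    """Match every inventory entry against every advisory for the same package."""
    findings = []
    for package, version, _last_release in inventory:
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(package, version, adv["id"], adv["severity"]))
    return findings


def find_unmaintained(inventory, today, max_age_days=730):
    """Packages whose last release is older than max_age_days (two years by default)."""
    return [package for package, _version, last in inventory
            if (today - last).days > max_age_days]


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"VULNERABLE {f.package}=={f.version}: {f.advisory} ({f.severity})")
    for package in find_unmaintained(INVENTORY, SCAN_DATE):
        print(f"UNMAINTAINED {package}: no release in over two years")
```

Real SCA tools do the same matching with a maintained advisory feed and a version grammar per ecosystem; the point this example isolates is that the match is only as good as the inventory fed to it, which is why the SBOM discussed next matters.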

And more recently, the Linux Foundation published a report that provides additional insights and recommendations for best practice management of your software supply chain.

With an in-house OSPO in place, the professionals in that office can help educate developers on the best practices for creating SBOMs and also help establish Software Package Data Exchange (SPDX) standards, which is how SBOM information is communicated.

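What an SPDX SBOM actually carries, as an added example written for this page (not VMware's, the Linux Foundation's or any SPDX project tool): it emits a minimal SPDX 2.3 JSON document for a product and its components, and a validator that checks the fields and relationships a downstream consumer relies on. The product, component names, versions, purls, tool name and document namespace are all constructed.

```python
# Added example: emitting and sanity-checking a minimal SPDX 2.3 JSON SBOM.
# Product, components, purls, namespace and tool name are constructed.
import json
import re

# SPDX identifiers are "SPDXRef-" followed by letters, digits, '.' and '-'.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
REQUIRED_PACKAGE_FIELDS = ("name", "SPDXID", "versionInfo", "downloadLocation", "licenseConcluded")

# Constructed component list for the example product.
COMPONENTS = [
    {"name": "example-logging", "version": "2.14.1", "license": "Apache-2.0",
     "purl": "pkg:maven/org.example/example-logging@2.14.1"},
    {"name": "example-json", "version": "1.3.0", "license": "MIT",
     "purl": "pkg:maven/org.example/example-json@1.3.0"},
]


def spdx_id(name, version):
    """Derive a valid SPDXID; characters outside the allowed set become '-'."""
    return re.sub(r"[^A-Za-z0-9.\-]", "-", f"SPDXRef-Package-{name}-{version}")


def build_sbom(product, product_version, components, namespace, created="2022-06-13T00:00:00Z"):
    root_id = spdx_id(product, product_version)
    packages = [{"name": product, "SPDXID": root_id, "versionInfo": product_version,
                 "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION"}]
    # The document must DESCRIBE its root package; dependencies hang off that root.
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": root_id}]
    for c in components:
        cid = spdx_id(c["name"], c["version"])
        packages.append({
            "name": c["name"], "SPDXID": cid, "versionInfo": c["version"],
            "downloadLocation": "NOASSERTION", "licenseConcluded": c["license"],
            # A purl gives consumers an unambiguous key for advisory lookup.
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": c["purl"]}],
        })
        relationships.append({"spdxElementId": root_id, "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": cid})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{product}-{product_version}", "documentNamespace": namespace,
        "creationInfo": {"created": created, "creators": ["Tool: example-sbom-builder"]},
        "packages": packages, "relationships": relationships,
    }


def validate_sbom(doc):
    """Return a list of problems; an empty list means every check passed."""
    problems, ids = [], set()
    for p in doc.get("packages", []):
        for field in REQUIRED_PACKAGE_FIELDS:
            if field not in p:
                problems.append(f"{p.get('name', '?')}: missing {field}")
        sid = p.get("SPDXID", "")
        if not SPDX_ID_RE.match(sid):
            problems.append(f"bad SPDXID {sid!r}")
        if sid in ids:
            problems.append(f"duplicate SPDXID {sid!r}")
        ids.add(sid)
    rels = doc.get("relationships", [])
    if not any(r["relationshipType"] == "DESCRIBES" for r in rels):
        problems.append("document does not DESCRIBE a root package")
    for r in rels:  # every relationship end must exist in this document
        for key in ("spdxElementId", "relatedSpdxElement"):
            if r[key] != "SPDXRef-DOCUMENT" and r[key] not in ids:
                problems.append(f"relationship refers to unknown {r[key]!r}")
    return problems


def example_document():
    return build_sbom("example-service", "1.0.0", COMPONENTS,
                      "https://sbom.example.com/spdx/example-service-1.0.0")


def to_json(doc):
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    doc = example_document()
    print(to_json(doc))
    print("problems:", validate_sbom(doc))
```

The validator is deliberately stricter than "is it JSON": a package without `versionInfo` or a relationship pointing at an element the document never defines is exactly what makes an SBOM useless to the scanner that consumes it.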
It can also help devs keep abreast of emerging concepts like the new framework for software supply chain integrity, called Supply-Chain Levels for Software Artifacts, or SLSA, introduced by Google in collaboration with OpenSSF in 2021.

Keeping up to date with these best practices is a challenge, said Ambiel. “Being a developer is hard enough, and asking them to take on that challenge pulls them away from the applications or products they’re trying to build.”

An OSPO “can bring in the best practices and apply them in the best way possible, given the company you are and the software development that you do,” Ambiel said.

Protecting Open Source Software from Attack


Attacks on the open source software supply chain increased 650% last year compared to 2020, according to Sonatype's state of the software supply chain report, released in September.

And that was before the Log4j vulnerability, which security researchers called the most dangerous Java exploit in years, came to light.

An OSPO can help developers stay abreast of new developments in open source security and build more secure applications, while also staying on top of required updates and patches.


Software is constantly changing, and it’s a constant challenge for companies to keep up with those changes. An OSPO can also help create and maintain connections to open source communities that keep track of the latest changes in software, and these connections can help companies stay on top.

“What’s current today is technical debt tomorrow,” said Ambiel. “It’s a big job. But when it comes to these big ecosystem challenges, that’s where the open source community really shines and can step up.”

Keeping on top of code changes is a problem that everyone has, she said: “No one is excluded. Everybody has to pay attention to this." When companies open themselves up to new ideas from beyond their corporate borders, that’s when the best solutions come to bear, she added.


For example, the open source community has been working on supply chain security and compliance for years. The Linux Foundation’s Tern project, which inspects container images, is part of its Automated Compliance Tooling initiative.

An OSPO can also tap outside expertise through the OpenSSF, which is working on systemic solutions and ways to combat increasing attacks like typosquatting and malicious code.

All of this is important because attackers are getting proactive, said David Wheeler, director of open source supply chain security at the Linux Foundation.

They directly inject malware into software source code or installable packages, sometimes just submitting an update with malware in it and hoping nobody notices, or doing so after stealing a developer’s password.

“Malicious code injection is the kind of attack that most people think about, yet in practice, it’s less common in open source software,” said Wheeler. “Still, it can be devastating when it happens.”

The most common way to replace legitimate code with malicious code is by creating a duplicate package on a different repository. A developer might think they’re loading a trusted package from their in-house repository but load a package with the same name from a different, public repository because it has a later release date.


“Typosquatting is another common attack,” said Wheeler. This is when the malicious package has almost the same name as the real one. “The developer uses the malicious package instead — often because the developer makes a typo.”

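A resolver-side policy check against the two substitutions Wheeler describes, a same-named package in a public index shadowing an internal one and a look-alike name, as an added example written for this page (not from the article, the OpenSSF or any package manager). Index contents, the internal-name allowlist, the reference set of well-known public names and the `resolve`/`lookalikes` functions are all constructed for illustration.

```python
# Added example: a resolver policy that refuses to let a public package shadow
# an internal name (whatever version it advertises) and warns on look-alike
# names. Index contents, allowlists and package names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str  # "internal" or "public" index


# Constructed: packages that exist only in the in-house index.
INTERNAL_NAMES = {"acme-auth", "acme-billing"}

# Constructed: well-known public names used as the reference set for look-alikes.
KNOWN_PUBLIC = {"requests", "urllib3", "cryptography", "pyyaml"}

# Constructed index contents. The public "acme-auth" with a much higher version
# number is the bait in the same-name substitution described above.
CANDIDATES = [
    Candidate("acme-auth", "1.2.0", "internal"),
    Candidate("acme-auth", "99.0.0", "public"),
    Candidate("requests", "2.28.0", "public"),
    Candidate("reqeusts", "2.28.0", "public"),
]


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps,
    so a transposed pair of letters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(name, known=KNOWN_PUBLIC, max_distance=1):
    """Known names that `name` nearly matches; an exact match is not a look-alike."""
    if name in known:
        return []
    return sorted(k for k in known if osa_distance(name, k) <= max_distance)


def resolve(name, candidates=CANDIDATES):
    """Return (chosen candidate, warnings). Internal names are served only from the
    internal index, no matter what version the public index advertises."""
    warnings = []
    matching = [c for c in candidates if c.name == name]
    if name in INTERNAL_NAMES:
        if any(c.source == "public" for c in matching):
            warnings.append(f"public index also offers internal name {name!r}; ignored")
        pool = [c for c in matching if c.source == "internal"]
        if not pool:
            raise LookupError(f"{name!r} is internal but missing from the internal index")
    else:
        for k in lookalikes(name):
            warnings.append(f"{name!r} looks like {k!r}; possible typo")
        pool = [c for c in matching if c.source == "public"]
        if not pool:
            raise LookupError(f"{name!r} not found")
    chosen = max(pool, key=lambda c: parse_version(c.version))
    return chosen, warnings


if __name__ == "__main__":
    for requested in ("acme-auth", "requests", "reqeusts"):
        chosen, warnings = resolve(requested)
        print(requested, "->", chosen.source, chosen.version, warnings)
```

The key design choice is in `resolve`: for an internal name the public index is never consulted, so "newest version wins" cannot be used against you. A production policy would usually turn the look-alike warning into a hard refusal that a human has to override.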
OSPOs and Open Source Communities

To guard against these kinds of attacks, Wheeler recommends that companies engage more with open source communities.

Having an OSPO helps companies do just that. Fifty-six percent of participants in the Linux Foundation survey felt that engaging with the developer community was a chief responsibility of an OSPO, and almost 69% said promoting an open source culture in-house was a chief responsibility of an OSPO.

If an open source project is important to a company but the project doesn’t have multiple people reviewing code upgrades, then it might make sense to join the project.


“The costs of doing so are typically far less than trying to independently develop and maintain your own software,” Wheeler said.

He also suggested that companies get involved in the OpenSSF, a consortium of many organizations working on systemic solutions, such as distributing multifactor authentication tokens to software developers.

“Different organizations may choose to resolve these challenges differently,” Wheeler said. “But OSPOs are often well-placed to help.”


