GitHub plans to use the code-signing platform Sigstore to protect its open-source registry, which was targeted in a cyberattack earlier this year.
Microsoft-owned GitHub is proposing a new strategy to help protect open-source projects, following recent attacks on its supply chain.
Despite the benefits of open source, its security vulnerabilities have been highlighted for years, with the Log4Shell flaw raising concerns last year.
GitHub shared plans at a White House summit in January to up its game in the open-source software security space. The company has added two-factor authentication, streamlined login and the “enhanced signing of artifacts” to protect its open-source ecosystem.
In April, GitHub said an attacker had abused stolen OAuth user tokens, issued to the third-party integrators Heroku and Travis CI, to download data from dozens of organisations on its site, including its npm registry. Following this campaign, the company has proposed a further measure to strengthen its security.
Code signing attaches a digital signature to a software artifact so that users can check that it has not been tampered with since it was signed, and that it was signed by the party it claims to come from. GitHub said this helps link packages with their source repositories, giving consumers confidence in what they are installing.
GitHub plans to use code signing for its npm software packages using the platform Sigstore, a collaborative project that includes contributions from Google, Red Hat, VMware, the Linux Foundation and the Open Source Security Foundation.
GitHub director of product management Justin Hutchings said the process would help generate “attestations about where, when, and how the package was authored”. He added that Sigstore is easier and more secure than past methods by not requiring developers to manage “long-lived cryptographic keys”. In Sigstore’s keyless flow, the signing key is generated for a single use, a short-lived certificate binds it to the signer’s OpenID Connect identity, and the signature is recorded in a public transparency log, so consumers verify who signed rather than which key was used.
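The flow described above, reduced to its mechanics, as an added example written for this page rather than code from GitHub, npm or Sigstore: a build generates a one-off key, signs a statement recording the package digest and where, when and how it was built, and a consumer verifies the signature, the signer’s identity, the digest of the tarball it actually downloaded and the attested source repository. The statement layout and field names, the repository and workflow URLs, and the tarball contents are all assumptions made for the example; the signer identity is carried as a plain string where Sigstore would issue a short-lived certificate and log the signature, both of which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a cut-down in-toto-style attestation (an assumed layout, not
// npm's real schema): the subject names the artifact by digest, the predicate
// records where, when and how it was built.
type Statement struct {
	Subject   Subject   `json:"subject"`
	Predicate Predicate `json:"predicate"`
}

type Subject struct {
	Name   string `json:"name"`
	SHA256 string `json:"sha256"`
}

type Predicate struct {
	SourceRepo string `json:"sourceRepo"` // where: repository it was built from
	BuiltAt    string `json:"builtAt"`    // when
	BuilderID  string `json:"builderId"`  // how: the workflow that built it
}

// SignedAttestation is what a registry would publish beside the tarball. The
// Identity field stands in for the certificate a Sigstore CA would issue to
// bind the ephemeral key to the signer; the transparency log is omitted.
type SignedAttestation struct {
	Payload   []byte
	Signature []byte
	PublicKey *ecdsa.PublicKey
	Identity  string
}

// NewStatement records the digest of the tarball being published.
func NewStatement(name string, tarball []byte, repo, builder, at string) Statement {
	d := sha256.Sum256(tarball)
	return Statement{
		Subject:   Subject{Name: name, SHA256: hex.EncodeToString(d[:])},
		Predicate: Predicate{SourceRepo: repo, BuiltAt: at, BuilderID: builder},
	}
}

// Sign mimics keyless signing: a fresh P-256 key is generated, used once and
// dropped when the function returns, so there is no long-lived key to steal.
func Sign(stmt Statement, identity string) (*SignedAttestation, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return nil, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedAttestation{Payload: payload, Signature: sig,
		PublicKey: &priv.PublicKey, Identity: identity}, nil
}

// Verify is the consumer side: the signature must be valid, the signer must be
// the builder the statement names and the builder we expect, the attested
// digest must match the tarball we actually downloaded, and the attested source
// repository must be the one the package claims to come from.
func Verify(att *SignedAttestation, tarball []byte, wantRepo, wantBuilder string) (Statement, error) {
	var stmt Statement
	digest := sha256.Sum256(att.Payload)
	if !ecdsa.VerifyASN1(att.PublicKey, digest[:], att.Signature) {
		return stmt, errors.New("attestation signature invalid")
	}
	if err := json.Unmarshal(att.Payload, &stmt); err != nil {
		return stmt, err
	}
	if att.Identity != wantBuilder || stmt.Predicate.BuilderID != wantBuilder {
		return stmt, fmt.Errorf("signer %q / builder %q is not %q",
			att.Identity, stmt.Predicate.BuilderID, wantBuilder)
	}
	got := sha256.Sum256(tarball)
	if hex.EncodeToString(got[:]) != stmt.Subject.SHA256 {
		return stmt, errors.New("tarball digest does not match attested subject")
	}
	if stmt.Predicate.SourceRepo != wantRepo {
		return stmt, fmt.Errorf("attested source %q is not %q", stmt.Predicate.SourceRepo, wantRepo)
	}
	return stmt, nil
}
```

The order of checks in Verify matters: the signature is validated before the payload is parsed, so an attacker cannot influence the parsing step with unsigned bytes, and the identity check rejects a statement that is correctly signed but by a workflow other than the one the package is expected to come from, which is the gap a stolen token or a forked repository would otherwise exploit.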
“Securing the software supply chain is one of the biggest security challenges our industry faces right now,” Hutchings said in a blog post. “This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community.”
Tzachi (Zack) Zorenshtain, head of software supply chain at application security firm Checkmarx, said code signing is a “great move” to close a gap that attackers could use to abuse the open-source ecosystem.
“We know that attackers will continue to explore the weakest link in the chain, and it’s vitally important to raise the bar and respond to their attacks as quickly as possible,” Zorenshtain said.
Source: www.siliconrepublic.com