05/18/2022 | Press release | Distributed by Public on 05/19/2022 00:03
There's no question the volume, sophistication and severity of software supply chain attacks have increased in the last year. In recent months, the JFrog Security Research team tracked nearly 20 different open source software supply chain attacks - two of which were zero-day threats. This steady barrage of vulnerabilities and malicious packages is driving open source leaders and the wider technology community to come together with the Biden Administration, national security organizations, and U.S. Federal agencies to devise an action plan for how best to address these attacks.
Taking place the same week as the 1-year anniversary of the Biden Administration's Executive Order, the White House hosted part II of the Open Source Software Security Summit, May 12 - 13, 2022, with the original summit participants. A follow-up to the January 13th meeting, the event was attended by 90 executives from 37 companies - including JFrog, our partners at the Linux Foundation, and their Open Source Security Foundation (OpenSSF). The goal of the meeting was to identify challenges and share ideas on ways to enhance the resilience of open source software, then agree on an action plan for solidifying open source software supply chain security.
While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated the need for more hardened processes around validating open-source repositories. What makes open-source complicated is the fact that microservices and containers are hidden deeper within the software. All of it is designed to make development faster and more efficient, but this comes with vulnerabilities. For example, containers are great for shipping applications but, unfortunately, they've also made it easy to hide things.
Thus, at JFrog we believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises. Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen.
There were two areas of discussion during last week's OSS Security Summit that we at JFrog feel are particularly important:
As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Thus, we know just how vulnerable software repositories can be. The hardening of existing central repositories is essential, but doesn't go far enough to secure the software supply chain. We believe the open-source software community needs to build a decentralized package management system that only distributes binaries that were built and verified independently.
JFrog is proud to collaborate with the Linux Foundation and other OpenSSF secure software members to design a set of technologies, processes, accreditations, and policies to help protect our nation's critical infrastructures while nurturing one of the core principles of open source software - innovation.
Last week's summit was a notable step towards outlining an agreed-to action plan and comprehensive portfolio of 10 initiatives, which can immediately address three fundamental goals for hardening the software supply chain:
We encourage you to take a look at the report and let us know your thoughts.
See what the press is saying about the White House Open Source Software Security Summit: