The RSA Security Conference this week seems more focused on developers than any RSA conference past. And it couldn’t happen at a better time, because attackers are increasingly taking aim at open source repositories to disrupt the software supply chain.
Most recently, GitHub security detected stolen OAuth user tokens, issued to integrators and used by dozens of third parties; but the big news was that the attackers compromised npm, a huge GitHub integration partner with over 1.3 million packages and 75 billion downloads per month. Then in late May, GitHub reported in an update that the attackers had accessed CSV files containing an archive of all names and version numbers of all npm-published private packages as of April 10, 2022, impacting 100,000 user credentials including password hashes, email addresses and more.
Pro Tip: If you’re using npm for integration, try this GitHub tool to find out whether your credentials were leaked.
This is another egregious breach at the very core of the software supply chain. Shortly afterwards, the Linux Foundation and OpenSSF announced a ten-point open source supply chain security mobilization plan that tech giants, including Amazon, Ericsson, Cisco, Dell, Google, Intel, Microsoft and VMware, among others, have pledged more than $30 million to support. The plan’s ten focus areas include:
- Security education for developers
- Risk assessments
- Digital signatures
- Memory safety
- Incident response
- Scanning
- Code audits
- Data sharing
- SBOMs (Software Bill of Materials)
- Build systems, package managers and distribution systems
Many of these areas will be covered at the RSA Conference this year, starting with DevSecOps Connect, a full day of sessions on Tuesday, June 7, hosted by DevOps.com.
On the opening day of the show (Monday, June 6), Cybeats is hosting an evening reception focused on SBOM integration and development and featuring Allan Friedman, who is widely considered the father of SBOMs. Friedman is also speaking on a panel about supply chain visibility and SBOMs on Tuesday of the conference.
Pro Tip: See GrammaTech’s CodeSonar at work with GitHub to scan open source components before, during and after development and generate automatic SBOM documentation.
In fact, RSAC topics around “DevSecOps and Software Integrity” include 54 sessions and events, with another 59 sessions on supply chain security. Meanwhile, the list of vendors addressing supply chain and repository security will also be abundant at RSAC this year—with 79 vendors registered under the subtitle of DevSecOps, and 36 registered under supply chain.
All this attention on DevSecOps, supply chain, and SBOMs is great news for third-party development organizations needing more training and resources to secure their environments and produce bug-free applications. But, as with cybersecurity in general, there are now too many vendors climbing aboard this bandwagon so they can sell products around this pressing ‘hot’ issue (in this case, software supply chain).
So, before talking to vendors, start by assessing your organization internally: How much does your organization rely on open source to develop its commercial applications? How much of it comes from public vs. private repositories? How secure are access controls to those repositories (nobody should be sharing passwords, etc.)? Is security already part of the culture and workflow? If so, are security controls and testing adequate and convenient enough for developers to use and improve on? How will SBOMs impact both the development and the delivery of your applications?
Once you know your organizational needs, you can better filter out the noise in this growing market space and focus on companies that have a trusted track record in enabling secure development.