TrustSource adds OpenSSF Scorecards
click here to enlarge image
In our component database, where we collect meta and clearing information on components, we added the Open Source Security Foundation (OpenSSF) Scorecard to help exploring the security status of open source projects. The score, introduced by the OpenSSF project of the Linux Foundation in 2020 and currently evaluated on regular basis for about 1 million open source projects on Github, is an aggregated value reflecting the security measures taken by the open source project. It can be used as an indication on how much you may trust the security efforts of a particular project without having evaluated it further.
What does the Scorecard tell?
The scorecard value or score is the result of sixteen checks reflecting secure software development best practises. They comprise the domains of development, testing, maintenance and vulnerabilities but also code and build management. Based on the a comprehensive set of best practises the tests scan the code repository for evidence, that the practises are actively supported by the project.
Currently 18 tests are available, 16 of which are available through the API. The detailed documentation can be found here. Each test will receive a score between 0 and 10, with 10 being the best possible score. The tests come with a result and and a risk as weight. The sum of all tests together with their weight derives the total score.
Some tests may sometimes not be applicable due to project design decisions, e.g. if the project does not supply packages through Github, the packaging test will not apply, since the current implementation does not yet provide a mechanism to verify the different package managers.
However, given you want to make a decision whether or not to use a particular component, running a scorecard test – or looking at the component in our database – will help you getting an impression on what effort you might need to invest in securing the component. The higher the score the more you may trust on the component.
What does the Scorecard NOT tell?
Please do not understand a high score as a guarantee for a secure component! Also a low score does not immediately relate to a weak or flawy component! There is no logic in assuming that a low score is an indication for a vulnerable component!
The score indicates which steps the project takes to ensure the code it provides follows best practises and therefor has a high likeliness of being free from errors and vulnerabilities. But it is no guarantee! If all is done fine, all tests boost to 10, there still might be the chance that a vulnerability occurs in an upstream component which is not simple or possible to fix for the project itself.
Use the score as an indicator but make the decision of whether to use a component or not based on its functionality not only on the score. You will – especially in these early days when the score is not yet widely adopted –
What comes next?
However, we highly recommend using scorecards because they give an indication of how strongly you may rely on your upstream components.
Since TrustSource knows all the components you apply inside your solution, it will now be possible to make more out of the single scores. A simple average will not make sense. Due to the amount of components an average score will have to be expected somewhere at a meaningless 5. But we are currently experimenting with quantiles or top 10 and low 10 averages as well as the relation of not scored components compared to scored ones.
In addition we will provide a service, that will allow you to check your own components by just providing a URL and transferring the scorecard to non github projects. Given we achieve some success, we will contribute our developments back to OpenSSF.
Questions? Stop searching further, just reach out and get answers!
TrustSource @ LSEC on SBOMs
Let’s meet at the IIOT SBOM Nov. 10th!
Thank you @ LSEC – Leaders In Security for inviting us to talk about #SBOM #DevSecOps and the upcoming challenges form the security point of view. @Jan will address the challenges around generating SBOMs, how to tackle it on the automation side in his talk “Getting the SBOM right, and then?”. Further on the talk will address thoughts on the life cycle perspective, what comes after the SBOMs creation. It also will also report about the work the #LinuxFoundation #OpenChain Automation work group is performing as well as invite to a new sort of SBOM user group, outlining best practises on defining SBOMs.
Looking forward having great conversations and learn even more about the challenges you are facing while creating SBOMs in the IIOT world.
C U there!
Gleaning
(22.11.22) Thank you very much for the kind hosting and the gerat exchange to all other speakers and participants at the IIOT SBOM. It has been great to learn about your demands and thoughts. Looking forward talking to you further. All speeches have been recorded and are avialble at the IIOT SBOM website. Jan’s talk we linked here.
It is split into two sections due to coordination with some speakers from different time zones. However, the first part addresses the SBOM and its contents. What should go in, what is a suitable format and what are the benefits of producing SBOMs (besides compliance with regulatory requirements). The second part addresses SBOM creation automation, transfer a few experiences from the legal SBOM design and spins a few thoughts on what you may do with SBOMs whilst they are around.
How TrustSource protects against dependency confusion attacks
What has happened?
Security researchers have managed to gain access to various high-security networks with the help of a dependency confusion attack. With this attack, they managed to send protected information and data from within the affected networks to the outside. However, depending on the attack scenario, other activities would also be imaginable. Once behind the defense lines, the damage scenario can be freely chosen.
How was the attack executed?
The security researchers got the idea when they found names of private packages in the published open source tools of the companies (Apple, Adobe, etc.)
Companies often use open source and supplement certain functionalities or graphical controls with their own libraries. These, in turn, are developed by only one team and made available as separate packages or libraries to other development teams. This is efficient and convenient because the broad set of development teams does not have to worry about it, yet the look-and-feel remains consistent across different applications or services.
If the companies now play software back to the community and the references to such “private” packages are not removed from the source code, the release will carry the name of these packages outside. This in itself is not that dangerous. It only becomes interesting if the information is exploited for a dependency attack (see next page).
How could you protect yourself from this to happen?
- Component naming:
If the internal component names follow a naming scheme, such asORG.COPMANY.UNIT.UITOOLS
, it becomes much more difficult for third parties to create corresponding names in the package managers without causing a stir.ORG.COPMANY.UNIT.UITOOLS
is more noticeable than the 100th version ofUITOOLS
. - Configuration of packet manager proxies:
To be successful in the attack, the local distribution mechanisms must be outwitted. It should be ensured that no updates are pulled from outside for certain package types, e.g. with the help of the name identifier or a simple blacklist. - Version control:
With the help of a version history, it quickly becomes possible to determine which versions are in use. A jump from 1.2.3 to 69.1.0 can be discovered quickly or is noticeable.
What is a dependency confusion?
Modern package systems use package managers, especially to manage the ever-growing number of open source components. Each build specification therefore contains a list of the components to be included. In Java this is the POM.XML file, in Node.JS (JavaScript) it is the PACKAGES.JSON.
In this file the components and the minimum requirements to the components, the version numbers are indicated. Since many components change frequently, the requirements often contain not only the exact version number, e.g. 1.2.3
, but a note like ^1.2.3
, which means something like: “Give me at least 1.2.3 or newer.” . If the maintainer of the component updates to e.g. 1.2.4
(new patch) or 1.3.0
(new feature), the own solution would be able to profit from the innovations with the help of the formulation during the next build.
If a malicious actor now posts a newer version in a package manager, for example a 12.1.0
, he can be relatively sure that this version would be provided by the package management for the context described above.
If the project now builds a new version, the malicious code would be pulled from outside, integrated into a QA system, and deployed there. Depending on the damage scenario chosen, a lot can be done with this.
You want to manage vulnerability protection along the complete lifecycle of your product?
TrustSource can help to protect you!
If you use TrustSource, it will know the current versions of your modules and solutions, as well as publicly available components. Sudden version jumps of publicly available components are detected by our systems and reported to our support team for review. Critical developments are reported back to the projects.
If you are already using TrustSource, you are probably familiar with the concept of “linked modules”, the integration of releases of your own software. If versions appear here that were previously unknown, this also leads to a report to the respective project manager. In this way, you can be sure to notice corresponding developments quickly.