Two visions of 'software supply chain security'

October 20, 2024

Although the website that is insisting I use MFA if I want to use it to file bug reports doesn't use the words in its messages to me, we all know that the reason it is suddenly demanding I use MFA is what is broadly known as "software supply chain security" and the 'software supply chain' (which is a contentious name for deciding that you're going to rely on other people's open source code). In thinking about this, I feel that you can have (at least) two visions of "software supply chain security".

In one vision, software supply chain security is a collection of well intentioned moves and changes that are intended to make it harder for bad actors to compromise open source projects and their source code. For instance, all of the package repositories and other places where software is distributed try to get everyone to use multi-factor authentication, so people with the ability to publish new versions of packages can't get their (single) password compromised and have that password used by an attacker to publish a compromised version of their package. You might also expect to see people looking into heavily used, security critical projects to see if they have enough resources and then some moves to provide those resources.

In the other vision, software supply chain security is a way for corporations to avoid being blamed when there's a security issue in open source software that they've pulled into their products or their operations (or both). Corporations mostly don't really care about achieving actual security, especially since real security may not be legibly secure, but they are sensitive to blame, especially because it can result in lawsuits, fines, and other consequences. If a corporation can demonstrate that it was following convincing best practices to obtain secure (open source) software, maybe it can deflect the blame. And when doing this, it's useful if the 'best practices' are clearly legible and easy to assess, such as 'where we get open source software from insists on MFA'.

In the second vision, you might expect a big (corporate) push for visible but essentially performative 'security' steps, with relatively little difficult analysis of underlying root causes of various security risks, much less much of an attempt to address deep structural issues like sustainable open source maintenance.

(If you want an extremely crude measuring stick, you can simply ask "would this measure have prevented the XZ Utils backdoor". Generally the answer is 'no'.)


Comments on this page:

The “supplier” incurring liability should always be the person who imports an open-source dependency into a commercial project, not the upstream author, and that’s how the EU’s cyber-resilience act (CRA) and the upcoming Product Liability Directive deal with it:

https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

By Michael at 2024-10-21 03:29:14:

Your post seems to imply that software supply chain security is an issue only for open-source software. You make a good argument for why it is an issue for open-source software, but I would argue that the same issue applies equally to non-open-source software.

In fact, several reasonably recent, large supply chain-related security incidents (Solarwinds and CrowdStrike to name two, and yes I count the CrowdStrike mess as a supply chain incident) have been in proprietary software.

And if we're willing to remove the "software" part of the term, the recent exploding pagers also count as a supply chain security issue.

Supply chain security is simply about the trust we (must) place in someone else who provides something - anything - to us.

By Anonymous at 2024-10-21 08:26:37:

Perhaps MFA wouldn't have stopped the XZ Utils backdoor. And perhaps the same thing can be said when the maintainer of a project gets offered a large sum of money to willingly (and secretly) hand over the keys to the kingdom, and thereby allowing malicious actors to push malicious code. (I vaguely seem to remember that something like this happened with a popular browser add-on, but cannot find it now).

But it's an imperfect world. I would rather see some of the attack vectors get blocked by something like MFA, than do nothing at all.

By alex at 2024-10-21 11:39:44:

Fazal wrote:

The “supplier” incurring liability should always be the person who imports an open-source dependency into a commercial project

But I don't see anything in the linked post to support that. That would be a huge change, making software developers akin to engineers (which, to be fair, some of them do falsely claim to be). They'd have to carry professional insurance, have the authority to tell their employers "no", and meet standards of competent engineering—even when reviewing code by other people. The Cyber Resilience Act appears to apply to "manufacturers"—that is, companies selling products—and not individuals.

I vaguely seem to remember that something like this happened with a popular browser add-on, but cannot find it now

Is it the Stylish extension you were thinking of, maybe?

By cks at 2024-10-23 15:43:45:

I believe it's happened to a number of popular extensions. Some of the cases are reasonably well known because the change of ownership was relatively open, but others have been more covert and only discovered well after the fact. Apparently authors of a number of popular extensions have reported getting quiet offers of this nature, too.

(My memory is that the widely publicized cases haven't been done by malware people but by surveillance advertising, which at least pretends to not be 'malware'.)

By Anonymous at 2024-10-24 07:32:32:

I honestly cannot recall, but I think it was a popular ad-blocker ? And yes, now I do some more searching on this subject, it indeed seems to have happened quite a few times with different extensions.

By Miksa at 2024-10-24 10:12:07:

You are probably thinking of uBlock. The original author got annoyed with his customers and gave it to someone else for maintenance. Later the second party sold it to a sketchy adblock company with "acceptable ads" scheme. This is the reason why you need to specify "uBlock Origin" when recommending blocker for anyone. I don't know of any other trusted browser blockers.

https://en.wikipedia.org/wiki/UBlock_Origin

By Anonymous at 2024-10-24 11:08:46:

Could be. Or, now I have done more searching on this matter than would be considered healty, it seems that Nano Adblocker / Nano Defender are also likely candidates. Oh, well.

Written on 20 October 2024.
« Forced MFA is effectively an annoying, harder to deal with second password
Quoting and not quoting command substitution in the Bourne shell »

Page tools: View Source, View Normal.
Search:
Login: Password:

Last modified: Sun Oct 20 23:04:45 2024
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.