By Isaac Hepworth (Google), Melba Lopez (IBM), and Jay White (Microsoft)
This month’s spotlight is on the OpenSSF Supply Chain Integrity Working Group (SCI WG). In this post you can learn more about what this working group has been doing, what’s in the pipeline, and how you can get involved.
Within the SCI WG, we’re hosting a global community of individuals and organizations collaborating on scalable standardized attestable practices for supply chain security. Along the way we’re developing a shared vocabulary for the industry, a common problem model, and uniform frameworks spanning languages and ecosystems.
Ultimately, we aim to drive an uplift in overall end-to-end supply chain security through upstream adoption of robust security practice combined with downstream risk control using attestation-driven policy.
Highlights of the Past Few Months
The biggest highlight of the past few months is the SLSA 1.0 release. SLSA, or Supply-chain Levels for Software Artifacts, is a framework for software supply chain security, organized into a series of levels designed to give confidence that software hasn’t been tampered with and can be securely traced back to its source. The initial 0.1 release was nearly two years ago; since then we’ve been delighted to have feedback from real-world adoption helping us shape a strong, pragmatic, approachable 1.0 specification. Along the way we’ve had contributions from Chainguard, Intel, VMware, IBM, Microsoft, Red Hat, Google, Kusari, and others in the community.
A related highlight is GitHub’s announcement of package provenance for npm based on SLSA and OpenSSF’s Sigstore. Providing provenance gives package consumers the ability to verifiably link a package back to its source and the build commands used to publish it, which increases the auditability of the build and makes it harder for someone to tamper with it. npm is the largest language-specific package ecosystem and it’s been tremendous working with them to bake provenance into the npm pipeline. We hope this work will serve as a useful template for other language ecosystems to follow.
Since being donated to the OpenSSF in November 2022, the Secure Supply Chain Consumption Framework (S2C2F) is beginning to gain similar traction. S2C2F focuses on the safe consumption of upstream components and can be used to assure the safe consumption of OSS dependencies in a development workflow. Since S2C2F’s adoption by the OpenSSF, we have seen tremendous acceptance and traction within the supply chain security community, particularly among end users with ingestion and dependency management concerns. This has afforded the opportunity to begin developing sought-after training courses and to continuously improve the framework through SIG participation and thought leadership on emerging threats. In addition, many in the community view S2C2F and SLSA as developing end-to-end frameworks that take on the challenges seen today while also scaling to stay ahead of the emerging threats of tomorrow.
At RSAC 2023 in San Francisco, Adrian Diglio presented the OpenSSF Secure Supply Chain Consumption Framework (S2C2F). The session showcased how the S2C2F and SLSA frameworks complement each other, and gave an overview of the S2C2F requirements and maturity levels for securely consuming dependencies into the developer workflow. This is an exciting example of how we are spreading awareness to increase adoption and community engagement.
New and Upcoming Initiatives
Something else we’re excited about is landing with a clear north star for the Supply Chain Integrity WG within OpenSSF. We have a promising draft outlining an expansive vision, a set of principles to guide us on the journey, and some immediately actionable chunks of work which are execution-ready.
We are also working on training for the Security Knowledge Framework (SKF). SKF is an open source web application that helps developers integrate security by design in their applications by explaining secure coding principles in multiple programming languages. Through SKF we are working on training modules for S2C2F and are currently in discussions to begin training for FRSCA as well. By providing these trainings, we believe we can help improve understanding of how SLSA, S2C2F, and FRSCA fit together and their respective use cases.
Finally, the value S2C2F has for end users and consumers across the ecosystem can’t be overstated. To further show the OpenSSF’s commitment to securing the supply chain for end users and consumers, the S2C2F SIG and the SCI WG are further developing, positioning, and encouraging the adoption of S2C2F toward a potential Publicly Available Specification (PAS) submission to ISO, through the Joint Development Foundation. This is a very intensive endeavor, but it is another way the SCI WG and the OpenSSF are giving back to the community in what we believe is the most impactful way possible.
Get Involved
We’d love for you to get involved in our efforts to secure the software supply chain! To begin, you can drop in on the meetings (see the public calendar) or say hi in Slack. Bring opinions about the vision document for bonus points.
Also, we could badly use some hands-on-keyboard help with FRSCA, where we’ve got lots of ideas but relatively few technical practitioners to put them into motion. FRSCA (Factory for Repeatable Secure Creation of Artifacts) works on securing build pipelines in order to improve supply chain security.
Learn more about our working group, or get involved, on our GitHub page and stay tuned to learn more about the initiatives we are working on! We hold meetings every other Wednesday at 9 AM Pacific, and you are welcome to join our meetings and help with our initiatives.
About the Authors
Jautau “Jay” White, PhD, MBA, MS, CISM, CISSP-ISSAP, OSCP, CDPSE, Security Principal Program Manager, OSS Ecosystem Team, Azure Office of the CTO – Microsoft
Jay has over 20 years of IT/information security experience including 15 years dedicated to supply chain and cyber risk, security, privacy, and compliance. He provides a combined tactical and strategic balance towards the implementation of enterprise and cyber risk management, security and compliance requirements that aligns to an organization’s broader business strategy. Jay believes that companies should go beyond the status quo for their customers and partners and take the teamwork/community approach to understanding business unit needs. Jay is a friend, trusted advisor, and a proud US Army retiree.
Isaac Hepworth, Group Product Manager, Software Supply Chain, Google
Isaac is a seasoned product manager working on software supply chain integrity. In this role he incubated Google’s first-party SBOM program, developed vision and strategy for open source supply chain security, and supported Google’s contributions to OpenSSF’s Sigstore, SLSA, and GUAC. Over the last couple of decades Isaac has built developer-facing products at Google, Twitter, Stripe, and Microsoft.
Melba Lopez, Senior Technical Staff Member, Supply Chain Security, IBM
Melba is currently a Senior Technical Staff Member (STSM) working as the Lead Product Security Architect for Supply Chain Security at IBM. She has over 15 years of industry experience, a Master’s in Cybersecurity, and 4 issued patents, with more to come!