How an OSPO Can Help Secure Your Software Supply Chain
| Translation: 庄表伟
| Proofreading: 王永雷
| Editing: 周晶晶
| Design: 大政
It is nearly impossible these days to build software without using open source code. But all that freely available software carries additional security risks.

Organizations grapple with how best to secure their open source software supply chain. There is a prior problem, though: many companies do not even know how many open source components they have, or what is in them.

The worst-case scenarios include debacles like the Log4j vulnerability disclosed in December 2021 (Log4Shell, CVE-2021-44228), or what happened to SolarWinds' proprietary Orion network monitoring product, whose build pipeline was compromised in 2020 so that a backdoored update was distributed to customers. The second case is a reminder that the "shipping manifest" problem is not unique to open source.
For companies that build and ship software, the best practice is to "ship what you know and know what you ship," according to Suzanne Ambiel, director of open source marketing and strategy at VMware Tanzu. That "shipping manifest" applies to open source and proprietary code equally.

"Your customer and user community is trusting that what you are providing to them is good and clean and secure," she said. "They trust you to have done the hard work, and that you know what's in your software."
To get a handle on the risks of using open source, companies need a clear understanding of which open source code is used in their environment, need to stay current on patching, and need to conduct their own vulnerability scans and assessments where necessary.

An open source program office (OSPO), a bureau of open source experts within the organization dedicated to overseeing how the company uses, creates and contributes to open source software, can help coordinate all of these efforts.

An OSPO can help a company get a handle on the open source code it uses and establish visibility into open source projects and tools, said Liz Miller, vice president and principal analyst at Constellation Research.

"Fundamentally, the purpose of an open source program office is to centralize the understanding of dependencies, implementation and utilization of open source code across an enterprise," Miller said. "There is a significant security benefit to an OSPO."
What's In Your Open Source Code?
Today's software is assembled from components drawn from a variety of sources. "It's never 100% one thing," said VMware's Ambiel.

"There's some code that you have written for the first time, so you obviously know what's in there. But you may have used some containerized software. And you are going to be reusing some code. And everyone uses open source code."
Recent studies differ on exactly how much open source code enterprises use, but they agree that it is a lot:

A survey by The Linux Foundation, the TODO Group and The New Stack, published in September 2021, found that 81% of respondents use open source software in their non-commercial or internal products at least sometimes, and 67% use it in their commercial or external products.

In April 2021, application security testing company Synopsys reviewed the code of more than 1,500 enterprise software projects, both internal and commercial, and found that 98% of them contained some open source code. In an average application, 75% of the codebase was open source.

Here is the scary part: in Synopsys' analysis, 84% of the codebases had at least one vulnerability, and 91% of the open source components used had not seen any maintenance in the past two years.
Even open source code that has been in circulation for years and has been seen and used by millions can contain vulnerabilities lurking layers deep in the code, said Miller.

"The reality of open source is that for the security professional, hearing that a software supply chain is filled with unchecked, unknown and completely invisible open source code is the stuff nightmares are made of," she said.
That is why software needs to come with a "bill of materials," said Ambiel: a complete inventory of every component that goes into a software package, together with its version and license terms.

There is a lot happening on that front, and an OSPO can help companies stay on top of the latest recommendations, she said.

For example, in May 2021 President Biden issued Executive Order 14028 on improving the nation's cybersecurity, which requires a software bill of materials (commonly known as an SBOM) from vendors that supply software to the federal government.

Two days later, the Cloud Native Computing Foundation (CNCF) released its Software Supply Chain Best Practices white paper, recommending that all vendors provide an SBOM where possible, with clear and direct links to dependencies.

The CNCF white paper also recommended that companies scan their software with software composition analysis (SCA) tools to detect vulnerable open source components, and use penetration testing to check for basic security errors and loopholes and for resistance to standard attacks.
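The two recommendations above, an SBOM and an SCA scan over it, fit together in a few dozen lines. The following is an added example, not code from the article, VMware, the CNCF or the Linux Foundation: it turns a pinned dependency list into an SPDX 2.3-shaped SBOM (package, version, license, package URL) and then checks every package against an advisory list. The lockfile, license table and advisory entries (`EXAMPLE-ADV-*`) are constructed for the demonstration; a real pipeline would take licenses from package metadata and advisories from a vulnerability database such as OSV.

```python
"""Generate an SPDX-style SBOM from a pinned dependency list and run a
simple software-composition-analysis (SCA) check against it.

Added example; not the article's code nor any project's. LOCKFILE, LICENSES
and ADVISORIES are constructed so the script runs offline.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed lockfile: pinned "name==version" lines, as produced by
# `pip freeze` or a lock tool. Unpinned ranges are rejected on purpose,
# because an SBOM must name the exact version that shipped.
LOCKFILE = """\
requests==2.25.1
urllib3==1.26.4
# first-party library published to an internal index
acme-billing==3.2.0
"""

# Constructed license table; real metadata would come from the registry.
LICENSES = {"requests": "Apache-2.0", "urllib3": "MIT"}

# Constructed advisories: (package, first affected, first fixed, reference).
# The fixed version is exclusive, matching how OSV-style ranges are stated.
ADVISORIES = [
    ("urllib3", "1.26.0", "1.26.5", "EXAMPLE-ADV-0001 (constructed)"),
    ("requests", "2.0.0", "2.20.0", "EXAMPLE-ADV-0002 (constructed)"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple: '1.26.4' -> (1, 26, 4)."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs; fail closed on anything not an exact pin."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if match is None:
            raise ValueError(f"not an exact pin: {line!r}")
        deps.append((match.group(1).lower(), match.group(2)))
    return deps


def build_sbom(deps: List[Tuple[str, str]], licenses: Dict[str, str],
               doc_name: str = "example-app") -> Dict:
    """Emit the SPDX 2.3 JSON fields an SBOM consumer needs: package name,
    version, license, and a package URL (purl) tying the entry to a registry."""
    packages = []
    for name, version in deps:
        packages.append({
            "SPDXID": f"SPDXRef-Package-{name}",
            "name": name,
            "versionInfo": version,
            "licenseConcluded": licenses.get(name, "NOASSERTION"),
            "downloadLocation": "NOASSERTION",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": f"pkg:pypi/{name}@{version}",
            }],
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "packages": packages,
    }


def find_vulnerable(sbom: Dict, advisories) -> List[Tuple[str, str, str]]:
    """SCA step: report every SBOM package whose version falls inside an
    advisory's [introduced, fixed) range."""
    hits = []
    for pkg in sbom["packages"]:
        version = parse_version(pkg["versionInfo"])
        for name, introduced, fixed, ref in advisories:
            in_range = parse_version(introduced) <= version < parse_version(fixed)
            if pkg["name"] == name and in_range:
                hits.append((name, pkg["versionInfo"], ref))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(parse_lockfile(LOCKFILE), LICENSES)
    print(json.dumps(sbom, indent=2))
    for name, version, ref in find_vulnerable(sbom, ADVISORIES):
        print(f"VULNERABLE: {name}=={version} is in range for {ref}")
```

Two design points worth noting. Packages with no known license are emitted as `NOASSERTION` rather than silently dropped, so the gap is visible to whoever reviews the SBOM. The version comparison handles only plain dotted numeric versions; production tooling should use the ecosystem's own rules (PEP 440, semver, Maven ordering), since pre-release tags and epochs are exactly where naive comparisons produce false negatives.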
More recently, the Linux Foundation published a report with additional insights and recommendations on best-practice management of the software supply chain.

With an in-house OSPO in place, the professionals in that office can educate developers on best practices for creating SBOMs and help adopt the Software Package Data Exchange (SPDX) standard, the ISO-standardized format (ISO/IEC 5962:2021) in which SBOM information is commonly communicated.

It can also help developers keep abreast of emerging concepts like the new framework for software supply chain integrity, Supply-chain Levels for Software Artifacts (SLSA), introduced by Google in collaboration with the OpenSSF in 2021.
Keeping up to date with these best practices is a challenge, said Ambiel. "Being a developer is hard enough, and asking them to take on that challenge pulls them away from the applications or products they're trying to build."

An OSPO "can bring in the best practices and apply them in the best way possible, given the company you are and the software development that you do," Ambiel said.
Protecting Open Source Software from Attack
Attacks on the open source software supply chain increased 650% in 2021 compared to 2020, according to Sonatype's State of the Software Supply Chain report, released in September 2021.

And that was before the Log4j vulnerability came to light, which security researchers called the most dangerous Java exploit in years.
An OSPO can help developers stay abreast of new developments in open source security and build more secure applications, while also keeping on top of required updates and patches.

Software changes constantly, and keeping up with those changes is a constant challenge for companies. An OSPO can also create and maintain connections to the open source communities that track the latest changes in software, and those connections help companies stay current.

"What's current today is technical debt tomorrow," said Ambiel. "It's a big job. But when it comes to these big ecosystem challenges, that's where the open source community really shines and can step up."

Keeping on top of code changes is a problem everyone has, she said: "No one is excluded. Everybody has to pay attention to this."

When companies open themselves up to new ideas from beyond their corporate borders, that is when the best solutions emerge, she added.

For example, the open source community has been working on supply chain security and compliance for years. The Linux Foundation's Tern project, which inspects container images and reports the packages and licenses they contain, is part of its Automated Compliance Tooling (ACT) initiative.
An OSPO can also tap outside expertise through the OpenSSF, which is working on systemic solutions and ways to combat increasing attacks such as typosquatting and malicious code.

All of this matters because attackers are getting proactive, said David Wheeler, director of open source supply chain security at the Linux Foundation.

They inject malware directly into software source code or installable packages, sometimes simply by submitting an update with malware in it and hoping nobody notices, or by stealing a developer's password.

"Malicious code injection is the kind of attack that most people think about, yet in practice, it's less common in open source software," said Wheeler. "Still, it can be devastating when it happens."

The most common way to substitute malicious code for legitimate code is to publish a package with the same name on a different repository, an attack known as dependency confusion. A developer might think they are loading a trusted package from their in-house repository, but the package manager instead fetches the same-named package from a different, public repository because it carries a higher version number. The practical defenses are to make the resolver consult only the internal index for internal package names and to verify, after resolution, which index each package actually came from.

"Typosquatting is another common attack," said Wheeler. This is when the malicious package has almost the same name as the real one. "The developer uses the malicious package instead, often because the developer makes a typo."
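The two substitution attacks just described can both be caught after resolution, before anything is built. The script below is an added example, not code from the article, the Linux Foundation or the OpenSSF. It flags dependency confusion when a package in the company's own namespace was fetched from the public index rather than the internal one, and flags typosquatting candidates by edit distance to an allowlist of well-known names. The internal prefix `acme-`, the index URLs, the allowlist and the resolution records are all constructed for the demonstration; a real check would read them from the package manager's lockfile or install report and from a curated allowlist.

```python
"""Detect dependency-confusion and typosquatting candidates in a list of
resolved packages.

Added example; not code from the article, the Linux Foundation or OpenSSF.
Every input below is constructed so the script runs offline.
"""
import re
from typing import Iterable, List, Tuple

# Constructed: the company publishes first-party packages under this prefix,
# and only to this index. Anything with the prefix coming from elsewhere
# is the dependency-confusion pattern.
INTERNAL_PREFIXES = ("acme-",)
INTERNAL_INDEX = "https://pypi.internal.example/simple"   # hypothetical URL
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed allowlist of well-known names a typosquat would imitate.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "cryptography"}

# Constructed resolution records: (name, version, index it was fetched from),
# the kind of data a lockfile or an installer's resolution report provides.
RESOLVED = [
    ("requests", "2.31.0", PUBLIC_INDEX),
    ("acme-billing", "99.0.0", PUBLIC_INDEX),   # same name, higher version, wrong index
    ("acme-auth", "1.4.2", INTERNAL_INDEX),
    ("reqeusts", "1.0.0", PUBLIC_INDEX),        # transposed letters
    ("crypt0graphy", "0.1", PUBLIC_INDEX),      # digit-for-letter swap
]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_dependency_confusion(resolved, internal_prefixes,
                               internal_index) -> List[Tuple[str, str, str]]:
    """Internal-namespace packages must have come from the internal index."""
    return [
        (name, version, source)
        for name, version, source in resolved
        if normalize(name).startswith(internal_prefixes) and source != internal_index
    ]


def check_typosquats(resolved, known: Iterable[str],
                     max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Names not on the allowlist but within max_distance edits of one."""
    known_norm = sorted({normalize(k) for k in known})
    findings = []
    for name, _version, _source in resolved:
        candidate = normalize(name)
        if candidate in known_norm:
            continue
        for legit in known_norm:
            distance = levenshtein(candidate, legit)
            if 0 < distance <= max_distance:
                findings.append((name, legit, distance))
    return findings


if __name__ == "__main__":
    for name, version, source in check_dependency_confusion(
            RESOLVED, INTERNAL_PREFIXES, INTERNAL_INDEX):
        print(f"DEPENDENCY CONFUSION: {name}=={version} came from {source}")
    for name, legit, distance in check_typosquats(RESOLVED, KNOWN_PACKAGES):
        print(f"POSSIBLE TYPOSQUAT: {name!r} is {distance} edit(s) from {legit!r}")
```

The edit-distance check is a heuristic: at distance 2 it will also flag some legitimate short names, so treat its output as a review queue rather than a block list, and pair it with an allowlist of approved packages. The dependency-confusion check, by contrast, is exact given the resolution data; the stronger fix is to configure the resolver so that internal names can never be served by the public index at all, and to keep this check as a post-resolution audit.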
OSPOs and Open Source Communities

To guard against these kinds of attacks, Wheeler recommends that companies engage more with open source communities.

Having an OSPO helps companies do just that. Fifty-six percent of participants in the Linux Foundation survey felt that engaging with the developer community was a chief responsibility of an OSPO, and almost 69% said that promoting an open source culture in-house was one.

If an open source project is important to a company but does not have multiple people reviewing code changes, it may make sense for the company to join the project and supply reviewers.

"The costs of doing so are typically far less than trying to independently develop and maintain your own software," Wheeler said.

He also suggested that companies get involved in the OpenSSF, a consortium of many organizations working on systemic solutions, such as distributing multifactor authentication tokens to open source software developers.

"Different organizations may choose to resolve these challenges differently," Wheeler said. "But OSPOs are often well-placed to help."