Register now for your free virtual pass to the Low-Code/No-Code Summit this November 9. Hear from executives from Service Now, Credit Karma, Stitch Fix, Appian, and more. Learn more.
Open-source is everywhere, a critical element of nearly every technology in use today.
This also makes it one of the greatest threat vectors. Cyberattackers are increasingly looking to exploit weak chinks — such as critical vulnerabilities, misconfigured services or leaked secrets — across the software supply chain.
“The myriad tools and processes, not to mention the huge amounts of open-source libraries and binaries, all introduce opportunities for accidental and nefarious injection of risk,” said Stephen Chin, VP of developer relations at software supply chain security company JFrog.
The open-source software initiative Pyrsia was introduced in May 2022 to help address this pervasive problem. It utilizes blockchain technology to secure software packages from vulnerabilities and malicious code.
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.
To further its mission and foster broader adoption, Pyrsia is now an incubating project under the Continuous Delivery Foundation (CDF). JFrog, which launched Pyrsia with other industry leaders, made the announcement today at KubeCon.
“Pyrsia aims to provide a tool to establish and verify trust in the software delivery world,” said Chin, who is also governing board member for the CDF.
He added that “we believe that open-source security will only be successful if we provide the community with the same tools and services that are available to enterprises.”
Open source: Convenient, but easy to exploit
Recent research from Synopsys shows that open-source libraries and components make up more than 75% of the code in the average software application. Furthermore, the average software application depends on more than 500 components.
As Chin noted, these open-source dependencies are convenient, but they also present new vulnerabilities for threat actors to exploit.
Cybercrimes cost the global economy $6 trillion in 2021 — and this figure is expected to increase to $10.5 trillion by 2025. Gartner research reveals that 89% of companies experienced a supplier risk event in the last five years, and a study from Argon Security indicates that software supply chain attacks grew by more than 300% between 2020 and 2021.
“Open source is everywhere,” said Chin, “and while it has always been seen as a seed for innovation and modernization, the recent rise of software supply chain attacks has made every organization vulnerable.”
He identified three software supply chain security threats: unintentional vulnerabilities, intentional vulnerabilities and malicious software packages. And, unlike vulnerabilities that require exploitation, malicious software packages include malicious code that, when run, performs unwanted actions and activity.
Chin described Pyrsia as an open source-based, decentralized, secure build network and software package repository that provides developers with a digitally signed, immutable chain of evidence for their code.
Using certified and peer-verified builds, it aims to build trust for open-source packages being used as dependencies in software development. It provides a decentralized package network that understands package coordinates, semantics and discoverability.
Pyrsia integrates with existing package management systems so that developers can certify their software components without foregoing compatibility, security or efficiency, according to Chin. It also continues to work even if there are local outages.
“We’ve recently learned as an industry that no one is safe from cybercriminal activity, particularly when bad actors inject malicious packages into central repositories, wreaking havoc on downstream systems and applications,” said Fatih Degirmenci, executive director of the CDF. Pyrsia “puts the power back in the hands of developers and, ultimately, accelerates innovation.”
Blockchain: An immutable ledger
To assert dependencies requires a reliable and verifiable log that is written once, read many times, and has entries that are immutable, Chin explained. Trust also demands a database that is tamper-proof and guarantees the discovery and resolution of malicious additions.
And blockchain technology has proven to be one of those immutable databases, as Chin explained, adding that blockchain implementation requires a consensus mechanism based on Byzantine Fault Tolerance (BFT) — a system’s ability to continue operating even if some nodes fail or act maliciously.
This ensures that there is security against a takeover of the network, according to Chin, with consensus for each block of data committed. BFT algorithms are resilient against attacks spanning the network and can tolerate up to one-third of network failures.
Blockchain provides a scalable provenance log, and is best suited for large amounts of chained data distributed across wide networks (as evidenced in its success in the cryptocurrency world).
The technology can improve the state of the software supply chain by providing transparency into how open-source software is being built on the network, as Chin explained.
“This transparency is aimed to give developers the confidence to use the open-source library in their production environments,” he said.
JFrog and other open-source technology leaders — Docker, DeployHub, Futurewei and Oracle — collaborated to officially launch Pyrsia earlier this year. They have since helped to create opportunities for cross-project collaboration within the CDF to interlink secure packages with community tools, explained Chin.
Now, by working together, JFrog and the CDF will ensure that Pyrsia grows its backing and engagement through the use of a centralized governance model, defined roadmap, and broad representation within the wider technology and open-source communities, explained Chin.
“We’re grateful for the help of our industry partners and the community for joining us in securing open-source so it can remain a true fountain of innovation,” he said.