On Supply Chains: How an OSPO Helps Secure Your Software Supply Chain

It’s nearly impossible these days to build software without using open source code. But all that free software carries additional security risks.

Organizations grapple with how best to secure their open source software supply chain. But there’s another problem: Many companies don’t even know how many open source applications they have — or what’s in them.

The worst-case scenarios include debacles like 2021’s Log4j security vulnerability, or what happened with SolarWinds’ proprietary Orion network monitoring product, which was infected with malware in 2020.

For companies that build and ship software, the best practice is to “ship what you know and know what you ship,” according to Suzanne Ambiel, director of open source marketing and strategy at VMware Tanzu. And that “shipping manifest” applies to open source and proprietary code equally.

“Your customer and user community is trusting that what you are providing to them is good and clean and secure,” she said. “They trust you to have done the hard work, and that you know what’s in your software.”

In order to get a handle on the potential risks involved with using open source, companies need to have a clear understanding of what open source code is used in their environment, stay up to date on patching, and even conduct their own vulnerability scans and assessments if necessary.

An open source program office (OSPO) — a bureau of open source experts within your organization dedicated to overseeing how your company uses, creates and contributes to free software — can help coordinate all these efforts.

An OSPO can help a company get a handle on the open source code it uses and establish visibility into open source projects and tools, said Liz Miller, vice president and principal analyst at Constellation Research.

“Fundamentally, the purpose of an open source program office is to centralize the understanding of dependencies, implementation and utilization of open source code across an enterprise,” Miller said. “There is a significant security benefit to an OSPO.”

  1. What’s In Your Open Source Code?

Today’s software is made up of components from a variety of sources. “It’s never 100% one thing,” said VMware’s Ambiel.

“There’s some code that you have written for the first time, so you obviously know what’s in there. But you may have used some containerized software. And you are going to be reusing some code. And everyone uses open source code.”

Recent studies differ on exactly how much open source code enterprises use, but it’s a lot:

A survey by The Linux Foundation, the TODO Group and The New Stack, published in September, found that 81% of respondents use open source software in their non-commercial or internal products at least sometimes, and 67% use it in their commercial or external products.

Last April, application security testing company Synopsys reviewed the code of more than 1,500 enterprise software projects, both internal and commercial, and found that 98% of them contained some open source code. For an average application, 75% of the codebase was open source.

Here’s the scary part: In Synopsys’ analysis, 84% of the codebases had at least one vulnerability, and 91% of the open source components used hadn’t seen any maintenance in the past two years.

Even open source code that has been in circulation for years and has been seen and used by millions can include vulnerabilities lurking layers deep in the code, said Miller.

“The reality of open source is that for the security professional, hearing that a software supply chain is filled with unchecked, unknown and completely invisible open source code is the stuff nightmares are made of,” she said.

That’s why software needs to come with a “bill of materials,” said Ambiel: a complete inventory of all the components that go into a software package, along with their versions and license terms.

And there’s a lot happening on that front. An OSPO can help companies stay on top of the latest recommendations, she said.

For example, last May President Biden issued an executive order requiring a software bill of materials (commonly known as an SBOM) from vendors that provide software to the federal government.

Two days later, the Cloud Native Computing Foundation (CNCF) released a best-practices white paper recommending that all vendors provide an SBOM where possible, with clear and direct links to dependencies.

The CNCF white paper also recommended that companies scan their software with software-composition analysis tools to detect vulnerable open source components, and use penetration testing to check for basic security errors or loopholes and resistance to standard attacks.

And more recently, the Linux Foundation published a report that provides additional insights and recommendations for best practice management of your software supply chain.

With an in-house OSPO in place, the professionals in that office can help educate developers on the best practices for creating SBOMs and also help establish the Software Package Data Exchange (SPDX) standard, the format in which SBOM information is communicated.

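To make the SBOM and composition-scan recommendations above concrete, here is an added example (not code from the article, from VMware, the CNCF, or the SPDX project) that builds an SPDX 2.3-shaped JSON document for a constructed set of components and then checks those components against a constructed advisory list, the way a software-composition-analysis step in an OSPO-run pipeline would. The package names, versions, and advisory identifiers are invented sample data; a real pipeline would read the component list from the build’s lockfile or image manifest and the advisories from a vulnerability feed.

```python
"""SBOM generation and composition check: an added example, not code from
the article, VMware, the CNCF, or the SPDX project. The component names,
versions, and advisory entries below are constructed sample data, not real
packages or real vulnerabilities."""
import json
from typing import Dict, List, Tuple

# Constructed inventory of the third-party components a hypothetical
# application ships with. A real OSPO pipeline would derive this from the
# build's lockfile or container image rather than from a literal.
COMPONENTS = [
    {"name": "example-http", "version": "2.4.1", "license": "Apache-2.0"},
    {"name": "example-json", "version": "1.0.9", "license": "MIT"},
    {"name": "example-xml", "version": "3.2.0", "license": None},  # license never recorded
]

# Constructed advisory feed: versions strictly below `fixed_in` are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-json", "fixed_in": "1.1.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-xml", "fixed_in": "3.1.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted version to a comparable tuple (pre-release tags not handled)."""
    return tuple(int(p) for p in v.split("."))


def build_sbom(app_name: str, app_version: str, components: List[Dict]) -> Dict:
    """Emit an SPDX 2.3-shaped JSON document covering the subset of fields used here."""
    root_id = f"SPDXRef-Package-{app_name}"
    packages = [{
        "SPDXID": root_id,
        "name": app_name,
        "versionInfo": app_version,
        "licenseDeclared": "LicenseRef-Proprietary",
    }]
    relationships = [{
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES",
        "relatedSpdxElement": root_id,
    }]
    for comp in components:
        pkg_id = f"SPDXRef-Package-{comp['name']}"
        packages.append({
            "SPDXID": pkg_id,
            "name": comp["name"],
            "versionInfo": comp["version"],
            # SPDX uses NOASSERTION when the producer could not determine a value.
            "licenseDeclared": comp["license"] or "NOASSERTION",
        })
        relationships.append({
            "spdxElementId": root_id,
            "relationshipType": "DEPENDS_ON",
            "relatedSpdxElement": pkg_id,
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{app_name}-{app_version}",
        "packages": packages,
        "relationships": relationships,
    }


def find_vulnerable(sbom: Dict, advisories: List[Dict]) -> List[Dict]:
    """Composition-analysis step: match every SBOM package against the advisory feed."""
    hits = []
    for pkg in sbom["packages"]:
        for adv in advisories:
            if adv["name"] == pkg["name"] and parse_version(pkg["versionInfo"]) < parse_version(adv["fixed_in"]):
                hits.append({"package": pkg["name"], "version": pkg["versionInfo"], "advisory": adv["id"]})
    return hits


def find_gaps(sbom: Dict) -> List[str]:
    """Components whose license could not be asserted: you cannot 'know what you ship' about them."""
    return [p["name"] for p in sbom["packages"] if p["licenseDeclared"] == "NOASSERTION"]


if __name__ == "__main__":
    doc = build_sbom("example-app", "1.0.0", COMPONENTS)
    print(json.dumps(doc, indent=2))
    print("vulnerable:", find_vulnerable(doc, ADVISORIES))
    print("license gaps:", find_gaps(doc))
```

Run as a script, it prints the SBOM, flags the one component whose version falls below the advisory’s fixed version, and lists the component shipped without a known license. The `DESCRIBES` and `DEPENDS_ON` relationships are what let a consumer of the document answer “what is in this release?” without trusting the producer’s prose.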
It can also help devs keep abreast of emerging concepts like the new framework for software supply chain integrity, called Supply-Chain Levels for Software Artifacts, or SLSA, introduced by Google in collaboration with OpenSSF in 2021.

Keeping up to date with these best practices is a challenge, said Ambiel. “Being a developer is hard enough, and asking them to take on that challenge pulls them away from the applications or products they’re trying to build.”

An OSPO “can bring in the best practices and apply them in the best way possible, given the company you are and the software development that you do,” Ambiel said.

  2. Protecting Open Source Software from Attack

Attacks on the open source software supply chain increased 650% last year compared to 2020, according to Sonatype’s state of the software supply chain report, released in September.

And that’s before the Log4j vulnerability came to light, which security researchers called the most dangerous Java exploit in years.

An OSPO can help developers stay abreast of new developments in open source security and build more secure applications, while also staying on top of required updates and patches.

Software is constantly changing, and it’s a constant challenge for companies to keep up with those changes. An OSPO can also help create and maintain connections to open source communities that keep track of the latest changes in software, and these connections can help companies stay on top.

“What’s current today is technical debt tomorrow,” said Ambiel. “It’s a big job. But when it comes to these big ecosystem challenges, that’s where the open source community really shines and can step up.”

Keeping on top of code changes is a problem that everyone has, she said: “No one is excluded. Everybody has to pay attention to this.” When companies open themselves up to new ideas from beyond their corporate borders, that’s when the best solutions come to bear, she added.

For example, the open source community has been working on supply chain security and compliance for years. The Linux Foundation’s Tern project, which inspects container images, is part of its Automated Compliance Tooling initiative.

An OSPO can also tap outside expertise through the OpenSSF, which is working on systemic solutions and ways to combat increasing attacks like typosquatting and malicious code.

All of this is important because attackers are getting proactive, said David Wheeler, director of open source supply chain security at the Linux Foundation.

They directly inject malware into software source code or installable packages — sometimes, just submitting an update with malware in it and hoping nobody notices, or by stealing a developer’s password.

“Malicious code injection is the kind of attack that most people think about, yet in practice, it’s less common in open source software,” said Wheeler. “Still, it can be devastating when it happens.”

The most common way to replace legitimate code with malicious code is by creating a duplicate package on a different repository. A developer might think they’re loading a trusted package from their in-house repository but load a package with the same name from a different, public repository because it has a later release date.

“Typosquatting is another common attack,” said Wheeler. This is when the malicious package has almost the same name as the real one. “The developer uses the malicious package instead — often because the developer makes a typo.”

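The two attack patterns Wheeler describes above, a same-named package with a later version on a public index and a typosquatted name, can both be caught before anything is installed. The following added example, which is not code from the article, the OpenSSF, or any package manager, contrasts a naive resolver that lets the highest version win with a scoped one that only ever fetches internally owned names from the internal index, and adds a near-name check against an allow-list of well-known public packages. The index contents, package names, and allow-lists are constructed sample data.

```python
"""Dependency-confusion and typosquatting gate: an added example, not code
from the article, the OpenSSF, or any package manager. The two index
contents and the allow-lists below are constructed sample data."""
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed contents of an organisation's internal index and of a public index.
# The public copy of "acme-billing" carries a higher version than the genuine one.
INTERNAL_INDEX: Dict[str, str] = {"acme-billing": "1.4.0", "acme-auth": "2.0.1"}
PUBLIC_INDEX: Dict[str, str] = {"acme-billing": "99.0.0", "requests": "2.31.0", "reqeusts": "2.31.0"}

# Names the organisation owns: these must never be satisfied from a public index.
INTERNAL_NAMES: FrozenSet[str] = frozenset(INTERNAL_INDEX)
# Constructed allow-list of well-known public packages used for near-name comparison.
KNOWN_PUBLIC: FrozenSet[str] = frozenset({"requests"})


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted version to a comparable tuple (pre-release tags not handled)."""
    return tuple(int(p) for p in v.split("."))


def naive_resolve(name: str) -> Tuple[str, str]:
    """Highest version wins across all indexes: the behaviour dependency confusion relies on."""
    candidates = []
    if name in INTERNAL_INDEX:
        candidates.append(("internal", INTERNAL_INDEX[name]))
    if name in PUBLIC_INDEX:
        candidates.append(("public", PUBLIC_INDEX[name]))
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda c: parse_version(c[1]))


def scoped_resolve(name: str) -> Tuple[str, str]:
    """Internally owned names are fetched only from the internal index, whatever the public version."""
    if name in INTERNAL_NAMES:
        return ("internal", INTERNAL_INDEX[name])
    if name in PUBLIC_INDEX:
        return ("public", PUBLIC_INDEX[name])
    raise LookupError(name)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; an adjacent transposition such as 'eu' for 'ue' costs 2 here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_suspect(name: str, known: FrozenSet[str] = KNOWN_PUBLIC, max_distance: int = 2) -> Optional[str]:
    """Return the well-known name that `name` is suspiciously close to (but not equal to), or None."""
    best: Optional[Tuple[int, str]] = None
    for candidate in known:
        d = edit_distance(name, candidate)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, candidate)
    return best[1] if best else None


def check_install(name: str) -> Dict[str, Optional[str]]:
    """What a pre-install gate would report: where the package comes from and what it resembles."""
    origin, version = scoped_resolve(name)
    return {"name": name, "origin": origin, "version": version, "lookalike_of": typosquat_suspect(name)}


if __name__ == "__main__":
    print("naive :", naive_resolve("acme-billing"))   # public copy wins on version alone
    print("scoped:", scoped_resolve("acme-billing"))  # internal copy, as intended
    for pkg in ("requests", "reqeusts", "acme-auth"):
        print(check_install(pkg))
```

The scoped resolver is the same idea real package managers expose as pinning a package name to one index or namespace; the near-name check only ever produces a warning for a human or an OSPO review queue, since a short distance is a signal, not proof, and the threshold should be tuned against the organisation’s own approved-package list.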

  3. OSPOs and Open Source Communities

To guard against these kinds of attacks, Wheeler recommends that companies engage more with open source communities.

Having an OSPO helps companies do just that. Fifty-six percent of participants in the Linux Foundation survey felt that engaging with the developer community was a chief responsibility of an OSPO, and almost 69% said promoting an open source culture in-house was a chief responsibility of an OSPO.

If an open source project is important to a company but the project doesn’t have multiple people reviewing code upgrades, then it might make sense to join the project.

“The costs of doing so are typically far less than trying to independently develop and maintain your own software,” Wheeler said.

He also suggested that companies get involved in the OpenSSF, a consortium of many organizations working on systemic solutions, such as distributing multifactor authentication tokens to software developers.

“Different organizations may choose to resolve these challenges differently,” Wheeler said. “But OSPOs are often well-placed to help.”

Original article:

https://thenewstack.io/how-an…
