What is Microsoft’s Secure Supply Chain Consumption Framework?

Microsoft has open sourced its framework for managing open source in software development.

[Image: Microsoft headquarters building. Credit: gguy/Adobe Stock]

Software development isn't only about code; more importantly, it's driven by a set of best practices and guidelines that help us write better and more secure software. Like all large software companies, Microsoft has developed its own set of policies and procedures to implement approaches like its Secure Software Development Lifecycle.


One of the biggest issues facing software development today is the growing software supply chain, where closed and open source components come together to build familiar applications. But as recent incidents have shown, it's easy to accidentally include security issues in your code when a trusted component is compromised. Modern software relies on sources like Docker Hub, NuGet and npm, pulling in code that might come from large enterprise software teams or from one developer working in their limited spare time, scratching their own itch and sharing the resulting code with the rest of the world.


Securing the software supply chain

The modular nature of modern code makes it hard to track all these various components, especially when we're looking at long and complex dependency chains. You only have to install a new package on a Linux machine to see the chain of dependencies that comes with a simple piece of software. Those visible dependencies are only part of the story, as other libraries and components are compiled into the code you're using, along with their own dependencies and so on down the chain.

It's clear we need a set of best practices to manage growing software supply chains, especially when we may not know the full provenance of the code we're using. Tools like Software Bills of Materials are important, but they're only a tool that shows what we know about the software we're using, not the entire supply chain. With malicious actors aiming to compromise software before it's distributed to component repositories, you need to shift from trusting all the code you use to active skepticism, testing and retesting before it crosses into your trusted networks.

Microsoft's move toward supply chain transparency

Industrywide, there's been much more focus on SBOMs and the software supply chain since the White House issued its "Improving the Nation's Cybersecurity" executive order. As part of its response to the US government's policies, Microsoft has been opening its internal tooling to the outside world, open sourcing tools like its Software Package Data Exchange-based SBOM tool. That's now been followed by something that's less tangible, but just as important: the Secure Supply Chain Consumption Framework, S2C2F.

Part of its internal processes since 2019, S2C2F began life as the Open Source Software-Supply Chain Framework, helping manage how Microsoft both consumed and contributed to open source projects. With many thousands of developers working with open source, it's essential to have a way of managing these interactions to protect Microsoft's many hundreds of thousands of users, as well as the many hundreds of thousands of customers and users of other products that depend on the open source components Microsoft writes and maintains.

What is S2C2F and how is it used?

The goal of processes like S2C2F is to have a way of seeing how your organization interacts with open source, looking at possible areas of risk and providing a repeatable set of actions that can keep any threats to a minimum. What's perhaps most interesting about S2C2F is that it's coupled with a maturity model, helping you get the right level of compliance for your development process.

Eight practices to secure code

At the heart of S2C2F are eight different practices, which focus on specific interactions with open source code and on the threats associated with them:

  1. Ingest
  2. Inventory
  3. Update
  4. Enforce
  5. Audit
  6. Scan
  7. Rebuild
  8. Fix and upstream

Each is one point in the software development life cycle where you work with open source code, libraries or components, and where you need to consider threats and risks.

It would be easy to write an entire book on these practices, as they cover how you bring open source code into your software development processes, how you analyze and test it, and how you make sure it's fit for purpose, passing on all the lessons you've learned to other potential users by becoming part of the community around the code, submitting change requests and even becoming a project maintainer yourself, with all the responsibilities that entails. Once you're using these practices in your software development lifecycle, you need to consider how mature your processes are.

Four levels of secure organizational maturity

There are four levels of maturity. Level 1 is how most organizations work with open source, keeping an inventory of what's being used and scanning incoming software and libraries for vulnerabilities using off-the-shelf security tools. Level 1 requires you to make sure all dependencies are up to date and scanned using the same tools as the software you intend to use.

Level 2 accelerates the Level 1 processes so that you're patching risks faster than any malicious actors and getting your fixes out before any zero days are in use.

Moving to Level 3 requires much more work, as you need to have proactive security tools in use and incoming software segregated from your development environment until it's been tested and secured. The goal of this level is to make sure you don't let compromised software into your network.

Much of the tooling required to reach Level 4 is rare or non-existent, as it requires working at scale to protect your code in real time. Most businesses should therefore aim for Level 3. Level 4 companies will rebuild all components on their own infrastructure after deep code scanning and check each component against their own SBOM before digitally signing the rebuilt code.
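The Level 4 gate described above (rebuild on your own infrastructure, check each component against your SBOM, and only then sign) can be sketched as a small release check. This is an added example, not Microsoft's or the OSSF's code: it assumes an SPDX-2.x style SBOM held as a Python dict, a dict of rebuilt artifact bytes keyed by `name@version`, and an allow-list of approved download hosts (all hypothetical). The packages, their contents and the registry URLs are constructed for illustration; one package's recorded checksum deliberately disagrees with the rebuilt bytes and another comes from an unapproved host, so the gate shows both the Enforce and Rebuild practices refusing to sign.

```python
"""Release gate in the spirit of S2C2F's Inventory, Enforce and Rebuild practices.

Added example, not Microsoft's or the OSSF's code. It assumes an SPDX-2.x
style SBOM as a Python dict, rebuilt artifact bytes keyed by "name@version",
and an allow-list of approved download hosts. All sample data is constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for packages rebuilt on internal infrastructure.
REBUILT = {
    "left-pad@1.3.0": b"module.exports = function leftPad(s, n) { return s.padStart(n); };",
    "lodash@4.17.21": b"module.exports = { chunk: function (a, n) { return a; } };",
    "tiny-util@0.0.1": b"module.exports = function () { return 42; };",
}

# Constructed SPDX-style SBOM. The lodash entry records a checksum for different
# bytes than the rebuild produced, simulating a tampered or drifted build.
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {
            "name": "left-pad", "versionInfo": "1.3.0",
            "downloadLocation": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": sha256_hex(REBUILT["left-pad@1.3.0"])}],
        },
        {
            "name": "lodash", "versionInfo": "4.17.21",
            "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": sha256_hex(b"constructed: original upstream bytes")}],
        },
        {
            "name": "tiny-util", "versionInfo": "0.0.1",
            "downloadLocation": "https://example.invalid/tiny-util.tgz",  # not an approved host
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": sha256_hex(REBUILT["tiny-util@0.0.1"])}],
        },
        {
            "name": "mystery-lib", "versionInfo": "2.0.0",
            "downloadLocation": "NOASSERTION",  # SPDX value for unknown provenance
            "checksums": [],
        },
    ],
}

# Hypothetical allow-list of registries/mirrors permitted to feed the build.
APPROVED_SOURCES = ("https://registry.npmjs.org/", "https://api.nuget.org/")


def check_package(pkg: dict, rebuilt: dict, approved_sources: tuple) -> list:
    """Return finding codes for one SBOM package; an empty list means it passes."""
    findings = []
    key = f"{pkg['name']}@{pkg.get('versionInfo', '')}"
    location = pkg.get("downloadLocation", "NOASSERTION")

    # Enforce: only allow-listed sources may feed the build; unknown provenance fails.
    if location == "NOASSERTION" or not location.startswith(approved_sources):
        findings.append("unapproved-source")

    # Inventory: every component in the SBOM must have been rebuilt in-house.
    if key not in rebuilt:
        findings.append("not-rebuilt")
        return findings

    # Rebuild: the recorded SHA-256 must match what our own infrastructure produced.
    recorded = {c["checksumValue"] for c in pkg.get("checksums", [])
                if c.get("algorithm") == "SHA256"}
    if not recorded:
        findings.append("no-sha256")
    elif sha256_hex(rebuilt[key]) not in recorded:
        findings.append("checksum-mismatch")
    return findings


def gate_release(sbom: dict, rebuilt: dict, approved_sources: tuple = APPROVED_SOURCES) -> tuple:
    """Evaluate every package; signing should proceed only when the first element is True."""
    report = {}
    for pkg in sbom["packages"]:
        key = f"{pkg['name']}@{pkg.get('versionInfo', '')}"
        report[key] = check_package(pkg, rebuilt, approved_sources)
    ok = all(not findings for findings in report.values())
    return ok, report


if __name__ == "__main__":
    ok, report = gate_release(SBOM, REBUILT)
    for key, findings in report.items():
        print(f"{key}: {'PASS' if not findings else ', '.join(findings)}")
    print("ready to sign" if ok else "release blocked")
```

Run stand-alone, the gate passes `left-pad`, flags `lodash` for a checksum mismatch, `tiny-util` for an unapproved source and `mystery-lib` for both missing provenance and not having been rebuilt, and reports the release as blocked. The point of keeping the three checks separate is that each maps to a different S2C2F practice, so a failing build tells you which control to investigate rather than just that signing was refused.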

Open sourcing S2C2F

Microsoft recently announced that S2C2F had been adopted by the Open Source Security Foundation as part of the work of its Supply Chain Integrity Working Group. The intent is to use it as the basis of a process that's able to build on the work of all OSSF members, not only Microsoft, with the process and practices being targeted at CISOs and security practitioners with responsibility for software development.

It's work that's still very much in progress, but one that's going to be worth following. Part of the initial work of the OSSF is a paper that maps S2C2F to other open source supply chain management specifications, so if you're already using your own or another process, you can start to bring the lessons Microsoft has learned into your own business.

With open source, we can benefit from the work of other companies and individuals, and that's as much about how they do things as what they produce. S2C2F may have been designed for Microsoft, but its principles are suitable for any software development process.
