A New Tool Wants to Save Open Source from Supply Chain Hacks

Russia's historically destructive NotPetya malware attack and its more recent SolarWinds cyberespionage campaign have something in common besides the Kremlin: both are real-world examples of software supply chain attacks. The term describes an attacker slipping malicious code into legitimate software, or into the process that builds and distributes it, so that the payload rides a trusted update out to every downstream user. As more supply chain attacks emerge, a new open source project is angling to take a stand by making a crucial safeguard free and easy to implement.


The founders of Sigstore hope that their platform will spur adoption of code signing, an important protection for software supply chains but one that popular and widely used open source software often overlooks. Open source developers don't always have the resources, time, expertise, or wherewithal to fully implement code signing on top of all the other nonnegotiable components they need to build for their code to function.
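To make concrete what "code signing" buys a downstream consumer, here is an added, self-contained example (not Sigstore's code, and not from the article) using Go's standard-library Ed25519 support. The artifact bytes are a constructed stand-in for a release tarball; the key pair is generated in-process, which is the assumption this example makes and exactly the part Sigstore's keyless flow is meant to replace. Verification hashes the bytes actually received, so an artifact altered after signing, or signed with a key other than the publisher's, fails to verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample "release artifact". In practice this would be the bytes
// of a tarball, wheel, or container layer fetched from a registry or mirror.
var sampleArtifact = []byte("example-package-1.2.3.tar.gz contents (constructed sample)")

// GenerateKeyPair creates a fresh Ed25519 signing key for the publisher.
// Assumption for this example: the verifier already trusts this public key.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ArtifactDigest returns the SHA-256 digest of the artifact bytes. Signing a
// fixed-size digest rather than the raw bytes keeps the signed message small
// and lets a consumer compare it against a published checksum as well.
func ArtifactDigest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignArtifact produces a detached signature over the artifact digest.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, ArtifactDigest(artifact))
}

// VerifyArtifact recomputes the digest from the bytes actually received and
// checks the detached signature against the publisher's public key. Any
// change to the artifact after signing changes the digest and yields false.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, ArtifactDigest(artifact), sig)
}

// Tamper simulates a supply chain compromise: the same artifact with
// malicious bytes appended somewhere between the publisher and the consumer.
func Tamper(artifact []byte) []byte {
	out := append([]byte{}, artifact...)
	return append(out, []byte("\n# injected backdoor")...)
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	sig := SignArtifact(priv, sampleArtifact)
	fmt.Println("digest:   ", hex.EncodeToString(ArtifactDigest(sampleArtifact)))
	fmt.Println("genuine:  ", VerifyArtifact(pub, sampleArtifact, sig))
	fmt.Println("tampered: ", VerifyArtifact(pub, Tamper(sampleArtifact), sig))
	// A signature checked against someone else's key (e.g. an attacker
	// re-signing a trojanized build with their own key) also fails.
	otherPub, _, _ := GenerateKeyPair()
	fmt.Println("wrong key:", VerifyArtifact(otherPub, sampleArtifact, sig))
}
```

The cryptography here is the easy part. What the example sidesteps by generating the key pair in-process is the operational burden the article describes: keeping a long-lived private key safe, publishing the public key somewhere consumers can trust, and rotating it when it leaks. That burden is why many open source projects skip signing altogether, and it is the gap Sigstore is trying to close.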


“Until about a year and a half ago I felt like the crazy person standing on the corner with a sign that says, ‘The End Is Coming.’ Nobody understood the problem,” says Dan Lorenc, an open source software supply chain researcher and engineer at Google. “But in the past year things have changed considerably. Now everybody is talking about supply chain security, we have an Executive Order about it, and everybody is starting to realize how critical open source is and how we need to actually put some resources behind fixing the ..
