Open source is everywhere, a key element of almost every technology in use today.
This also makes it one of the biggest threats. Cyber attackers are increasingly looking to exploit weaknesses – such as critical vulnerabilities, misconfigured services, or leaked secrets – across the software supply chain.
“The multitude of tools and processes, not to mention the huge number of open source binaries and libraries, all create opportunities for random and nefarious risks,” said Stephen Chin, VP of developer relations at software supply chain security company JFrog.
To further its mission and promote wider adoption, Pyrsia is now an incubator project under the Continuous Delivery Foundation (CDF). JFrog, which launched Pyrsia alongside other industry leaders, made the announcement today at KubeCon.
“Pyrsia aims to provide a tool for establishing and verifying trust in the world of software distribution,” said Chin, who is also a board member of CDF.
He added that “we believe that open source security will only succeed if we provide the community with similar tools and services for businesses.”
Open source: Convenient, but easy to exploit
Recent research from Synopsys shows that open source libraries and components account for more than 75% of the code in the average software application. Furthermore, the average software application depends on more than 500 components.
As Chin noted, these open source dependencies are convenient, but they also create new vulnerabilities for threat actors to exploit.
Cybercrime cost the global economy $6 trillion in 2021 – and this number is expected to grow to $10.5 trillion by 2025. Gartner research shows that 89% of companies have experienced a supplier risk event in the last five years, and a study by Argon Security indicates that attacks on software supply chains increased by more than 300% from 2020 to 2021.
“Open source is everywhere, and while it has always been seen as a germ of innovation and modernisation, the recent rise in software supply chain attacks has left organizations vulnerable,” Chin said.
He identified three software supply chain security threats: unintentional vulnerabilities, intentional vulnerabilities and malicious packages. Unlike vulnerabilities, which require an exploit, malicious packages consist of malicious code that, when run, performs undesired actions and activities.
Chin describes Pyrsia as an open source, decentralized, secure build network and software package repository that provides developers with an immutable, digitally signed chain of proofs for their code.
Using certified and peer-verified builds, it aims to build trust in the open source packages used as dependencies in software development. It provides a decentralized package network that understands package coordinates, semantics and discoverability.
Pyrsia integrates with existing package management systems so developers can certify their software components without compromising compatibility, security or efficiency, according to Chin. It also continues to work even during a local outage.
“We recently learned that no one is safe from cybercriminal activity, especially when bad actors put malicious packages into repository hubs, wreaking havoc on downstream systems and applications,” said Fatih Degirmenci, chief executive officer of CDF. Pyrsia “puts power back in the hands of developers and, ultimately, drives innovation.”
Blockchain: An Immutable Ledger
Asserting dependencies requires a reliable and verifiable log that is written once, read many times, and whose entries are immutable, Chin explains. Trust also requires a tamper-proof database and the ability to detect and resolve malicious additions.
Blockchain technology has proven to be one such immutable database, Chin explained, adding that blockchain implementations require a consensus mechanism based on Byzantine fault tolerance (BFT) – the ability of a distributed system to keep working even if some nodes fail or behave maliciously.
This protects against network takeovers, according to Chin, because consensus is reached on every block of data committed. BFT algorithms are resistant to network-wide attacks and can tolerate up to a third of the network's nodes failing.
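The two ideas above – a digitally signed chain of proofs for builds that peers verify (the Pyrsia description earlier) and a write-once, append-only log whose tampering is detectable, committed only by a BFT quorum – can be shown together in a small model. The following is an added illustration, not Pyrsia's code or its actual data structures; the package coordinates, node ids and artifact bytes are constructed sample values, and a plain SHA-256 hash chain stands in for whatever ledger and signature scheme the project uses.

```python
"""
Added illustrative example (not Pyrsia's code): a hash-chained, append-only
provenance log for build records plus a BFT-style peer-verification quorum.
All package names, node ids and artifact bytes below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class BuildRecord:
    """One log entry: which package was built, what it hashed to, and by whom."""
    package: str          # package coordinate, e.g. "npm/left-pad@1.3.0" (constructed)
    artifact_digest: str  # sha256 of the produced artifact
    builder: str          # id of the node that produced the build
    prev_hash: str        # hash of the previous entry; this is what chains the log

    def entry_hash(self) -> str:
        # Canonical JSON so every node computes the same hash for the same record
        payload = json.dumps(self.__dict__, sort_keys=True).encode()
        return sha256_hex(payload)


class ProvenanceLog:
    """Write-once, read-many log: entries are only ever appended, never edited."""

    def __init__(self) -> None:
        self.entries: List[BuildRecord] = []

    def append(self, package: str, artifact_digest: str, builder: str) -> BuildRecord:
        prev = self.entries[-1].entry_hash() if self.entries else GENESIS
        rec = BuildRecord(package, artifact_digest, builder, prev)
        self.entries.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the chain; an edited or removed entry breaks a later prev_hash."""
        expected_prev = GENESIS
        for rec in self.entries:
            if rec.prev_hash != expected_prev:
                return False
            expected_prev = rec.entry_hash()
        return True


def bft_fault_tolerance(n_nodes: int) -> int:
    """Largest number f of faulty nodes an n-node BFT network tolerates (n >= 3f + 1)."""
    return (n_nodes - 1) // 3


def quorum_size(n_nodes: int) -> int:
    """Agreement needed to commit a record: n - f, i.e. more than two thirds of nodes."""
    return n_nodes - bft_fault_tolerance(n_nodes)


def peer_verified_digest(reports: Dict[str, str]) -> Optional[str]:
    """reports maps builder id -> digest that peer produced from the same source.
    Returns the digest a BFT quorum agrees on, or None when there is no quorum."""
    counts: Dict[str, int] = {}
    for digest in reports.values():
        counts[digest] = counts.get(digest, 0) + 1
    needed = quorum_size(len(reports))
    for digest, votes in counts.items():
        if votes >= needed:
            return digest
    return None


def demo() -> Dict[str, bool]:
    """Walk through: peer verification, an intact chain, then a detected edit."""
    good = sha256_hex(b"artifact bytes of left-pad 1.3.0 (constructed)")
    bad = sha256_hex(b"tampered artifact (constructed)")
    # Four peer builders: three agree, one deviates. f = 1 is tolerated, quorum = 3.
    reports = {"node-a": good, "node-b": good, "node-c": good, "node-d": bad}
    agreed = peer_verified_digest(reports)

    log = ProvenanceLog()
    log.append("npm/left-pad@1.3.0", agreed, "node-a")
    log.append("pypi/requests@2.28.1", sha256_hex(b"requests wheel (constructed)"), "node-b")
    intact = log.verify()

    # Rewrite the first entry after the fact: the second entry's prev_hash no longer matches
    log.entries[0] = BuildRecord("npm/left-pad@1.3.0", bad, "node-a", GENESIS)
    tamper_detected = not log.verify()
    return {"agreed": agreed == good, "intact": intact, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())  # {'agreed': True, 'intact': True, 'tamper_detected': True}
```

The hash chain gives the "written once, read many times" property: rewriting any earlier record changes its hash, so every later `prev_hash` stops matching and `verify()` fails. The quorum function is where the one-third figure comes from: with n nodes a record is committed only when at least n - f of them, f = (n - 1) // 3, report the same artifact digest, so up to a third of builders can fail or lie without either blocking agreement or pushing a bad digest through.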
Blockchain provides a scalable provenance log and is best suited to large amounts of on-chain data distributed across wide networks (as evidenced by its success in the crypto world).
The technology can improve the state of the software supply chain, Chin explains, by providing transparency on how open source software is built on the network.
“This transparency is intended to give developers confidence in using open source libraries in their production environments,” he said.
JFrog and other open source technology leaders – Docker, DeployHub, Futurewei and Oracle – teamed up to officially launch Pyrsia earlier this year. Since then, they have helped create collaboration opportunities between projects within the CDF to tie package security into community tools, Chin explained.
Now, by working together, JFrog and CDF will ensure that Pyrsia grows its support and cohesion through a centralized governance model, a defined roadmap, and broad representation from industry and the larger open source and technology community, Chin explains.
“We are grateful for the help of our industry and community partners for joining us in ensuring open source so it can remain a true source of innovation,” he said.