Defensive

Feds and npm Give advice on supply chain security to prevent another SolarWinds incident

Faster development, innovation, and a thriving open-source community have all been made possible by the ability to use another developer’s project as a dependency. With many JavaScript projects relying on tens or even hundreds of dependencies, the npm package ecosystem, which serves both JavaScript and TypeScript projects, has grown to 2.1 million packages. npm is the largest package ecosystem, larger than those of most other major programming languages combined.

https://github.com/ossf/wg-best-practices-os-developers

https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md

Dependencies also carry risk. A single dependency update can break the projects that depend on it. Dependencies can also contain security flaws, or be hijacked like any other piece of software, and either problem propagates to every project that uses them.

Even so, the advantages of using dependencies usually outweigh the disadvantages, so the sensible course is to consume (and maintain) them with a deliberate, secure strategy. Building such a strategy is hard, because dependency management involves a set of issues that few developers are used to handling. With the support of the OpenSSF, several members of the npm community and security professionals have collaborated to create these guidelines for the npm community.

This new “npm Best Practices” guide aims to help developers and organizations who face these issues consume dependencies with confidence.

The guide gives an overview of the supply chain security features npm offers, describes the risks of consuming dependencies, and recommends practices that reduce those risks at each stage of a project. It covers, for example, how to set up a secure CI configuration, how to avoid dependency confusion, and how to limit the damage a hijacked dependency can do. Developers who follow the guide proactively harden their npm packages against the most common supply chain attacks. We also expect automated tools such as Scorecards and Allstar to check for these practices.
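Two of the risks named above, dependency confusion and the blast radius of a hijacked dependency, can be checked mechanically against the lockfile. The script below is an added example written for this page; it is not code from the OpenSSF guide or from npm itself. It audits a package-lock.json in the lockfileVersion 2/3 "packages" layout for packages in a private scope that resolve from the public registry (confusion), and for packages with no integrity hash or a non-registry source (an attacker who hijacks such a package can swap its contents without the lockfile noticing). The private scope `@acme`, its registry `https://npm.acme.example/`, the sample lockfile and its hashes are all constructed for the example.

```javascript
'use strict';
// Added example: lockfile audit for dependency confusion and unpinned or
// non-registry dependencies. Not part of the OpenSSF npm guide or of npm.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Hypothetical private scope -> private registry mapping (assumption).
const PRIVATE_SCOPES = { '@acme': 'https://npm.acme.example/' };

// Constructed sample package-lock.json (lockfileVersion 3 layout). The
// integrity hashes are illustrative placeholders, not real digests.
const SAMPLE_LOCK = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'left-pad': '^1.3.0', '@acme/internal-utils': '^2.0.0' } },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-AAAA',
    },
    // Private-scope package resolved from the PUBLIC registry: confusion.
    'node_modules/@acme/internal-utils': {
      version: '2.0.1',
      resolved: 'https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-2.0.1.tgz',
      integrity: 'sha512-BBBB',
    },
    // Git source, no integrity hash: contents can change under the same ref.
    'node_modules/evil-helper': { version: '0.0.1', resolved: 'git+ssh://git@github.com/someone/evil-helper.git#abc123' },
    // Registry tarball but no integrity hash recorded.
    'node_modules/ok-lib': { version: '3.1.0', resolved: 'https://registry.npmjs.org/ok-lib/-/ok-lib-3.1.0.tgz' },
  },
};

// Package name from a lockfile path, handling nesting and scopes, e.g.
// "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Returns a list of { pkg, rule, detail } findings; empty means clean.
function auditLockfile(lock, privateScopes = PRIVATE_SCOPES) {
  const findings = [];
  if (!lock.packages) {
    findings.push({ pkg: '', rule: 'old-lockfile',
      detail: 'no "packages" map (lockfileVersion 1); regenerate with npm 7 or later' });
    return findings;
  }
  const allowed = [PUBLIC_REGISTRY, ...Object.values(privateScopes)];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || entry.link) continue; // root project or workspace symlink
    const name = packageName(lockPath);
    const resolved = entry.resolved || '';
    if (!allowed.some((r) => resolved.startsWith(r))) {
      findings.push({ pkg: name, rule: 'non-registry-source', detail: resolved || '(no resolved URL)' });
    }
    if (!entry.integrity) {
      findings.push({ pkg: name, rule: 'missing-integrity',
        detail: 'no integrity hash; tarball contents are not pinned' });
    }
    const scope = scopeOf(name);
    if (scope && privateScopes[scope] && !resolved.startsWith(privateScopes[scope])) {
      findings.push({ pkg: name, rule: 'dependency-confusion',
        detail: `${scope} must resolve from ${privateScopes[scope]}, got ${resolved}` });
    }
  }
  return findings;
}

// .npmrc lines that prevent the confusion finding and shrink the blast radius
// of a hijacked package: pin each private scope to its registry, do not run
// dependencies' install scripts, and save exact versions. Standard npm keys;
// the registry URL is the hypothetical one above.
function recommendedNpmrc(privateScopes = PRIVATE_SCOPES) {
  const lines = Object.entries(privateScopes).map(([scope, reg]) => `${scope}:registry=${reg}`);
  lines.push('ignore-scripts=true');
  lines.push('save-exact=true');
  return lines;
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.rule.padEnd(21)} ${f.pkg}: ${f.detail}`);
}
console.log('\nRecommended .npmrc:\n' + recommendedNpmrc().join('\n'));
```

Run it with `node` against the embedded sample; to audit a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and install with `npm ci`, which fails when the lockfile and package.json disagree instead of silently re-resolving.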

Please read the guide, put these suggestions into practice, spread the word to your friends and coworkers, and suggest changes.

There are many other language ecosystems, and we need help to produce more prescriptive documents that support developers in using open source securely. If you have comments on the npm document, or would like to contribute a best practice for another ecosystem, please get in touch with us in the package manager best practices repository.

Now that the US government and the Open Source Security Foundation have released guidance to strengthen software supply chain security, it is up to developers to act on it.

This week, the US Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) jointly released a best practices framework for developers to prevent future supply chain attacks, turning the lessons learned from the SolarWinds software supply chain attack into practical advice.

Alongside the US government’s recommendations, the Open Source Security Foundation published its npm Best Practices guide, setting out open source best practices for supply chain security.

The publication, Securing the Software Supply Chain for Developers, states that the developer “holds a critical responsibility to the security of our software,” according to the agencies.

https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF

As the Enduring Security Framework (ESF) examined the circumstances leading up to the SolarWinds attack, it became clear that investment was needed in a set of best practices centered on the needs of the software developer.

Separately, the OpenSSF announcement noted that the npm registry has grown to 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, applaud the industry’s proactive stance, but Burch adds that the cybersecurity industry must now put these guidelines into practice, particularly a recommendation for the implementation of software bills of materials (SBOMs).

In order to improve software supply chain security, Burch said, “What we need now is for the AppSec community to come together on the strength of this guidance and create a standard format and implementation for SBOMs.”
