Number 3
May 3, 2023

The software supply chain

Some countries have laws that require certain foods to be traceable. For example, you can go to a restaurant in Spain and order a ribeye, and then learn all kinds of information about that ribeye: which cow it came from, where that cow was born, where it was raised, what it ate, where it was slaughtered, etc. However, when you install a game on your phone while you wait for your delicious and traceable ribeye, you often find it difficult to learn any information about that software. Sometimes, you don’t even know who made it!

Little Red Riding Hood talks to the wolf, who's disguised as her granny. “Are you really my granny? Let me check your certificate…”

Some people have been worrying about this problem for years; that's why some platforms require all installable software to be digitally signed. A signature tells you who published a package, though, not what went into it or how it was built. Most companies still have little control over where their software comes from, which worries many governments because this problem has already caused grave trouble.

For example, the maker of Ukraine's most popular accounting package was hacked in 2017, and the attackers snuck some “extra” code into its software updates. Days after one of those updates shipped, the whole country was paralyzed by what looked like a ransomware attack (it was really a wiper dressed up as ransomware: paying got you nothing back).

Something similar happened in 2020 with the SolarWinds hacks (though other companies were hacked too). Just like in 2017, the hackers tampered with a product used by many customers, including governments. This time they got into the vendor's build system, so the altered update came out with the vendor's own valid signature. When customers installed it, the hackers gained access and started a gigantic spy campaign.

Cyberattacks are not the only issue. In December 2021, a critical vulnerability (CVE-2021-44228, “Log4Shell”) was found in Log4j, a logging library buried inside a huge share of Java applications. The whole industry went bonkers because, to solve the problem, every company needed to inventory, verify, and update every program on every computer it owned, and most of them had no inventory to start from.

After the 2017 and 2020 incidents, the US government decided this could not keep happening: in May 2021 it issued an executive order on improving the nation's cybersecurity and started talking with top software companies to develop mechanisms to fortify the software supply chain. The Log4j episode later that year made the need obvious to everybody else.

This is not about keeping ships full of bytes from running aground in the Suez Canal or ensuring that there are enough trucks to carry TCP/IP packets across the country; the idea is to be able to trace the origin of a piece of software just like you can trace that of a ribeye: who wrote each line of code, what libraries it uses, how it was compiled, etc.

Since there is a lot of money in keeping governments happy, we'll see many proposals, systems, and frameworks addressing this issue over the next few years. We will probably end up with something similar to SLSA, where the whole compilation and packaging process runs unattended on an isolated build platform that emits a digitally signed, tamper-evident provenance record (which source revision was built, by which builder, from which dependencies) together with a “software bill of materials” listing the components inside. Together they serve as a certificate of what's in the software and how it was produced, and they can be used to keep an inventory of what software runs on what computers.

Two features of this system matter most. First, humans are never given the keys that sign valid certificates; only the build platform has them. An attacker who breaks into a vendor's network, as in 2017, can still alter a finished update, but the certificate for the altered bytes no longer validates and the attacker cannot produce a new one. Second, the certificate names the exact source revision and the builder that produced the artifact. That is what addresses 2020: there the malicious code was added during the build itself, so the update came out with a perfectly valid signature, and key custody alone would not have caught it. An isolated build platform that only builds what is in version control turns an injected change into something that must show up in the reviewed source, and a mismatch between the provenance and the bytes you received is detectable by anyone who verifies it.
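The check described above, written out as an added example (this is not code from the original newsletter or from SLSA itself). It uses a deliberately minimal stand-in for a provenance statement with four fields; the repository URL, builder identifier, commit hash and artifact bytes are all constructed for the demo, and the build platform's Ed25519 key pair is generated on the spot instead of living in a hardware-backed signer as it would in practice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Provenance is a minimal stand-in for a SLSA-style provenance statement:
// what was built (by digest), from which source, by which builder.
type Provenance struct {
	SubjectDigest string `json:"subject_digest"` // sha256 of the artifact bytes
	SourceRepo    string `json:"source_repo"`
	SourceCommit  string `json:"source_commit"`
	BuilderID     string `json:"builder_id"`
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Attest is the build platform's side: it holds the signing key, hashes the
// artifact it just produced and signs the provenance. No human touches priv.
func Attest(priv ed25519.PrivateKey, artifact []byte, repo, commit, builder string) (Provenance, []byte, error) {
	p := Provenance{SubjectDigest: digest(artifact), SourceRepo: repo, SourceCommit: commit, BuilderID: builder}
	msg, err := json.Marshal(p) // struct field order makes this deterministic
	if err != nil {
		return Provenance{}, nil, err
	}
	return p, ed25519.Sign(priv, msg), nil
}

// Verify is the consumer's side before installing: check the signature with
// the builder's public key, recompute the digest, then apply policy.
func Verify(pub ed25519.PublicKey, artifact []byte, p Provenance, sig []byte, trustedBuilder, expectedRepo string) error {
	msg, err := json.Marshal(p)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("provenance signature invalid")
	}
	if p.SubjectDigest != digest(artifact) {
		return errors.New("artifact digest does not match provenance")
	}
	if p.BuilderID != trustedBuilder {
		return fmt.Errorf("untrusted builder %q", p.BuilderID)
	}
	if p.SourceRepo != expectedRepo {
		return fmt.Errorf("unexpected source repo %q", p.SourceRepo)
	}
	return nil
}

// Result holds the outcome of three verification attempts.
type Result struct{ Genuine, Tampered, Forged error }

// RunScenario plays out the genuine update, a 2017-style post-build tampering,
// and an attacker who rewrites the provenance but lacks the builder's key.
func RunScenario() Result {
	builderPub, builderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const repo = "https://example.com/vendor/accounting" // constructed
	const builder = "https://ci.example.com/builder"     // constructed
	const commit = "0123456789abcdef0123456789abcdef01234567"
	artifact := []byte("accounting-update-1.2.3 (constructed sample artifact bytes)")
	prov, sig, err := Attest(builderPriv, artifact, repo, commit, builder)
	if err != nil {
		panic(err)
	}
	var r Result
	r.Genuine = Verify(builderPub, artifact, prov, sig, builder, repo)
	// Attacker alters the finished update but cannot touch the provenance.
	tampered := append(append([]byte{}, artifact...), []byte(" + backdoor")...)
	r.Tampered = Verify(builderPub, tampered, prov, sig, builder, repo)
	// Attacker re-issues provenance for the tampered bytes with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, forgedSig, _ := Attest(attackerPriv, tampered, repo, commit, builder)
	r.Forged = Verify(builderPub, tampered, forged, forgedSig, builder, repo)
	return r
}

func main() {
	r := RunScenario()
	fmt.Println("genuine: ", r.Genuine)  // <nil>
	fmt.Println("tampered:", r.Tampered) // digest mismatch
	fmt.Println("forged:  ", r.Forged)   // signature invalid
}
```

Note what this does and does not cover: it catches bytes altered after the build and provenance signed by anyone other than the builder, which is the 2017 pattern. A compromised build platform, the 2020 pattern, would sign whatever it built; the defence there is that the provenance names the commit, so the built output can be compared with the reviewed source, and that the build runs isolated from the vendor's corporate network.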

Additionally, thanks to inventories derived from the software bill of materials, next time we have a debacle like the Log4j fracas, the organizations affected can look up where they use the vulnerable versions and go straight to the affected computers to clean them up. That only works if the inventory is complete, down to the libraries bundled inside other libraries, and if the version ranges are matched exactly; “we use Log4j somewhere” is not an answer.
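The lookup this paragraph describes, as an added example (not code from the newsletter or from any SBOM tool). The SBOM is a constructed, flattened list of components per host; a real CycloneDX or SPDX document carries far more fields, but the query reduces to the same three. The version range is the published one for Log4Shell: log4j-core from 2.0-beta9 up to, but not including, 2.15.0.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Component is one SBOM entry, reduced to what the query needs.
type Component struct {
	Host    string // machine or image the SBOM describes
	Name    string // package coordinates, e.g. "org.apache.logging.log4j:log4j-core"
	Version string
}

// SampleSBOM is constructed test data covering the cases that matter:
// in range, patched, wrong major, wrong artifact, and the two ends of the range.
var SampleSBOM = []Component{
	{"host-a", "org.apache.logging.log4j:log4j-core", "2.14.1"},
	{"host-b", "org.apache.logging.log4j:log4j-core", "2.17.1"},
	{"host-c", "log4j:log4j", "1.2.17"},
	{"host-d", "org.apache.logging.log4j:log4j-api", "2.14.1"},
	{"host-e", "org.apache.logging.log4j:log4j-core", "2.0-beta9"},
	{"host-f", "org.apache.logging.log4j:log4j-core", "2.0-beta8"},
}

// parseVersion splits "2.14.1" into [2 14 1] plus an optional pre-release
// suffix, so that "2.0-beta9" orders before "2.0".
func parseVersion(v string) ([]int, string) {
	core, pre, _ := strings.Cut(v, "-")
	var nums []int
	for _, part := range strings.Split(core, ".") {
		n, _ := strconv.Atoi(part) // non-numeric segments count as 0
		nums = append(nums, n)
	}
	return nums, pre
}

// versionLess reports a < b. Missing trailing segments count as 0, so
// "2.15" equals "2.15.0". Pre-release labels compare lexically, which is
// enough for this range but would misorder "beta10" against "beta9".
func versionLess(a, b string) bool {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := 0; i < len(an) || i < len(bn); i++ {
		var x, y int
		if i < len(an) {
			x = an[i]
		}
		if i < len(bn) {
			y = bn[i]
		}
		if x != y {
			return x < y
		}
	}
	if (ap == "") != (bp == "") {
		return ap != "" // a pre-release sorts before the release it precedes
	}
	return ap < bp
}

// VulnerableHosts returns, in SBOM order and without duplicates, the hosts
// that ship `name` at a version in the half-open range [first, fixed).
func VulnerableHosts(sbom []Component, name, first, fixed string) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, c := range sbom {
		if c.Name != name || seen[c.Host] {
			continue
		}
		if !versionLess(c.Version, first) && versionLess(c.Version, fixed) {
			seen[c.Host] = true
			hosts = append(hosts, c.Host)
		}
	}
	return hosts
}

func main() {
	hosts := VulnerableHosts(SampleSBOM, "org.apache.logging.log4j:log4j-core", "2.0-beta9", "2.15.0")
	fmt.Println(hosts) // [host-a host-e]
}
```

The exact matching is the point: host-d has the same version number but a different artifact, and host-f is one pre-release short of the affected range, and a grep for “log4j 2.14” would get both of them wrong. What no query can fix is a missing entry; a copy of log4j-core shaded into some other jar will only be found if the SBOM generator unpacked that jar.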

If you sell software, you should start getting ready for the day when you must provide traceability information: use version control, track your dependencies (pin them and record their checksums), and automate your build and publication pipelines so that releases are produced by a machine, not from a developer's laptop. By doing this today, you will be ready for tomorrow.

The illustration for this Coding Sheet comes from “Hansel & Grethel & Other Tales.”