Secure Software Supply Chains, Urges Former Go Lead Russ Cox
Sunday 21 September 2025, 17:34, by Slashdot
There are important steps we can take today, such as adopting software signatures in some form, making sure to scan for known vulnerabilities regularly, and being ready to update and redeploy software when critical new vulnerabilities are found. More development should be shifted to safer languages that make vulnerabilities and attacks less likely. We also need to find ways to fund open source development to make it less susceptible to takeover by the mere offer of free help. Relatively small investments in OpenSSL and XZ development could have prevented both the Heartbleed vulnerability and the XZ attack.

Some highlights from the 5,000-word article:

Make Builds Reproducible. 'The Reproducible Builds project aims to raise awareness of reproducible builds generally, as well as building tools to help progress toward complete reproducibility for all Linux software. The Go project recently arranged for Go itself to be completely reproducible given only the source code... A build for a given target produces the same distribution bits whether you build on Linux or Windows or Mac, whether the build host is X86 or ARM, and so on. Strong reproducibility makes it possible for others to easily verify that the binaries posted for download match the source code...'

Prevent Vulnerabilities. 'The most secure software dependencies are the ones not used in the first place: Every dependency adds risk... Another good way to prevent vulnerabilities is to use safer programming languages that remove error-prone language features or make them needed less often...'

Authenticate Software. ('Cryptographic signatures make it impossible to nefariously alter code between signing and verifying. The only problem left is key distribution...') 'The Go checksum database is a real-world example of this approach that protects millions of Go developers. The database holds the SHA256 checksum of every version of every public Go module...'

Fund Open Source. [Cox first cites the XKCD cartoon 'Dependencies,' calling it 'a disturbingly accurate assessment of the situation...'] 'The XZ attack is the clearest possible demonstration that the problem is not fixed. It was enabled as much by underfunding of open source as by any technical detail.'

The article also emphasized the importance of finding and fixing vulnerabilities quickly, arguing that software attacks must be made more difficult and expensive. 'We use source code downloaded from strangers on the Internet in our most critical applications; almost no one is checking the code.... We all have more work to do.'

Read more of this story at Slashdot.
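The "Authenticate Software" and "Make Builds Reproducible" points above both come down to the same mechanic: recompute a hash of the bits you actually received and compare it with the value a trusted record says you should have. The example below, added here and not taken from Cox's article or from the Go project's own source, reimplements the `h1:` hash that go.sum and the Go checksum database record for a module (SHA-256 over one line per file, sorted by name, each line being the hex SHA-256 of the file's contents followed by two spaces and the file name, with the final digest base64-encoded). The real toolchain computes this over the module zip, whose entries are named `module@version/path`; the example keeps the same entry-name layout but builds the files in memory. The module `example.com/m`, its two files, and the tampered variant are all constructed for the illustration; go.sum's separate `/go.mod`-only lines are deliberately rejected rather than handled.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles holds a module's files keyed by zip entry name. The Go toolchain
// hashes the module zip, whose entries are named "<module>@<version>/<path>",
// so the keys use that layout.
type ModuleFiles map[string][]byte

// Hash1 implements the "h1:" hash recorded in go.sum: SHA-256 over one line per
// file, sorted by name, each line being "<hex sha256 of contents>  <name>\n",
// with the final digest base64-encoded and prefixed with "h1:".
func Hash1(files ModuleFiles) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("dirhash: filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names) // the hash must not depend on map iteration order
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// ParseGoSumLine splits a go.sum line "module version h1:..." into its parts.
func ParseGoSumLine(line string) (module, version, hash string, err error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return "", "", "", fmt.Errorf("malformed go.sum line: %q", line)
	}
	if strings.HasSuffix(f[1], "/go.mod") {
		return "", "", "", errors.New("go.mod-only hashes are not handled by this example")
	}
	if !strings.HasPrefix(f[2], "h1:") {
		return "", "", "", fmt.Errorf("unknown hash algorithm in %q", f[2])
	}
	return f[0], f[1], f[2], nil
}

// Verify recomputes the module hash from the files and compares it with the
// go.sum line. It first refuses content whose entry names do not belong to the
// module/version named on the line, so a zip for the wrong module is rejected
// before any hash comparison.
func Verify(files ModuleFiles, goSumLine string) (bool, error) {
	module, version, want, err := ParseGoSumLine(goSumLine)
	if err != nil {
		return false, err
	}
	prefix := module + "@" + version + "/"
	for name := range files {
		if !strings.HasPrefix(name, prefix) {
			return false, fmt.Errorf("entry %q does not belong to %s@%s", name, module, version)
		}
	}
	got, err := Hash1(files)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// sampleModule is a constructed two-file module used only for illustration;
// example.com/m is not a real module.
func sampleModule() ModuleFiles {
	return ModuleFiles{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n\ngo 1.22\n"),
		"example.com/m@v1.0.0/m.go":   []byte("package m\n\nfunc Answer() int { return 42 }\n"),
	}
}

func main() {
	files := sampleModule()
	h, err := Hash1(files)
	if err != nil {
		panic(err)
	}
	line := "example.com/m v1.0.0 " + h
	fmt.Println("go.sum line:", line)

	ok, err := Verify(files, line)
	fmt.Println("pristine module verifies:", ok, err)

	// Change one character, as a tampered download or a proxy serving altered bits would.
	tampered := ModuleFiles{}
	for k, v := range files {
		tampered[k] = append([]byte(nil), v...)
	}
	tampered["example.com/m@v1.0.0/m.go"] = []byte("package m\n\nfunc Answer() int { return 43 }\n")
	ok, err = Verify(tampered, line)
	fmt.Println("tampered module verifies:", ok, err)
}
```

The hash itself only proves that the bits match the recorded value; what makes the scheme useful is that the record (your go.sum, or the checksum database's transparency log) was obtained through a channel the attacker who altered the download does not control. That is the key-distribution problem Cox points to, and reproducible builds extend the same check one step further back, from the module source to the binary built from it.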
https://developers.slashdot.org/story/25/09/21/0650219/secure-software-supply-chains-urges-former-go...