OpenSSF responds to CISA, advocates for a multifaceted approach to software identification

December 18, 2023 By Aaron Linskens


In October 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a white paper, Software Identification Ecosystem Option Analysis. Following the release of that paper, the Department of Homeland Security (DHS), CISA's parent organization, initiated a request for comment (RFC), which closed last week.

The white paper addresses the critical challenges organizations face in accurately tracking their connected systems of software development, also known as software supply chains.

CISA maintains that this tracking is essential for effective user support, inventory management, and vulnerability assessment. In its view, a harmonized software identification ecosystem is pivotal for correlating software information with vulnerabilities and patches, and for enhancing automation and software bill of materials (SBOM) utilization. In response, the Open Source Security Foundation (OpenSSF) has published a comprehensive response to the request for comments.

Charting a course with industry leaders

OpenSSF's blog post was a collaborative effort, co-authored by Dr. David A. Wheeler, director of open source supply chain security at the Linux Foundation, and Brian Fox, governing board member at the OpenSSF and chief technology officer (CTO) and co-founder of Sonatype. Fox also served as the OpenSSF CISA-RFC Committee Chair.

While acknowledging CISA's dedication to addressing a complex problem, Wheeler and Fox underscored the global dynamics of software development and advocated for an internationally supported solution.

Their blog post emphasized the critical nature of software identification in today's reality where nearly every company is a software company and the majority of software is open source.

A call for precision: Refining software identification strategies

OpenSSF stressed the importance of refining the problem statement, underlying requirements, and use cases, emphasizing a deeper exploration of specific use cases in their response to CISA.

They contended that software identifiers gain significance not intrinsically, but by enabling various tasks. According to OpenSSF, identifying key use cases provides a clearer path to solving the broader problem of software identification.

In challenging CISA's presumptions, particularly the requirements against "identifier reuse" and "overidentification," OpenSSF argues that these are derived requirements and may not always be practical. Their response suggests a shift in focus towards use cases for increased flexibility.

Furthermore, the OpenSSF blog post highlighted the global nature of software development, emphasizing the necessity for any solution to garner international support. They argued against the feasibility of a single identifier system, proposing the definition and widespread sharing of conventions instead.

Proposed starting points for a solution

OpenSSF identified the following starting points for a potential solution:

  • Leverage the domain name system (DNS) as a global namespace for software: OpenSSF suggested using DNS as a global namespace for software, citing its scalability and international support. In their blog post, they noted that some ecosystems already use reverse-DNS names, providing a countermeasure against typosquatting and dependency confusion.
  • Incorporate cryptographic hashes: While acknowledging cryptographic hashes as essential for specific identification, OpenSSF cautioned against relying on them alone due to their limitations, such as being over-precise, non-human-readable, and lacking semantic information.
  • Establish package URL (purl) as a de facto standard: OpenSSF highlighted purl as a de facto standard in many situations, especially in the context of the OpenSSF Open Source Vulnerability (OSV) schema, Sonatype's OSS Index, SPDX, and CycloneDX. Purl was commended for being human-readable and carrying semantic information, building on DNS and allowing for extension to support new ecosystems.
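
How the three starting points fit together in an inventory check, as an added example (not code from OpenSSF, CISA, or Sonatype): a simplified purl parser, a name-level versus byte-level comparison showing why a hash alone is over-precise, and a reverse-DNS namespace check. The package `com.example.widgets/widget-core`, the lookalike namespace, and the artifact bytes are constructed for illustration.

```python
import hashlib
from urllib.parse import parse_qsl, unquote

def parse_purl(purl):
    """Simplified parse of pkg:type/namespace/name@version?qualifiers#subpath."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg":
        raise ValueError("not a purl: " + purl)
    rest, _, _subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    ptype, _, path = rest.strip("/").partition("/")
    path, _, version = path.partition("@")
    namespace, _, name = path.rpartition("/")
    return {"type": ptype.lower(), "namespace": unquote(namespace),
            "name": unquote(name), "version": unquote(version),
            "qualifiers": dict(parse_qsl(query))}

def same_component(a, b):
    """Same release by name: ignores qualifiers such as checksum."""
    pa, pb = parse_purl(a), parse_purl(b)
    return all(pa[k] == pb[k] for k in ("type", "namespace", "name", "version"))

def same_artifact(a, b):
    """Same bytes: both purls carry a checksum qualifier and the values match."""
    ca = parse_purl(a)["qualifiers"].get("checksum")
    cb = parse_purl(b)["qualifiers"].get("checksum")
    return ca is not None and ca == cb

def namespace_under_domain(purl, domain):
    """True when the namespace is the reverse-DNS form of `domain` or below it."""
    prefix = ".".join(reversed(domain.lower().split(".")))
    ns = parse_purl(purl)["namespace"].lower()
    return ns == prefix or ns.startswith(prefix + ".")

def with_checksum(purl, data):
    """Attach the purl 'checksum' qualifier for the given artifact bytes."""
    return purl + "?checksum=sha256:" + hashlib.sha256(data).hexdigest()

# Constructed sample data (hypothetical package and lookalike namespace).
BASE = "pkg:maven/com.example.widgets/widget-core@1.4.2"
BUILD_A = with_checksum(BASE, b"constructed jar bytes, build A")
BUILD_B = with_checksum(BASE, b"constructed jar bytes, build B")
LOOKALIKE = "pkg:maven/com.examp1e.widgets/widget-core@1.4.2"

if __name__ == "__main__":
    print(same_component(BUILD_A, BUILD_B), same_artifact(BUILD_A, BUILD_B))
    print(namespace_under_domain(BASE, "example.com"),
          namespace_under_domain(LOOKALIKE, "example.com"))
```

Two rebuilds of one release match by purl but not by hash, so vulnerability correlation keys on the purl while integrity verification keys on the checksum.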

Collaborative effort and international cooperation

OpenSSF posited that a single software identifier for all cases is unlikely. Instead, they assert the focus should be on defining and sharing conventions to address real-world use cases. The response encouraged consistency, scalability, reproducibility, and global applicability in any proposed solution.

The OpenSSF response reflects a collaborative effort within the industry to contribute to improving the security of open source software. The blog post encourages ongoing international cooperation in finding effective solutions to the challenges posed by software identification.

Sonatype and OpenSSF: A powerful partnership for software security

To enhance security of open source software, the collaboration between Sonatype and OpenSSF illustrates a partnership committed to securing software supply chains. Sonatype, as the stewards of Maven Central, and OpenSSF have joined forces on various initiatives, showcasing their dedication to advancing the field.

Last month, the OpenSSF published comments in response to a request from the ONCD for information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization. The OpenSSF committee responsible for comments to the DHS was also chaired by Fox and included input from Wheeler and a similar cadre of organizations.

However, this isn't limited to comments on public policy. More collaboration involves cross-foundational efforts, such as in the recent Cloud Native Security Slam. Through this event, the Cloud Native Computing Foundation (CNCF) increases their usage of OpenSSF Scorecard through their security measurement tool, CLOMonitor. The event is organized by Eddie Knight, the technical program manager for Sonatype's open source program office (OSPO). As part of this event, Sonatype has created courses for the OpenSSF Education Special Interest Group (SIG), and served as a communication bridge between OpenSSF and the CNCF's Security Technical Advisory Group. The former effort resulted in publication of official Linux Foundation Training courses on OpenSSF Scorecard, SBOMs and signatures, and open source security self-assessments.

Another significant project demonstrating the OpenSSF and Sonatype partnership is the Open Source Consumption Manifesto, which counts Brian Fox and Jeff Wayman as co-authors. Along with other members of the OpenSSF, Sonatype worked to shape this manifesto, emphasizing best practices in the consumption of open source software.

Fox's involvement also underscores the depth of collaboration between Sonatype and OpenSSF and their shared commitment to addressing critical challenges in global software development.

As the industry grapples with the complexities outlined in CISA's white paper, the collaboration between Sonatype and OpenSSF serves as a beacon of effective partnership. Their combined expertise and dedication to software security contribute significantly to ongoing international efforts aimed at finding innovative and practical solutions to the challenges posed by software identification.


Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.