Get a Handle on Software Supply Chain Security with LFX

Ransomware deservedly makes the headlines, but protecting the software supply chain is just as important. At the recent Linux Foundation Member Summit, Jim Zemlin, the Linux Foundation's executive director, unveiled its newest effort to protect our code: LFX Security.
LFX Security currently supports dependency and vulnerability scanning for JavaScript, Node.js (npm), Java, .NET, Scala, Ruby, Python, Golang, and PHP. It will work with any of the popular source-control systems (SCS), including GitHub, Bitbucket, GitLab, Azure, and others.
It does this by combining automatic vulnerability scanning, via Snyk's open-source security platform, with scanning for secrets-in-code and non-inclusive language, via BluBracket's automatic scanning functionality. It's a powerful one-two punch.
Snyk, as you probably know, does this by hunting for almost 12,000 known open source vulnerabilities in your codebase. This helps you clean your software supply chains at their source.
Security issues are classified as high, medium, or low risk, based in part on Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) records. An inventory of your project's detected dependencies and licenses is then mapped along with the dependency details.
Since new security vulnerabilities appear every day, the LFX Security vulnerability database is updated every week. It is refreshed from weekly checks against thousands of approved open source repository vulnerability databases, bug bounties, security advisories, and security articles and reports. A zero-day can still make its way through, but you'll be safe from most known bugs.
The Snyk component also looks up and reports on your licenses. It does this by scanning your project's Git-based repository and checking your dependencies' licenses against the Software Package Data Exchange (SPDX) license list. Besides being popular in its own right, SPDX is now an ISO standard. It can be tricky working out which license applies to a given dependency; generally, it's worked out by looking at the stated license on the package, metadata from the registry, and license information in manifest files.
BluBracket brings scanning for secrets-in-code and non-inclusive language to LFX Security.
What kind of secrets-in-code? BluBracket's service scans for passwords, credentials, keys, and access tokens, both pre- and post-commit. If these are left embedded in your code, it makes it all too easy for hackers to waltz their way into your repositories and active code. It's rumored that the recent massive Twitch hack may have resulted from secrets embedded in its running code.
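To make the pre- and post-commit idea concrete, here is a minimal secrets-in-code scanner as an added example; it is not BluBracket's or LFX Security's code. The pattern set, the 3.5-bit entropy threshold and the sample file contents are all constructed for illustration.

```python
import math
import re

# Illustrative patterns for the secret classes the article names (passwords,
# credentials, keys, access tokens). A production scanner ships hundreds more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{6,})["']"""),
    "generic_token": re.compile(r"""(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']"""),
}

def shannon_entropy(s):
    """Bits per character: random tokens score high, placeholders score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, entropy_threshold=3.5):
    """Return [(line_no, finding_type, matched_value)] for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # Low-entropy "tokens" are usually placeholders (CHANGE_ME), not leaks.
            if kind == "generic_token" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((line_no, kind, value))
    return findings

def scan_diff(diff_text):
    """Pre-commit use: only added ('+') lines can introduce a new secret.
    Line numbers in the result index the added lines, not the file."""
    added = [l[1:] for l in diff_text.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))

# Constructed sample file (not from any real project): the token and key values
# are made up, and the AWS key ID is Amazon's documented example value.
SAMPLE_SOURCE = r"""# config.py
DB_HOST = "db.internal.example"
DB_PASSWORD = "s3cr3t-Pa55w0rd!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "CHANGE_ME_CHANGE_ME_CHANGE_ME"
SERVICE_TOKEN = "x8Qz2Lm9vB4nR7tK1pW3sY6uD0eF5hJ2aC"
PRIVATE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...truncated..."
"""
```

Running `scan_text(SAMPLE_SOURCE)` flags lines 3, 4, 6 and 7 and skips the CHANGE_ME placeholder on line 5; `scan_diff` is the shape a pre-commit hook would call on `git diff --cached`.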
BluBracket can also detect non-inclusive and offensive language in project code. BluBracket is working with the Inclusive Naming Initiative on this functionality.
There is one odd thing though with BluBracket’s offering. Its service’s code, unlike Snyk’s, has not been open-sourced. Indeed, in the service’s terms and conditions, the company flat out states: “Customer shall not, and shall not permit others to: (a) alter, reverse engineer, decompile, disassemble, create derivative works, or otherwise seek to obtain the source code of, or APIs to the BluBracket Platform and Applications or any portion thereof.” This is not what I expected to find in a service being offered under the Linux Foundation name.
The results can only be seen by maintainers and contributors on the LFX Security display. But if your project is on a public repository, anyone who can see the repository can see the vulnerability summary, which shows the total number of issues.
To put LFX Security to work, you must onboard your project from your SCS to LFX Security. You do this from the LFX Security Project Control Center. As part of this onboarding, a security bot is installed on your SCS. For now, the system is still GitHub-centric. It's also still coming together, and as I write it's not available. To get their attention, you can get on the waiting list or use your Linux Foundation membership to raise a ticket. But it will be soon. Come that day, if you can live with the licensing, I urge you to check it out.