Tracy Ragan: My Favorite Open Source Security Projects
“Every one of us has a superpower. Go apply your superpowers to one of these groups because we really, really need you,” said Ragan, who in a keynote lauded the work of the Open Source Security Foundation (OpenSSF) and the hardworking movers and shakers behind it.
Security has become a dominant theme in the open source world, she noted, and though “we’re all working very, very hard to produce software that is secure and has high quality … now we’re realizing we have to do better.”
It should be noted that Ragan, the CEO and co-founder of DeployHub, is up to her eyeballs in participation herself. She has served on the OpenSSF Governing Board, and was a founding board member of the CD Foundation (CDF) and the Eclipse Foundation.
“Many, many new tools are being brought to market in the open source world,” she said. “We have tools coming out of the OpenSSF. We have tools coming out of the Continuous Delivery Foundation, and we have tools coming out of the [Cloud Native Computing Foundation] projects. I’ve only listed a few of my favorites here.”
SLSA (Supply-Chain Levels for Software Artifacts)
The OpenSSF released version 1.0 of SLSA, pronounced “salsa,” in April. SLSA offers a common vocabulary for discussing software supply chain security, a way to assess upstream dependencies, a checklist for improving software security, and a way to measure compliance efforts in line with the forthcoming Secure Software Development Framework (SSDF) standards. Version 1.0 divides its requirements into multiple tracks, each focused on a specific area of the software supply chain, such as build, source and dependencies. The first track is focused on builds.
“The SLSA levels are very important for really understanding how you can bring security into your build process,” she said.
Pyrsia
Pyrsia is an open source software community initiative under the CDF and originally created at JFrog. It uses blockchain technology as part of a decentralized, secure build network and software package repository that provides developers with the provenance of the packages they are using.
Developers receive a digitally signed, immutable chain of evidence for their code, which is an essential building block for software bills of materials (SBOMs). JFrog, along with others including Docker, DeployHub, Futurewei and Oracle, launched Pyrsia in May 2022. Pyrsia is built in Rust, and its GitHub repository describes the project as being at an early alpha stage, working toward a minimum viable product.
“If you want to do SLSA you can implement Pyrsia,” Ragan said. “Pyrsia really checks off a lot of the SLSA boxes. It’s what’s called a decentralized package network. What that means is you can basically think about keeping the various libraries out of your build by building it across a decentralized package or a decentralized network, where you’re doing builds in multiple locations and they’re checking against each other to make sure that they all have the same exact result.
“I know from working in the build space for a long time that some people say, ‘We can barely get one build to work,’” Ragan said. “Believe me, you can do this.”
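The two ideas above, SLSA provenance for a build and Pyrsia's cross-checking of builds done in several places, come together in the following added Python example. It is not code from OpenSSF, SLSA or Pyrsia: it assumes the SLSA v1.0 in-toto provenance layout (predicateType https://slsa.dev/provenance/v1 with a buildDefinition and runDetails), the builder identities, artifact bytes and provenance statements are all constructed for the example, and it deliberately skips verifying the DSSE signature on each statement, which a real consumer must do before trusting the builder id it carries.

```python
import hashlib

# Identifiers from the SLSA v1.0 provenance format (in-toto Statement v1 envelope).
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Builder identities this consumer trusts (constructed names; in a real deployment
# the id is only meaningful after the statement's DSSE signature has been verified).
TRUSTED_BUILDERS = {
    "https://builder.example/node-a",
    "https://builder.example/node-b",
    "https://builder.example/node-c",
}

# Constructed stand-in for a package downloaded from the network.
ARTIFACT = b"constructed package contents\n"
ARTIFACT_NAME = "app-1.0.tar.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(builder_id: str, name: str, digest: str) -> dict:
    """Build a minimal SLSA v1 provenance statement (constructed test data)."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": digest}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builder.example/build-types/container/v1",
                "externalParameters": {"source": "https://git.example/app@v1.0"},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def parse_provenance(statement: dict, name: str) -> tuple:
    """Return (builder_id, claimed_sha256) for `name`, or raise ValueError."""
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        raise ValueError("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        raise ValueError("not SLSA v1 provenance")
    try:
        builder = statement["predicate"]["runDetails"]["builder"]["id"]
    except (KeyError, TypeError):
        raise ValueError("missing predicate.runDetails.builder.id") from None
    if builder not in TRUSTED_BUILDERS:
        raise ValueError(f"untrusted builder {builder}")
    for subject in statement.get("subject", []):
        if subject.get("name") == name and "sha256" in subject.get("digest", {}):
            return builder, subject["digest"]["sha256"]
    raise ValueError(f"no sha256 subject named {name}")


def verify_decentralized_build(artifact: bytes, name: str, statements: list, quorum: int = 2) -> dict:
    """Accept `artifact` only if at least `quorum` distinct trusted builders report the
    digest we observe and no trusted builder reports a different one (a divergent
    build means either non-reproducibility or a compromised node, and needs a look)."""
    observed = sha256_hex(artifact)
    agreeing, disagreeing, invalid = set(), set(), []
    for statement in statements:
        try:
            builder, claimed = parse_provenance(statement, name)
        except ValueError as err:
            invalid.append(str(err))
            continue
        (agreeing if claimed == observed else disagreeing).add(builder)
    return {
        "accepted": len(agreeing) >= quorum and not disagreeing,
        "agreeing": sorted(agreeing),
        "disagreeing": sorted(disagreeing),
        "invalid": invalid,
    }


if __name__ == "__main__":
    good = sha256_hex(ARTIFACT)
    statements = [
        make_statement("https://builder.example/node-a", ARTIFACT_NAME, good),
        make_statement("https://builder.example/node-b", ARTIFACT_NAME, good),
        make_statement("https://builder.example/node-c", ARTIFACT_NAME, "00" * 32),  # divergent build
    ]
    print(verify_decentralized_build(ARTIFACT, ARTIFACT_NAME, statements))
```

The decision rule is the strict one: statements from unknown builders or with the wrong schema are simply not counted, but a trusted builder that reports a different digest blocks acceptance outright rather than being outvoted, because that disagreement is exactly the signal a decentralized build network exists to surface.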
Scorecard
Scorecard is a tool from OpenSSF to automate the analysis and trust decisions on the security of open source projects. It looks at a number of heuristics or “checks” associated with software security and assigns a score from zero to 10 for each one. You can use these scores to understand specific areas of your security posture that need attention. It also allows you to assess the risks that dependencies introduce, make informed decisions about accepting these risks, evaluate alternative solutions or work with maintainers to make improvements.
“Everybody should be able to get this done,” Ragan said. “This is all built into GitHub with Actions. It’s low-hanging fruit; you can get started pretty quickly. So check out the scorecard.”
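One way to act on those per-check scores when deciding whether to accept a dependency, as an added Python example that is not code from the Scorecard project: it assumes the layout of Scorecard's `--format=json` output (a top-level `score` and a `checks` list of entries with `name`, `score` and `reason`, where a score of -1 means the check could not run), the per-check floors are a policy choice invented for the example, and the report below is constructed sample data rather than any real repository's result.

```python
import json

# Minimum acceptable score per check. These floors are a policy choice made up for
# this example; checks not listed here only count through the overall floor.
CHECK_FLOORS = {
    "Dangerous-Workflow": 10,
    "Token-Permissions": 7,
    "Vulnerabilities": 7,
    "Binary-Artifacts": 8,
    "Maintained": 5,
}
OVERALL_FLOOR = 6.0

# Constructed report in the shape of `scorecard --format=json`; not a real repository's result.
SAMPLE_REPORT = json.dumps({
    "date": "2023-06-01",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0" * 40},
    "score": 5.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0, "reason": "detected GitHub workflow tokens with excessive permissions"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
        {"name": "Maintained", "score": -1, "reason": "internal error: could not query commit activity"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
    ],
})


def evaluate(report: dict, floors: dict = CHECK_FLOORS, overall_floor: float = OVERALL_FLOOR) -> dict:
    """Apply per-check floors and an overall floor to a Scorecard report.

    A score of -1 means Scorecard could not run the check, so it is reported as
    inconclusive rather than silently treated as a pass (fail closed)."""
    by_name = {c.get("name"): c for c in report.get("checks", [])}
    findings, inconclusive = [], []
    for name, floor in floors.items():
        check = by_name.get(name)
        if check is None:
            inconclusive.append(f"{name}: missing from report")
            continue
        score = check.get("score", -1)
        reason = check.get("reason", "")
        if score < 0:
            inconclusive.append(f"{name}: {reason or 'check did not run'}")
        elif score < floor:
            findings.append(f"{name}: {score} < {floor} ({reason})")
    overall = report.get("score", -1)
    if overall < overall_floor:
        findings.append(f"overall: {overall} < {overall_floor}")
    if findings:
        decision = "reject"
    elif inconclusive:
        decision = "review"
    else:
        decision = "accept"
    return {
        "repo": report.get("repo", {}).get("name"),
        "decision": decision,
        "findings": findings,
        "inconclusive": inconclusive,
    }


def gate(report_json: str) -> dict:
    """Parse Scorecard JSON text and evaluate it."""
    return evaluate(json.loads(report_json))


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_REPORT), indent=2))
```

The three-way outcome matters in practice: a hard failure on a check you care about is a reject, but a check that could not run is not evidence either way, so it lands in a review bucket instead of being waved through because "nothing failed".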
Alpha-Omega
Introduced in February 2022, Alpha-Omega involves working with project maintainers to identify as-yet-undiscovered vulnerabilities in open source code and get them fixed. The “Alpha” part looks for areas of the open source ecosystem where funding could have a big impact. It works with maintainers on the “Omega” side to find corrections for vulnerabilities in the 10,000 most critical open source projects. There, it offers automated security analysis, scoring and remediation guidance to users.
Last fall at Open Source Summit Europe, OpenSSF announced that Microsoft had developed and donated technology for the Omega Analysis Toolchain, which orchestrates over 27 different security analyzers to identify critical security vulnerabilities in open source packages. It also announced grants of $460,000 to the Rust Foundation, $300,000 to Node.js, and $400,000 for the Eclipse Foundation, all to improve security.
Ragan called Alpha-Omega one of her favorite projects from its inception.
Ortelius
Ortelius is a project from the CDF to centralize supply chain and microservices management into one tool. Originally developed by DeployHub and OpenMake Software, it is an incubating project at CDF.
Ortelius tracks and versions development and security details for every component of your software supply chain. You can use Ortelius to track microservice version drift across clusters, aggregate SBOM information, and manage the use of various reused components across teams and environments. Ragan is the project’s executive director.
“To be honest, in the future in terms of DevOps, we want to start doing things in a much more intelligent way,” she said. “We want to automate things; we want to make things happen in a magic way. Well, that’s AI.
“The problem with AI and DevOps is that we don’t have the data. If we think about GitHub and tools like Copilot, how those tools are trying to become real, is they have the data. They can go look at all of the open source git repositories and find code snippets and make a decision. … We don’t have that in DevOps, so Ortelius is that dream. It’s a centralized evidence store of both security and DevOps information from the SBOM all the way up to logical applications in a decoupled environment and pulling all that information together. So you have one place to grab that info and in the future, have places to define policies and build AI systems.”
CDEvents
Also from the CDF, CDEvents provides a vendor-neutral specification for defining the format of event data to provide interoperability across services, platforms and systems. Ragan called it “one of the most important projects in DevOps today.”
Lack of standardization has meant developers have had to constantly re-learn how to consume events, limiting the use of event data across the ecosystem.
“If we think about how we’ve implemented our pipeline, we’re closed,” she told the Open Source Summit audience. “We have — literally, in this room — we have millions of workflows. Now, if you want to add the generation of SBOM to your workflows, you’re going to have to go visit a lot of workflows. CDEvents solves the interoperability problem … and potentially can automate the templating of your workflows.”
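The scenario in that quote, adding SBOM generation once rather than editing every workflow, is what the following added Python consumer sketches; it is not code from the CDEvents or CDF projects. It assumes the CDEvents JSON layout of a `context` block (version, id, source, type, timestamp) and a `subject` block (id, source, type, content), and that an `artifact.packaged` event's subject id is a package URL; the events from the two hypothetical CI systems are constructed, and the SBOM job queue is a stand-in that only records what it would run.

```python
import json
import re

# CDEvents type names look like dev.cdevents.<subject>.<predicate>.<major>.<minor>.<patch>.
ARTIFACT_PACKAGED = re.compile(r"^dev\.cdevents\.artifact\.packaged\.(\d+)\.(\d+)\.(\d+)$")

# Constructed events from two different CI systems plus one redelivery; the
# context/subject layout is the CDEvents one assumed in the lead-in.
SAMPLE_EVENTS = json.dumps([
    {
        "context": {"version": "0.3.0", "id": "evt-0001", "source": "/jenkins/prod-pipeline",
                    "type": "dev.cdevents.artifact.packaged.0.1.1", "timestamp": "2023-06-01T10:00:00Z"},
        "subject": {"id": "pkg:oci/app@sha256%3A" + "ab" * 32, "source": "/jenkins/prod-pipeline",
                    "type": "artifact", "content": {"change": {"id": "c0ffee", "source": "git.example/org/app"}}},
    },
    {
        "context": {"version": "0.3.0", "id": "evt-0002", "source": "/tekton/build",
                    "type": "dev.cdevents.artifact.packaged.0.1.0", "timestamp": "2023-06-01T10:05:00Z"},
        "subject": {"id": "pkg:golang/git.example/org/lib@v1.2.3", "source": "/tekton/build",
                    "type": "artifact", "content": {}},
    },
    {
        "context": {"version": "0.3.0", "id": "evt-0003", "source": "/tekton/build",
                    "type": "dev.cdevents.pipelinerun.finished.0.1.1", "timestamp": "2023-06-01T10:06:00Z"},
        "subject": {"id": "run-42", "source": "/tekton/build", "type": "pipelineRun", "content": {"outcome": "success"}},
    },
    # evt-0001 delivered a second time (at-least-once delivery is normal for event buses).
    {
        "context": {"version": "0.3.0", "id": "evt-0001", "source": "/jenkins/prod-pipeline",
                    "type": "dev.cdevents.artifact.packaged.0.1.1", "timestamp": "2023-06-01T10:00:00Z"},
        "subject": {"id": "pkg:oci/app@sha256%3A" + "ab" * 32, "source": "/jenkins/prod-pipeline",
                    "type": "artifact", "content": {}},
    },
])


class SbomJobQueue:
    """Stand-in for whatever runs the SBOM generator; records jobs and dedupes by event id."""

    def __init__(self):
        self.jobs = []
        self._seen = set()

    def enqueue(self, event_id: str, purl: str, producer: str) -> bool:
        if event_id in self._seen:
            return False
        self._seen.add(event_id)
        self.jobs.append({"event_id": event_id, "purl": purl, "producer": producer})
        return True


def handle_event(event: dict, queue: SbomJobQueue) -> str:
    """Route one CDEvent; returns queued | duplicate | ignored | unsupported | invalid."""
    context = event.get("context") or {}
    match = ARTIFACT_PACKAGED.match(context.get("type", ""))
    if not match:
        return "ignored"        # not artifact.packaged; other consumers care about it, we don't
    if int(match.group(1)) != 0:
        return "unsupported"    # a major version this consumer was never written against
    event_id = context.get("id")
    purl = (event.get("subject") or {}).get("id", "")
    if not event_id or not purl.startswith("pkg:"):
        return "invalid"        # the subject of artifact.packaged is expected to be a package URL
    return "queued" if queue.enqueue(event_id, purl, context.get("source", "")) else "duplicate"


def process(events_json: str) -> dict:
    """Consume a batch of events and return outcome counts plus the resulting SBOM jobs."""
    queue = SbomJobQueue()
    counts = {}
    for event in json.loads(events_json):
        outcome = handle_event(event, queue)
        counts[outcome] = counts.get(outcome, 0) + 1
    return {"counts": counts, "jobs": queue.jobs}


if __name__ == "__main__":
    print(json.dumps(process(SAMPLE_EVENTS), indent=2))
```

The point is that the consumer never looks at which CI system produced the event, only at the event type and subject, so the SBOM step is written once; the dedupe on the event id and the explicit "unsupported major version" branch are the two edge cases an event consumer in a pipeline needs from day one.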
“Every single one of you can be a hero. Every single one of you has something to offer to solve this problem. … Showing up is half the battle,” she said, urging conference attendees to check out the various working groups.