May 21, 2021

Know your software: contributing to cybersecurity through traceability

A recent executive order from the President of the United States focused on responding to cybersecurity threats has a full section dedicated to “Enhancing Software Supply Chain Security”. It announces forthcoming standards, procedures, or criteria regarding in particular means for:

 (x)  ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.

KYSW and SBOM are coming …

Indeed, today most software products integrate and reuse external components, the majority of them open source, and it is impossible to guarantee that a software system is secure without knowing the parts that compose it and where they come from. A new principle is emerging: if you develop, integrate, acquire or run a software-based system, you need to “Know your software” (KYSW), just as banks have an obligation called “Know your customer” (KYC).
Ensuring complete traceability of the whole software supply chain involves creating, sharing, validating and tracking all software components, in both binary and source code form. This is not an easy task, and NTIA has been working hard to put together an information package on how this can be done through a Software Bill of Materials (SBOM).

… and Software Heritage can help!

Software Heritage can help in this necessary effort to improve the traceability of the software supply chain in several respects:

  • it is building and maintaining a neutral, common, shared, open, non-profit reference knowledge base encompassing all the software source code that is publicly available
  • it stores all the source code and its development history in a uniform, technology-neutral global Merkle graph, which provides, together with the growing mirror network, a transparent source of trust
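The Merkle graph mentioned above is what makes the archive independently verifiable: every node carries an intrinsic identifier (a SWHID such as `swh:1:cnt:...` or `swh:1:dir:...`) derived from the object's own bytes with git-compatible hashing, so anyone holding the source can recompute the identifier and check it against an SBOM entry without trusting a third party. The following is an added example, not code from Software Heritage or from the original post; it recomputes content and directory identifiers for a small constructed set of files (plain files only, no nested directories or symlinks) and checks them against expected values.

```python
import hashlib
from typing import Dict

def sha1_git(obj_type: str, data: bytes) -> str:
    """Git-style object hash: SHA-1 over "<type> <length>\\0<data>"."""
    header = f"{obj_type} {len(data)}".encode() + b"\0"
    return hashlib.sha1(header + data).hexdigest()

def content_swhid(data: bytes) -> str:
    """Intrinsic identifier of a file's bytes (same hash git uses for blobs)."""
    return "swh:1:cnt:" + sha1_git("blob", data)

def directory_swhid(files: Dict[str, bytes]) -> str:
    """Identifier of a flat directory of regular files (git tree format).

    Each entry is "<mode> <name>\\0<20 raw bytes of the child's sha1_git>",
    entries sorted by name. Because the child hashes are part of the input,
    any change to any file changes the directory identifier (Merkle property).
    Assumption: regular files only (mode 100644); subdirectories and
    executables would need their own modes and git's "/"-suffixed sort order.
    """
    entries = b""
    for name in sorted(files):
        child = bytes.fromhex(sha1_git("blob", files[name]))
        entries += f"100644 {name}".encode() + b"\0" + child
    return "swh:1:dir:" + sha1_git("tree", entries)

def verify_content(data: bytes, expected_swhid: str) -> bool:
    """Check that local bytes match the identifier recorded in, e.g., an SBOM."""
    return content_swhid(data) == expected_swhid

# Constructed sample input, stands in for a vendored component.
SAMPLE_FILES: Dict[str, bytes] = {
    "README": b"hello\n",
    "util.py": b"def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, content_swhid(data))
    dir_id = directory_swhid(SAMPLE_FILES)
    print("directory", dir_id)
    # Tampering with one byte of one file yields a different directory id.
    tampered = dict(SAMPLE_FILES, **{"util.py": b"def add(a, b):\n    return a - b\n"})
    print("tampered directory differs:", directory_swhid(tampered) != dir_id)
```

The same identifiers can be looked up in the Software Heritage archive, which turns a local hash check into a provenance check against an independent, mirrored record.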
You can take advantage of these features right now:

We are also delighted to welcome contributors willing to build the “listers” and “loaders” needed to fully automate the archival of a broader spectrum of code hosting platforms, package repositories and version control systems, thanks to a grant from the Sloan Foundation.
