2021-11-09 –, Room 3
Package Managers are an increasingly popular target of attack.
Their near-ubiquity in many software ecosystems places developers and end-users at risk while their critical supply chain role makes code execution a frequent consequence of compromise.
However with this centralized risk, there is centralized opportunity: Even modest process and policy changes stand to markedly improve each package manager's respective ecosystem.
The limited resources available to maintainers should be spent where they can deliver the greatest security benefit.
To this end, we present high-value interventions that apply standardized tools and frameworks like Supply-chain Levels for Software Artifacts (SLSA) to the generalized package management domain.
It's an old refrain that the security ideal is for your code to run nowhere and do nothing.
Therein lies the original sin of software packaging: It helps software run anywhere and do anything.
What's worse, most of it is other people's software.
Fundamentally, package managers facilitate reuse with the aim of making developers more productive.
Common abstractions or tools need only be written and packaged a handful of times to serve an entire ecosystem.
This incentive structure often leads package managers to prioritize flexibility, stability, and ease-of-use over security and authenticity.
But even if these priorities could be inverted, code reuse is simply too valuable and too widespread to give up. If anything, we can expect a relentless increase in the depth and breadth of package dependency graphs.
From this somewhat gloomy premise, how do we manage this growing complexity?
We posit that the only scalable, generalized option to address these supply chain security concerns is automated dependency graph analysis.
Graph analysis can utilize metadata like author identity, source origin, and packaging procedure to track packages' security posture, vulnerability status, etc. in an ecosystem-agnostic fashion.
But for this sort of analysis to provide any security value, we need to have trustworthy metadata in standard data formats.
Supply-chain Levels for Software Artifacts (SLSA) provides a suitable framework for both standardized data formats and tracking progressive compliance.
And instead of rooting trust in elaborate public key infrastructure, we propose bootstrapping it off of existing, durable developer identities.
Finally, ecosystem change is never easy, perhaps least of all when it involves new security controls.
As such, these building blocks are purposely easy to deploy, adaptable to various ecosystems, and provide sufficient incentive to make implementation worthwhile.
Matthew works on Supply Chain Security at Google.