How Python's New Security Developer Hopes To Help All Software Supply Chains (thenewstack.io)
Long-time Slashdot reader destinyland writes: The Linux Foundation recently funded a new "security developer in residence" position for Python. (It's funded through the Linux Foundation's own "Open Software Security foundation", which has a stated mission of partnering with open source project maintainers "to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed to improve global software supply chain security.") The position went to the lead maintainer for the HTTP client library urllib3, the most downloaded package on the Python Package Index with over 10 billion downloads. But he hopes to create a ripple effect by demonstrating the impact of security investments in critical communities — ultimately instigating a wave of improvements to all software supply chains. (And he's also documenting everything for easy replication by other communities...)
So far he's improved the security of Python's release processes with signature audits and security-hardening automation. But he also learned that CVE numbers were being assigned to newly-discovered vulnerabilities by the National Cyber Security Division of America's Department of Homeland Security — often without talking to anyone at the Python project. So by August he'd gotten the Python Software Foundation authorized as a CVE Numbering Authority, which should lead to more detailed advisories (including remediation information), now reviewed and approved by Python's security response teams.
"The Python Software wants to help other Open Source organizations, and will be sharing lessons learned," he writes in a blog post. And he now says he's already been communicating with the Curl program about his experiences to help them take the same step, and even authored a guide to the process for other open source projects.
WTF? Code security for supply chain security? (Score:1)
That does not work. Those are two different things. Apparently, the bullshit is strong with this initiative. That does not bode well.
Re: (Score:2)
The "software supply chain" is just a fanciful term for library dependencies (in his case the Python ecosystem), and making sure reporting and fixes actually make their way through the system in a more disciplined manner.
Re: (Score:2)
I am well aware this is about software. The problem is that even there "supply chain" refers to delivering the libraries, not to making them. A supply-chain attack on software refers to software getting compromised after it got written and before it arrives on the site it is used at. And hence code vulnerabilities and _software_ supply chain security are two entirely different things.
Incidentally, a library dependency has nothing to do with a (software) supply chain. It is just a dependency. Or are you tell
Re: (Score:2)
code vulnerabilities and _software_ supply chain security
But it's not talking about code vulnerabilities. It's talking about the processes for dealing with things like CVEs, and not the actual vulnerabilities themselves.
Incidentally, a library dependency has nothing to do with a (software) supply chain. It is just a dependency.
Maybe it didn't used to, but it does, and should, when it comes to open source development.
If you have a dependency on a library with some CVE and a fix, then you need to make sure that the dependency on that fix (or collection of fixes) gets reflected in all the versioning and packaging so that everything gets updated more smoothly across the
Re: (Score:3)
The problem is that even there "supply chain" refers to delivering the libraries, not to making them.
That's not what anyone else uses supply chain [wikipedia.org] to mean. It means the whole process of providing items that are used to provide the end product. In a software context [wikipedia.org], it definitely includes the process of writing the libraries that an application depends on, and thus the individuals who write those libraries. A software supply chain also includes the toolchains used while developing the application and its dependencies, and the dependencies of those libraries.
That is why the phrase includes the word "chai
Re: (Score:2)
The term doesn't include everything. Where did you even get that idea?
Re: (Score:2)
Not at all. You just can't read. Or won't.
Re: (Score:2)
"...and making sure reporting and fixes actually make their way through the system in a more disciplined manner."
But not that, only that someone got picked to receive money.
Re: (Score:2)
The bullshit is in the article. Nothing in the actual job description implies it is to "fix vulnerabilities in code"; that's probably just poor wording, and the source for that claim just points to a headline and some generic corporate video talk I wouldn't bother with because ... well, the posting is clearly about curating the actual process of some specific Python "supply chains":
The Security Developer-in-Residence will work full-time during the initiative to formalize existing security practices and become more proactive in Python-related security improvements. The new role will be responsible for addressing security issues across PSF projects such as CPython and PyPI, and applying knowledge and expertise and working with volunteers to implement key improvements in a timely manner. They will also establish new processes and features that make it easier to prevent, detect, and respond to security risks to lay a foundation that makes it easier and more sustainable for the community to identify and address security issues going forward.
Re: (Score:2)
Yep, all it says is that somebody will give someone some money and a title, where that someone will be "responsible" and "work with" people to "establish" things. Nothing, in other words.
I wish him sincere luck! (Score:2)
I wish him sincere luck but it's sometimes a joke how professionally working IT people take security into consideration so it might be ever harder with typical Python users who work in other fields of activity.
So far he's improved the security of Python's release processes with signature audits and security-hardening automation.
Signatures and audits "automation" have their limits. Also, even Microsoft had certs stolen and rogue code signed with them.
But he also learned that CVE numbers were being assigned to newly-discovered vulnerabilities by the National Cyber Security Division of the America's Department of Homeland Security — often without talking to anyone at the Python project.
Maybe the Python project should subscribe to CVE advisories alerts! /s
Re:I wish him sincere luck! (Score:5, Insightful)
Signatures and audits "automation" have their limits.
Yeah, no shit. He's not claiming that it's the be-all and end-all. But it needs doing and he's making it happen. Nowhere is he claiming that it is enough.
Maybe the Python project should subscribe to CVE advisories alerts! /s
But that's too late. You don't get CVE alerts until the CVE gets assigned, but he wants the Python project to be involved BEFORE the CVE is assigned, e.g. when they are looking at a specific area of code for a bug. Surely you can't disagree that it would help everyone if security issues get worked on by everyone involved as early as possible?
Re: (Score:2)
"Surely you can't disagree that it would help everyone if security issues gets worked on by everyone involved as early as possible?"
But this is about giving someone money and a title, all that could happen without money and a title, plus the money and title doesn't do that.
Re: I wish him sincere luck! (Score:2)
What's your suggestion? Or are you suggesting somebody volunteer their time but otherwise do it for free? Is there anybody out there with enough spare time to do it effectively? Will such a volunteer be taken seriously and be able to establish relationships and processes with other entities?
Re: (Score:2)
Signatures and audits "automation" have their limits. Also, even Microsoft had certs stolen and rogue code signed with them.
"Even" Microsoft? They are literally the first people I would expect to get compromised. Their corporate culture is widely reported to be cannibalistic, and they run Windows.
They should have hired Alice (Score:1)
Sorry. Not Sorry. (Score:1)