
Scribe Security launches tools for integrity validation – The New Stack

From hacked updates to compromised open source code, software supply chain attacks don’t seem to be slowing down. In 2021, 62% of organizations faced attacks. Securing the supply chain can be challenging due to its many components and numerous opportunities for exploitation by cybercriminals. Scribe Security, a cybersecurity company specializing in the software supply chain, aims to make security an easy standard to meet.

Scribe is launching a code integrity validator, Scribe Integrity, that verifies and authenticates proprietary and open source code. For developers, this provides more transparency to ensure that the code does not contain any malicious components. In an interview with The New Stack, Scribe Security CTO and founder Danny Nebenzahl said, “It’s not something in DevSec’s current toolkit. Unfortunately, in many areas, safety does not come first.”

Accompanying the release of Scribe Integrity is GitGat, an open source GitHub security project from the company. GitGat is a free policy-as-code tool that lets users run reports giving a holistic view of an organization’s security posture, built on the Open Policy Agent (OPA) policy engine. Both products are in their early stages, but given the state of open source software security, CEO and co-founder Rubi Arbel says the market has long been waiting for these tools. “Better security is crucial for the survival of open source technology. If people don’t trust open source, they won’t use it.”

The quest for software integrity

According to Nebenzahl, Scribe’s approach to protecting against open source and supply chain attacks focuses on artifacts. Treating code with unrelenting suspicion, Nebenzahl says, “When an artifact is created, we tell it it’s guilty unless it can prove otherwise. At this point, metaphorically, the artifact should collect evidence that will prove its innocence. Along this pipeline, policies can be evaluated.”

What qualifies as evidence? Nebenzahl says it varies. “Integrity of materials and processes or final artifacts, proof that nothing has been changed. It could also be things that have to do with processes, like did the right people sign what they needed? It could have to do with factory security: are the doors locked?” This evidence-gathering ability is part of what Scribe calls its bottom-up concept. On the other side is the “top-down description”, where employees in higher positions can use data insights for compliance and other matters.

“This information is what connects the bottom-up and top-down approach. The DevSecOps guy is worried if the code has changed. The CISO guy is more concerned with ‘Did we respect the SDF?’, which requires integrity and preservation along the pipeline,” Nebenzahl said. Arbel weighed in to agree. “The main purpose of the tool is to give users an idea of what integrity should look like along the pipeline.” He continued, “Suppose you have a Node. What would pipeline integrity checking look like if you only had two points, the beginning and the end, including open source component checking?”

The road to release has not been easy, says Arbel. Software integrity is inherently a difficult problem, and creating the technology behind Scribe Integrity has been fraught with hurdles. The evidence collectors, or sensors as Arbel calls them, were a complex puzzle to solve. “We had to develop sensors whose main task is to collect evidence that is not collected by anyone today. It’s not just application logs from GitHub or Jenkins, it’s a new type of data. We need to generate the data, collect it, and then transfer it to a secure place where we can run our rules engines on it. And this is the second challenge.”

Deciding what’s suspicious and what’s not isn’t always as straightforward for a machine as one might think. Arbel continued, “Let’s say the data is metadata in the hash of a cryptographically hard signature. So now you have it, but now you have to decide what a normal process is. What is an anomaly, and when integrity changes, you need to understand whether some specific change is legitimate or not.”
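The flow described in the last few paragraphs, an artifact that is treated as guilty until the evidence gathered along the pipeline proves otherwise, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Scribe's code and says nothing about how Scribe Integrity is implemented internally. Each pipeline stage records a signed evidence entry carrying the artifact's SHA-256 digest and the identity that signed it, and a final policy step returns every rule the artifact fails. HMAC-SHA256 with constructed keys stands in for real signatures, and the stage names, signer identities and artifact bytes are all constructed for the example.

```python
"""Evidence-based artifact integrity check along a toy CI pipeline.

Added example, not Scribe's code. Each stage records a signed evidence
entry (stage, artifact digest, signer); a policy step then decides whether
the artifact has proven its "innocence". HMAC-SHA256 with constructed keys
stands in for real signatures.
"""
import hashlib
import hmac
import json

# Constructed keys: one per identity allowed to sign evidence.
SIGNING_KEYS = {
    "build-server": b"build-key-constructed",
    "release-manager": b"release-key-constructed",
}


def digest(artifact: bytes) -> str:
    """Content identity of the artifact: its SHA-256 hex digest."""
    return hashlib.sha256(artifact).hexdigest()


def _payload(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def record_evidence(stage: str, artifact: bytes, signer: str) -> dict:
    """Produce one signed evidence entry for a pipeline stage."""
    body = {"stage": stage, "digest": digest(artifact), "signer": signer}
    sig = hmac.new(SIGNING_KEYS[signer], _payload(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_evidence(entry: dict) -> bool:
    """True only if the entry's signature matches its body under the claimed signer's key."""
    body = entry["body"]
    key = SIGNING_KEYS.get(body["signer"])
    if key is None:
        return False
    expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["sig"])


def evaluate_policy(evidence, final_artifact, required_stages, required_signer):
    """Return the list of policy violations; an empty list means the artifact is trusted."""
    violations = []
    valid = [e for e in evidence if verify_evidence(e)]
    if len(valid) != len(evidence):
        violations.append("tampered or unsigned evidence entry")
    stages = {e["body"]["stage"]: e["body"] for e in valid}
    for s in required_stages:
        if s not in stages:
            violations.append(f"missing evidence for stage {s}")
    digests = {b["digest"] for b in stages.values()}
    if len(digests) > 1:
        violations.append("artifact digest changed between stages")
    if stages and digest(final_artifact) not in digests:
        violations.append("final artifact does not match recorded evidence")
    if required_signer not in {b["signer"] for b in stages.values()}:
        violations.append(f"no evidence signed by {required_signer}")
    return violations


def demo() -> dict:
    """Run the policy over a clean pipeline, a swapped artifact and an edited evidence entry."""
    artifact = b"#!/bin/sh\necho hello\n"  # constructed artifact
    required = ["build", "test", "release"]
    evidence = [
        record_evidence("build", artifact, "build-server"),
        record_evidence("test", artifact, "build-server"),
        record_evidence("release", artifact, "release-manager"),
    ]
    results = {}
    results["clean"] = evaluate_policy(evidence, artifact, required, "release-manager")
    # The deployed artifact differs from what every stage attested to.
    results["swapped"] = evaluate_policy(
        evidence, artifact + b"# unexpected change\n", required, "release-manager")
    # An evidence body edited after signing: the signature no longer verifies.
    forged = json.loads(json.dumps(evidence[2]))
    forged["body"]["signer"] = "build-server"
    results["forged"] = evaluate_policy(
        evidence[:2] + [forged], artifact, required, "release-manager")
    return results


if __name__ == "__main__":
    for name, violations in demo().items():
        print(name, "->", violations or "trusted")
```

The policy deliberately reports every failed rule rather than stopping at the first one, which is what a reviewer needs when deciding whether a change was legitimate: a digest mismatch with an otherwise complete, correctly signed evidence chain tells a different story from a missing release signature.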

Now that Scribe Integrity is ready for public use, Arbel is confident in the uniqueness of the technology. “There is no good technology for software integrity today that we know of, especially one that can do this automatically to pipelines.”

Securing open source projects

The open source bug spread quite quickly. While that’s been an astronomical help in advancing the technology, Nebenzahl says security tends to be an afterthought.

“The open source movement, which started with a more volunteer ecosystem, is now more business-oriented with business-related activities inside. What drove it in the beginning was community development, and now we see business and technology development,” he said.

While he acknowledges that’s not a bad thing, Nebenzahl says users should be aware of the lack of security. “Anyone building an open source project has not currently committed to any security requirements,” he noted. “He doesn’t build a product, he doesn’t render a service. He just writes code. Safety and regulatory requirements become moot when you start using this technology. However, when it comes to real scenarios and real products, or real responsible companies, people scratch their heads and say, ‘Hey, what about the security of these parts?’”

Weak security oversight has been the cause of millions of dollars in hacker thefts and the nail in the coffin of otherwise strong companies. The developer community continues to grow and change the way code is shared, and it’s more important than ever to remain vigilant about software supply chain security. As the open source community grows and attacks continue, prepare to see tools like Scribe Security at the forefront of the fight.