Know your software: contributing to cybersecurity through traceability
A recent executive order from the President of the United States focused on responding to cybersecurity threats has a full section dedicated to «Enhancing Software Supply Chain Security». It announces forthcoming standards, procedures, or criteria regarding in particular means for:
(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
KYSW and SBOM are coming …
Indeed, today a large proportion of software products integrate and reuse external components, most of them open source, and it is impossible to guarantee that a software system is secure without knowing the parts that compose it and where they come from. It is becoming clear that a new principle is emerging: if you develop, integrate, acquire or run a software-based system, you need to «Know your software» (KYSW), just like banks have an obligation called «Know your customer» (KYC).
Ensuring complete traceability of the whole software supply chain involves creating, sharing, validating and tracking all software components, in binary and source code form. This is not an easy task, and NTIA has been working hard to put together an information package on how this can be done through a Software Bill of Materials (SBOM).
… and Software Heritage can help!
Software Heritage can help in this necessary effort to improve the traceability of the software supply chain in several respects:
- it is building and maintaining a neutral, common, shared, open, non-profit reference knowledge base encompassing all the software source code that is publicly available
- it stores all the source code and its development history in a uniform, technology-neutral global Merkle graph that, together with the growing mirror network, provides a transparent source of trust
- it provides uniform, technology-independent, cryptographically strong intrinsic identifiers, the SWHIDs, to track source code artifacts at all levels (file, directory, revision, release, snapshot); SWHIDs are supported in SPDX 2.2 and mentioned in the NTIA documentation.
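To make the "intrinsic identifier" point concrete, here is an added example (not code from the post or from Software Heritage's own libraries) that computes SWHIDs for the two lowest levels of the graph, a file content (`swh:1:cnt:`) and a directory (`swh:1:dir:`), from nothing but the bytes themselves. Both follow the Git object hashing that SWHIDs are defined on, so `git hash-object` gives the same digest for a file; the revision, release and snapshot levels are not implemented here. The sample files and the `ExternalRef` tag-value line (category `PERSISTENT-ID`, type `swh`, as I recall the SPDX 2.2 syntax) are my own constructions, and the `verify_content` check shows the defender-side use: an identifier in an SBOM can be recomputed from the artifact you actually received, so a substituted or modified component fails the check.

```python
import hashlib
from typing import List, Tuple

# A directory entry: (name, kind, swhid) where kind is "file" or "dir".
Entry = Tuple[str, str, str]


def _digest_of(swhid: str) -> bytes:
    """Extract the raw 20-byte SHA-1 from a SWHID such as swh:1:cnt:<hex>."""
    scheme, version, _kind, hexdigest = swhid.split(":")
    if scheme != "swh" or version != "1" or len(hexdigest) != 40:
        raise ValueError(f"not a core SWHID: {swhid}")
    return bytes.fromhex(hexdigest)


def swhid_content(data: bytes) -> str:
    """SWHID of a file content: SHA-1 over the Git blob header plus the bytes."""
    digest = hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()
    return f"swh:1:cnt:{digest}"


def swhid_directory(entries: List[Entry]) -> str:
    """SWHID of a directory: SHA-1 over a Git tree object built from its entries.

    Entries are sorted by name, with directory names compared as if they had a
    trailing "/", which is the Git (and Software Heritage) ordering rule. The
    identifier therefore depends only on the entries, never on insertion order.
    """
    def sort_key(entry: Entry) -> str:
        name, kind, _ = entry
        return name + "/" if kind == "dir" else name

    body = b""
    for name, kind, swhid in sorted(entries, key=sort_key):
        mode = b"40000" if kind == "dir" else b"100644"  # tree vs. regular file
        body += mode + b" " + name.encode("utf-8") + b"\0" + _digest_of(swhid)
    digest = hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()
    return f"swh:1:dir:{digest}"


def verify_content(swhid: str, data: bytes) -> bool:
    """True if the bytes in hand are exactly the content the SWHID designates."""
    return swhid_content(data) == swhid


def spdx_external_ref(swhid: str) -> str:
    """SPDX 2.2 tag-value line pointing a package at its SWHID (assumed syntax)."""
    return f"ExternalRef: PERSISTENT-ID swh {swhid}"


# Constructed sample tree:  ./README.md  and  ./src/main.c
README = b"hello world\n"
MAIN_C = b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n'


def sample_directory_swhid(main_c: bytes = MAIN_C) -> str:
    """Directory SWHID of the sample tree; main_c can be swapped to show tampering."""
    src = swhid_directory([("main.c", "file", swhid_content(main_c))])
    # Insertion order deliberately differs from sorted order.
    return swhid_directory([("src", "dir", src), ("README.md", "file", swhid_content(README))])


if __name__ == "__main__":
    readme_id = swhid_content(README)
    print(readme_id)                         # same digest as: git hash-object README.md
    print(spdx_external_ref(sample_directory_swhid()))
    print(verify_content(readme_id, README))             # True
    print(verify_content(readme_id, README + b"\n"))     # False: one extra byte
```

Because the identifier is intrinsic, the same bytes yield the same SWHID whoever computes it, with no registry to trust; that is what lets a consumer, an archive mirror and an SBOM author agree on the identity of a component independently.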
You can take advantage of these features right now:
- learn more about the SWHID identifiers and use them for designating source code artifacts for traceability
- ensure that the open source components relevant for you are properly archived:
- for projects that are maintained using git, subversion or mercurial on a public code hosting platform, you can simply trigger archival using the Save Code Now functionality, and then get the corresponding SWHID (these guidelines, originally designed for research software, cover the key steps)
- for industrial use, contact us and join the Software Heritage Deposit Interest Group
We are also delighted to welcome contributors willing to build the «listers» and «loaders» needed to fully automate the archival of a broader spectrum of code hosting platforms, package repositories and version control systems, thanks to a grant from the Sloan Foundation.