Securing the Software Supply Chain, One Step at a Time
Ensuring the security of the software is of paramount importance to any company, and more so for the companies who develop and supply the software. With opportunities for an infection of malware at each step of the software supply chain, securing the chain has become a key concern in a world controlled by interacting software systems.
A collaborative project by researchers at New Jersey Institute of Technology (NJIT) and New York University (NYU) has developed a system that helps close security gaps and provides companies with certification that their software supply chain remains free of cyberattacks.
Reza Curtmola, a computer science professor at NJIT's Ying Wu College of Computing; Justin Cappos, a professor in the computer science and engineering department at NYU; Santiago Torres-Arias, the lead doctoral student on this project; and their partners will publish a paper describing their system later this summer at the 28th USENIX Security Symposium, a top system security conference.
The project was previously funded through the Defense Advanced Research Projects Agency and is currently funded by the National Science Foundation.
Curtmola said their work has focused on integration with open-source software to make it as accessible as possible. They call their software solution in-toto.
“Right now, the reality is the end users blindly assume that the software they use is safe, that the developers followed safe practices. But you don’t really know ... bad guys could attack at any point, add malware, remove security patches, etc.,” Curtmola said.
To provide peace of mind and certify security, in-toto creates a framework to give integrity to the entire software supply chain, adding security measures to address each individual step of the process, he said.
Curtmola said the typical scenario is that source code is written by a team of software developers. The code is then tested for bugs or defects. If it passes, it is built, packaged and put on a repository such as git or other open-source version control systems for people or companies to download and use.
Once it’s in use, companies add their own security and protections to ensure that malware cannot be added. That sounds good, but there is a chance that something malicious was hidden inside the code before it was released, so the end user would not know anything was wrong until it was too late.
That’s where in-toto comes in. In-toto is designed to ensure the integrity of a software product from inception to end-user installation by allowing the end user to verify that all operations on the product were done by the developer, and only by the developer. It does so by making it transparent to the end user what steps were performed, by whom and in what order. As a result, with some guidance from the group who developed the software, in-toto allows the end user to verify that no third party maliciously interfered with the software development and supply chain.
“As each step happens, a statement is generated to confirm that it has happened. With our framework, we collect these statements and make them available to the end users. They will get a warning if there’s an issue with their products,” Curtmola said.
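An added illustration of the model described above; it is not in-toto's own code or API. Each supply-chain step emits a signed statement (in-toto calls these links) recording hashes of what it consumed and produced, and the end user checks those statements against a developer-supplied layout naming the expected steps, their order and who may sign them. The keys, step names and file contents are constructed for the example, and an HMAC stands in for in-toto's asymmetric signatures so the block runs offline.

```python
import hashlib
import hmac
import json

# Constructed functionary keys (assumption: real in-toto uses asymmetric keys).
KEYS = {"alice": b"constructed-dev-key", "bob": b"constructed-build-key"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(signer: str, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS.get(signer, b""), msg, "sha256").hexdigest()

def make_link(step: str, signer: str, materials: dict, products: dict) -> dict:
    """The per-step statement: hashes of inputs and outputs, signed by the functionary."""
    body = {"step": step, "signer": signer,
            "materials": {n: digest(d) for n, d in materials.items()},
            "products": {n: digest(d) for n, d in products.items()}}
    return {"signed": body, "sig": sign(signer, body)}

def verify(layout: list, links: dict) -> list:
    """Check each expected step's link: authorized signer, valid signature, and
    inputs equal to the previous step's outputs. Returns findings (empty = OK)."""
    findings, prev_products = [], None
    for step in layout:
        link = links.get(step["name"])
        if link is None:
            findings.append(f"{step['name']}: no link recorded")
            continue
        body = link["signed"]
        if body["signer"] not in step["authorized"]:
            findings.append(f"{step['name']}: unauthorized signer {body['signer']}")
        if not hmac.compare_digest(sign(body["signer"], body), link["sig"]):
            findings.append(f"{step['name']}: signature does not verify")
        if prev_products is not None and body["materials"] != prev_products:
            findings.append(f"{step['name']}: inputs differ from previous step's outputs")
        prev_products = body["products"]
    return findings

# The developer-supplied layout: which steps, in what order, signed by whom.
LAYOUT = [{"name": "write-code", "authorized": ["alice"]},
          {"name": "build", "authorized": ["bob"]}]

def demo() -> tuple:
    src = {"main.c": b"int main(void) { return 0; }"}  # constructed source file
    links = {"write-code": make_link("write-code", "alice", {}, src),
             "build": make_link("build", "bob", src, {"app": b"\x7fELF..."})}
    clean = verify(LAYOUT, links)
    # Now the build step consumed a file that differs from what the developer produced.
    altered = {"main.c": b"int main(void) { /* modified in transit */ return 0; }"}
    links["build"] = make_link("build", "bob", altered, {"app": b"\x7fELF..."})
    return clean, verify(LAYOUT, links)
```

Running `demo()` returns an empty finding list for the untouched chain and a single finding for the altered one, which is the warning the end user would receive.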
In-toto is already available and integrated with many widely used software projects and operating systems, including git, Debian and Datadog.
“Datadog is a monitor for cloud applications, providing data analytics for services in the cloud. They currently have more than 8,000 clients including Twitter, NASDAQ and the Washington Post,” Curtmola said.
Curtmola said having their paper on in-toto published at the USENIX Symposium is an honor and shows that in-toto is recognized by some of the best experts in the field. “It’s confirmation that it is good enough to be used in practice, no mean feat for a system developed in an academic environment.”
For more information on in-toto, visit its website here.