The Software Supply Chain Security Future
And How Capability Based Security Could Be The Solution
The current problem with the software supply chain is that anyone can create open source software, and you are expected either to trust it implicitly or to conduct a code review before importing that source code.
This is impossible to do because:
You are expected to prefer open source to solve problems in the industry and not to reinvent the wheel (build on the shoulders of giants… or of any high school kid building an open source portfolio).
You will have to import tens to hundreds of dependencies to create any basic web app (for example https://github.com/facebook/create-react-app/blob/main/package-lock.json).
Each of these dependencies will likely be updated in the future.
Given those issues, you actually can’t code a web app and review all the code that goes into it, nor can you say that anyone reviewed the app; and given the nested dependencies that will be pulled into the project, you are more than likely importing projects with little support and questionable quality.
Currently, what I see being done in the companies I work for to avoid supply chain security issues is to use auto-updaters like Dependabot and scanners like Snyk to detect issues like reported CVEs and alert you with a PR bumping the version of the dependency to avoid the issue. Snyk and its friends will also apply a series of heuristics to alert you to any questionable packages in the project.
The problem with this is that it’s mostly reactive, and it doesn’t address issues that live in the pre/post install scripts inside those packages, which could expose your developer machines or CI system.
In my opinion, the future solution will be implementing a capability-based security model in the programming language itself. There is no reason any piece of code I import from the internet should have the same permissions on my system as the code I write myself. In a more perfect universe I could give it specific capabilities, like reading a specific file and writing to a specific file, but never access to my environment variables or the network.
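To make that concrete, here is an added example (not code from the original post) of the object-capability pattern in plain JavaScript: the host builds narrow, single-path read and write capabilities, hands only those to a dependency, and revokes them when the dependency is done. The file contents, paths and the `untrustedPlugin` function are constructed for the example.

```javascript
// Constructed in-memory stand-in for the filesystem so the example runs
// offline; a real host would wrap fs.promises the same way.
const files = new Map([
  ['/app/config.json', '{"theme":"dark"}'],
  ['/home/dev/.npmrc', '//registry/:_authToken=SECRET'], // never granted below
]);
// Read capability for exactly one path; the path lives in the closure, so the
// holder cannot redirect it to another file.
function makeReader(path) {
  return Object.freeze({
    read() {
      if (!files.has(path)) throw new Error(`no such file: ${path}`);
      return files.get(path);
    },
  });
}
// Write capability for exactly one path.
function makeWriter(path) {
  return Object.freeze({ write(data) { files.set(path, String(data)); return String(data).length; } });
}
// Wrap a capability so the host can revoke it once the dependency is done
// (for example after an install hook has run); later calls are refused.
function makeRevocable(cap) {
  let live = true;
  const proxy = new Proxy(cap, {
    get(target, prop) {
      if (!live) throw new Error('capability revoked');
      return Reflect.get(target, prop);
    },
  });
  return { cap: proxy, revoke() { live = false; } };
}
// A "third-party" module written capability-style: it names what it needs as
// parameters and receives nothing else (no fs, no process.env, no sockets).
function untrustedPlugin({ configReader, logWriter }) {
  const cfg = JSON.parse(configReader.read());
  logWriter.write(`theme=${cfg.theme}`);
  return cfg.theme;
}
// Host side: grant the narrowest capabilities, run the plugin, then revoke.
function runPlugin() {
  const { cap: configReader, revoke } = makeRevocable(makeReader('/app/config.json'));
  const logWriter = makeWriter('/app/plugin.log');
  const theme = untrustedPlugin({ configReader, logWriter });
  revoke();
  let afterRevoke = 'still allowed';
  try { configReader.read(); } catch (e) { afterRevoke = e.message; }
  return { theme, log: files.get('/app/plugin.log'), afterRevoke };
}
```

This only works because the plugin is written against the capabilities it is handed; in today's Node a dependency can still call `require('fs')` or read `process.env` on its own, and removing that ambient authority is exactly the part the language (or runtime) would have to supply.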
This blog post goes into more detail on how a system like this could have prevented the log4j CVE back in 2021.