Pyrsia open source initiative fuels confidence in software supply chain

Open source is everywhere, a critical part of almost every technology in use today.

This also makes it one of the biggest threat vectors. Cyber ​​attackers are increasingly looking for vulnerabilities in the software supply chain, such as critical vulnerabilities, misconfigured services, or leaked secrets.

“The myriad of tools and processes, not to mention the vast amounts of open source libraries and binaries, all present opportunities for accidental and nefarious injection of risk,” said Stephen Chin, VP of Developer Relations at the software supply chain security firm. JFrog.

The open-source software initiative Pyrsia was launched in Be able to 2022 to address this ubiquitous problem. It uses blockchain technology to secure software packages against vulnerabilities and malicious code.

To advance its mission and promote wider adoption, Pyrsia is now an incubation project under the Continuous delivery Foundation (CD). JFrog, which launched Pyrsia with other industry leaders, made the announcement today KubeCon.

“Pyrsia aims to provide a tool to establish and verify trust in the software delivery world,” said Chin, who is also a board member of the CDF.

He added that “we believe that open source security will only be successful if we provide the community with the same tools and services that are available to enterprises.”

Open source: useful, but easy to abuse

Recent research by Synopsys shows that open source libraries and components make up more than 75% of the code in the average software application. In addition, the average software application relies on more than 500 components.

As Chin noted, these open-source dependencies are useful, but they also present new vulnerabilities that threat actors can exploit.

Cybercrime is costing the global economy $6 trillion in 2021 — and this figure is expected to rise to $10.5 trillion by 2025. Gartner research reveals that 89% of companies have experienced a supplier risk event in the past five years, and a survey by Argon Security indicates that attacks on the software supply chain grew by more than 300% between 2020 and 2021.

“Open source is everywhere,” Chin says, “and while it has always been seen as a seed for innovation and modernization, the recent rise of attacks on the software supply chain has left every organization vulnerable.”

He identified three security threats to the software supply chain: unintended vulnerabilities, intentional vulnerabilities and malicious software packages. And, unlike vulnerabilities that require exploitation, malicious software packages contain malicious code that, when executed, performs unwanted actions and activities.

Verify trust

Chin described Pyrsia as an open source, decentralized, secure network and software package repository that provides developers with a digitally signed, immutable chain of proof for their code.

Using certified and peer-verified builds, it aims to build trust for open source packages used as dependencies in software development. It provides a decentralized packet network that understands packet coordinates, semantics and discoverability.

Pyrsia integrates with existing package management systems so developers can certify their software components without compromising compatibility, security or efficiency, Chin said. It also continues to work even if there are local outages.

“We learned recently as an industry that no one is safe from cybercrime, especially when malicious actors inject malicious packages into central repositories, causing damage to downstream systems and applications,” said Fatih Degirmenci, executive director of the CDF. Pyrsia “puts power back in the hands of developers and ultimately accelerates innovation.”

Blockchain: an immutable ledger

Confirming dependencies requires a reliable and verifiable log that is written once, read many times, and contains entries that are immutable, Chin explained. Trust also requires a database that is tamper-resistant and guarantees the discovery and resolution of malicious additions.

And blockchain technology has proven to be one of those immutable databases, as Chin explained, adding that blockchain implementation requires a consensus mechanism based on Byzantine fault tolerance (BFT) — the ability of a system to continue operating even if some nodes failure or acting maliciously.

This ensures that there is security against a takeover of the network, according to Chin, with consensus for each block of data captured. BFT algorithms can withstand attacks spanning the network and can tolerate up to a third of network failures.

Blockchain provides a scalable provenance log and is best suited for large amounts of chained data spread across wide networks (as evidenced by its success in the cryptocurrency world).

The technology can improve the state of the software supply chain by providing transparency into how open source software is built on the network, as Chin explained.

“This transparency is intended to give developers the confidence to use the open source library in their production environments,” he said.

JFrog and other open-source technology leaders — Docker, DeployHub, Futurewei, and Oracle — teamed up earlier this year to officially launch Pyrsia. Since then, they’ve helped create opportunities for cross-project collaboration within the CDF to link secure packages with community tools, Chin explains.

By working together now, JFrog and the CDF will ensure Pyrsia increases its support and engagement through the use of a centralized governance model, a defined roadmap and broad representation within the wider technology and open source communities, explains Chin.

“We are grateful for the support of our industry partners and the community for helping to secure open source so that it can continue to be a true source of innovation,” he said.