Towards Easier, More Secure Signature Technology for the Java Ecosystem with Sigstore
Abhishek Arya
@infernosec
Principal Engineer and Manager, Google Open Source Security Team (GOSST)
California, USA. Joined May 2009
Abhishek Arya’s Tweets
Nice to see more community partners step up and fund critical open source security audits. This is critical for OSS sustainability and security!
Quote Tweet
AWS Teams with OSTIF on Open Source Security Audits
AWS will be directly funding $500,000 to @OSTIFofficial as a portion of our ongoing initiative with @theopenssf
aws.amazon.com/blogs/opensour
We just announced the GA of the SLSA 3 Container Generator GitHub workflow. You can now generate provenance for containers by just adding a reusable workflow call to your GitHub Actions workflows! 🙌
Need a solution for verifying the integrity of your container images? Here is a #SLSA solution for you - slsa.dev/blog/2023/02/s . Also, start getting ready to board the #SLSA 1.0 Spec train (join the SLSA community meeting for updates!).
Nick, kernel security expert in GOSST, shares his thoughts on the harms of forking and the hidden costs behind it. Check it out - nickdesaulniers.github.io/blog/2023/02/0
Secure by Default + Secure by Design —>
- Secure products not just security products
- Security built in not bolted on
- Raise everyone’s baseline by reducing the [total] cost of control
6 yrs since OSS-Fuzz started: reached 850 projects, fixed 8,800 vulns & 28,000 stability bugs, & next we are bumping up OSS-Fuzz rewards: more reward categories for improving coverage and horizontal leet rewards for impacting hundreds of projects -
There are so many hidden figures in open source. These are the people whose names you wouldn't recognize, but they write the docs, triage bugs, answer questions, and all the other stuff that doesn't show up on the stat sheet. Open source is a team sport.
3) Continuously track the location of every part - Have SBOMs - Thought: We need accurate, trustworthy SBOMs using SLSA attestations, otherwise we run into a situation like the ignition switch example in the article, where we did have parts and version info, except that it was just wrong.
2) Use only the highest quality parts - Thought: Should have better ways to tell which version is both secure & stable. Why do we keep allowing downloads of super insecure package versions? Maybe at some point, breaking compatibility might be the right call.
Liked the analogies - 1) Source parts from fewer & better suppliers - Thought: Scorecard helps evaluate security risk. Might be useful to add checks that tell dependency tree complexity & make better recommendations. Curated, secure OSS is great for critical apps.
Insightful 3-part series () on the evolution of OSS supply chain attacks. Great facts (25% of Maven pkgs still using vuln log4j, consumers choose vuln ver 95% of the time, etc), liked the analogies to auto-industry supply chain controls & evolution phases -
"but it is a blow to a dangerous group that has endangered lives by attacking the health care system,” , the head of Threat Intelligence at "
SBST'23 and FuzzBench benchmarking platform are gearing up to test the next fuzzing innovation. Have received 11 entries from the research community - github.com/google/fuzzben+ , and the competition will be out in the open! Check out sbft23.github.io/tools/fuzzing for details!
Nice research using FuzzBench platform-"While the community agrees on AFL’s effectiveness at discovering new vulns..., many of its internal design choices remain untested....careful analysis of the different parameters could help modern fuzzers to improve their perf"
Quote Tweet
The full paper is now published at ACM TOSEM
dl.acm.org/doi/10.1145/35
Artifacts at github.com/eurecom-s3/dis
This is one of the first papers in the community that passed through a process of preregistration, more info at fuzzbench.com/blog/2021/04/2
A truly humble leader & driving force behind Rust adoption in Android & several parts of Google ecosystem. He also supported several efforts around writing critical OSS projects in Rust & recently participated in OMB/NIST/NSF workshop on OSS Security. Well deserved!
Quote Tweet
We are excited to share that experienced open source leader and #rustlang advocate, @larsberg_, has been elected as the new Rust Foundation Board of Directors Chair.
Learn more about this news and Lars' background via our blog.
foundation.rust-lang.org/news/lars-berg
My heart goes out to all my Google colleagues impacted by the layoffs. Please don't hesitate to reach out via DM/LinkedIn to help you find your next opportunity or just be a listening ear. It has been a tough 48 hours for all of us, including the ones not directly impacted.
Last day to submit an entry for SBFT, we have several submissions so far. Other than the $11,337 leetness, you will help the OSS-Fuzz community fuzzing service find more bugs for 850 critical projects and growing!
Quote Tweet
Calling all fuzzing engine developers: Join the SBFT competition for a chance at at least 11K. Deadline for expressing interest is Friday sbft23.github.io/tools/fuzzing
Really happy to see this come through, yet another commitment from our side to improve critical open source project security. What else should we get audited, share your ideas with and us!
Quote Tweet
The git audit with @X41Sec and @gitlab is complete!
There are some juicy fixes in this report, including multiple RCEs.
ostif.org/the-audit-of-g
4️⃣ days left to register your fuzzer for the SBFT #Fuzzing Competition: sbft23.github.io/tools/fuzzing
Thanks for featuring the Scorecard project on the ReadME blog - "In Scorecard we trust" by (Endor) & Brian Russell (GOSST). "If you’re looking to start improving your software supply chain security, adopting Scorecard is a great first step"
The adoption of across ecosystems is unreal. Here's just a snapshot of what's going on:
** Languages **
Go: In for a year
Python: 1.0 shipped by
Ruby: In progress
Java: Maven & Gradle support soon
Node: RFC merged
Rust: Pre-RFC out
Quote Tweet
The Python client for @projectsigstore just released a 1.0 earlier today after a year of development!
blog.sigstore.dev/announcing-the
Thank you Trail of Bits, and glad we could play a small role in this collaboration! First stable version of sigstore client for the python ecosystem is now available, check it out!
Quote Tweet
We are thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year! blog.trailofbits.com/2023/01/13/sig
It's exciting to see announcing support for the use of ! It's been a long journey, and I look forward to watching them evaluate, adopt, & hopefully even contribute to some of the amazing libraries available in the #rustlang ecosystem
#OSV-Scanner continues to serve OSS community's vuln scanning needs. v1.1.0 release is out, 4.1K stars & 18 new community contributors in a month since launch! Thank you contributors for adding new features (e.g. NuGet, Gradle support), bug & doc fixes -
Super excited to see Naveen and Brian raise community awareness on open source security tools in key developer conferences like SCALE, FOSDEM, etc!
Was great to join and on the podcast for their 150th episode! 🎉
Lots of discussion here about sustainability around and as well as , , open source security and more.
Quote Tweet
Dustin Ingram (@di_codes) talks about the Open Source Security Team at Google, what they do, a rewards program called SOS Rewards (sos.dev), and Google’s role in the Sigstore project (sigstore.dev).
Listen at
podcast.sustainoss.org/150
Brings back memories of the Travis CI incident in 2021. Discourage use of secrets in your CI/CD systems and rely on workload-based identities / OIDC.
Top performing entries will be eligible to be considered for a new OSS-Fuzz FuzzBench reward (up to $11,337 depending on impact).
We welcome your participation in evaluating next-gen fuzzing research at scale against industry's leading fuzzing engines (afl++, libfuzzer, etc). Help spread the word and showcase your work to the fuzzing community at large!
Quote Tweet
The OSS-Fuzz and FuzzBench team is helping to run the SBFT'23 fuzzing competition this year!
sbft23.github.io/tools/fuzzing
Please submit an entry if you're interested in participating! Entries for expressing interest close on Jan 13.
New article: "urllib3 in 2022"
👉 sethmlarson.dev/urllib3-in-2022
2022 was a great year for #urllib3, and it's time to celebrate! 🎉 We received over $26,000 in financial support, shipped the first pre-release of v2.0, and improved our security posture with #OpenSSF tools and #SLSA.
In 2022, the team removed >12,000 unique projects. Each was an instance of spam, typosquatting, dependency confusion, exfiltration and/or malware.
2022: ~12K (mostly malware)
2021: ~27K (mostly dep confusion)
2020: ~500
2019: 65
2018: 137
2017: 38
Quote Tweet
There should be more of this: sethmlarson.dev/urllib3-in-2022 I hear a lot of high profile folks lamenting about not enough help being given to OSS projects. I then check out their github profile and they are not sponsoring anyone. Walk the walk people, not just talk the talk.
The PyTorch team is taking all the right measures here, but this is another reminder of the importance of the work on sigstore and other tools that and the rest of the PyPI security team are leading work on.