Google Releases Tool to Help Developers Enforce Security

As attackers increasingly target open-source components as a way to compromise the software supply chain, companies are stepping up to offer free tools and services to developers who maintain software projects.

Google this week announced its latest aid for developers, a tool that automates security tasks and checks project attributes to ensure that the security of an open-source project has not changed. Dubbed AllStars, the tool uses the GitHub API to check the current state of the project, development branch settings, and other attributes to ensure that critical aspects of the project have not changed. 

Along with another Google tool called Scorecard, AllStars assures project maintainers that their security settings remain correct, says Jeff Mendoza, engineering lead on Allstar for Google. Scorecard measures projects on 18 different criteria, such as whether they are actively maintained, whether they automatically update dependencies, or whether they use a fuzzing system to discover easy-to-find vulnerabilities.

"Scorecard attempts to shine a light on adoption, and encourages a high score," he says. "Allstar helps when your project or organization spans many repositories, and it's too cumbersome to ensure all the right settings and practices are set up on every repository."

OSSF

Google released the tool this week under the auspices of the Open Software Security Foundation (OpenSSF), which will maintain an AllStar instance that anyone can install and use, according to the OpenSSF announcement. The software is also available for others to create as an instance as well.

The software continuously checks a GitHub repository against its expected state to find any changes that could impact security. The settings of the repository, development branches, and workflow are checked against the project's security policies, and when the settings and policy do not match, the software can undertake enforcement actions. By automatically and continuously monitoring the project's security settings, the software can detect changes that might otherwise go unnoticed, OpenSSF stated in their announcement.

The tool gives developers a way of defending their projects against persistent attackers, says Mendoza.

"With the huge popularity of open source, attackers see a compromised project as a way to infiltrate both closed and open systems," he says. "Since open source is rarely a live running system, attacks are on the supply-chain side: either compromising the code base, or injecting a compromise somewhere between the code and where the project is built and used on other systems."

Paired with Scorecard, the new AllStars tools give developers a way to monitor and secure  their software project. Developers can run Scorecard on their project to see where they stand, and then create policies that can be automatically checked and monitored by AllStars. Scorecard, for example, checks for binary files included in a project, which are not human-readable and thus, represent risk. AllStars can then monitor the project continuously, looking for any changes that add binary files to the project.

The goal is to "run Scorecards on your repositories and dependencies [and] see where your project stands, and set a high bar," Mendoza says. "If you have a large organization or many repositories, look to Allstar to help keep your settings in place."

Developers that aim to adopt the tools should first use automated testing of dependency updates through tools such as Dependabot to find software components with poor security that are incorporated into the developers' projects. 

Will the release of simple tools to track the security state of open-source software be enough? Improving the security of such components is not difficult; it just requires the right tools and developers to use them, says Mendoza.

"The supply chain attacks we have seen have been analyzed, and many could have been prevented by following existing best practices," he says. "The solutions to these issues are neither unknown, nor difficult. The problem we see is adoption, not all projects are using the tools and procedures to achieve the highest security."