ravirockks, 6 months ago Latest piece of guidance from the NSA and friends on securing the software supply chain has dropped. This edition is on OSS and SBOMs. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3613105/nsa-and-esf-partners-release-recommended-practices-for-managing-open-source-sof/
Latest piece of guidance from the NSA and friends on securing the software supply chain has dropped.
This edition is on OSS and SBOMs. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3613105/nsa-and-esf-partners-release-recommended-practices-for-managing-open-source-sof/
kkarhan, 6 months ago @ravirockks I'd be #sus amidst #NSA recommendations, as they've pushed so much #bs and #Govware in the past that they can't be considered a "reliable authority" in that regard... #PRISM #Speck #DUAL_EC_DRBG
@ravirockks I'd be #sus amidst #NSA recommendations, as they've pushed so much #bs and #Govware in the past that they can't be considered a "reliable authority" in that regard...
#PRISM #Speck #DUAL_EC_DRBG
ravirockks, 6 months ago @kkarhan Let's assume the NSA and friends are Satan incarnate. What do you make of the actual recommendations in the guidance?
@kkarhan Let's assume the NSA and friends are Satan incarnate.
What do you make of the actual recommendations in the guidance?
kkarhan, 6 months ago @ravirockks I've had not read them yet but I'd say that one should always archive dependencies and aim to only have reproducible builds. Something that I work on OS/1337. Now granted @os1337 is NOT built with security in mind at all, but that's due to it's specific goals. But archiving releases and mirroring repos is an important way to keep things secure. And in high-security envoirments #airgapping and #CodeAudits should be mandatory to the point that only #FLOSS and no #CCSS are legal.
@ravirockks I've had not read them yet but I'd say that one should always archive dependencies and aim to only have reproducible builds.
Something that I work on OS/1337.
Now granted @os1337 is NOT built with security in mind at all, but that's due to it's specific goals.
But archiving releases and mirroring repos is an important way to keep things secure.
And in high-security envoirments #airgapping and #CodeAudits should be mandatory to the point that only #FLOSS and no #CCSS are legal.
ravirockks, 6 months ago @kkarhan Could you clarify why said archiving and mirroring and having reproducible builds is important? Asking as I don't come from a technical background.
@kkarhan Could you clarify why said archiving and mirroring and having reproducible builds is important?
Asking as I don't come from a technical background.
kkarhan, 6 months ago @ravirockks Because code releases for #FLOSS are pointless if one can't verify the released code is actually what is being released as #binary. Something #TrueCrypt was rightfully criticized for back in it's days. In #ITsec, noone trusts anyone and thus being able to let everyone see and reproduce code as well as #audit it is vital to security. Same with #documentation on how to build something from source: It's vital to be able to do so for longterm-maintainability.
@ravirockks Because code releases for #FLOSS are pointless if one can't verify the released code is actually what is being released as #binary.
Something #TrueCrypt was rightfully criticized for back in it's days.
In #ITsec, noone trusts anyone and thus being able to let everyone see and reproduce code as well as #audit it is vital to security.
Same with #documentation on how to build something from source: It's vital to be able to do so for longterm-maintainability.
kkarhan, 6 months ago @ravirockks Side note: You threaten me and a lot of followers with a good time... https://infosec.exchange/@ravirockks/111565412133956679
@ravirockks Side note: You threaten me and a lot of followers with a good time...
https://infosec.exchange/@ravirockks/111565412133956679
kkarhan, 6 months ago @ravirockks Needless to say that only #transparency with #ReproduceableBuilds can enshure the #SourceCode is related to the #binary released. And being able to audit oneself or choose any auditor of choice to do so is also critical to the whole #ITsec aspect of it. You don't want people to be able to "pull rank" but instead you want critical code to be looked at with as many eyes as possible.
@ravirockks Needless to say that only #transparency with #ReproduceableBuilds can enshure the #SourceCode is related to the #binary released.
And being able to audit oneself or choose any auditor of choice to do so is also critical to the whole #ITsec aspect of it.
You don't want people to be able to "pull rank" but instead you want critical code to be looked at with as many eyes as possible.
Add comment