Howard Solomon – 04/11/2022
Three major IT companies have proposed a way to create tamper-proof versions of apps that reduces the risk of supply chain attacks like the one against SolarWinds.
Several of the recent high-profile software attacks that alarmed open source users around the world were consequences of supply chain integrity vulnerabilities, Google said in a blog post Thursday.
For example, when the SolarWinds Orion security update process was compromised, the attackers took control of a build server and used malicious source files to inject malicious artifacts into the compromised platform.
So Google and its partners built a prototype framework to generate unforgeable provenance for apps. Initially, it only works for apps built in the Go language. It uses GitHub Actions workflows for isolation and Sigstore's digital signature tools for authenticity.
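What a consumer-side provenance check looks like, as an added example that is not the prototype's own code: a constructed in-toto statement carrying a SLSA v0.2 provenance predicate is checked against the downloaded artifact's hash, an allowlist of trusted builder identities and the expected source repository. The builder id, repository and artifact bytes are assumed sample values, and the Sigstore signature check on the envelope is assumed to have already passed.

```python
import hashlib

# Constructed sample artifact and attestation (not a real release or a real
# attestation): the statement binds the artifact digest to the builder that
# produced it and to the source it was built from.
ARTIFACT = b"\x7fELF constructed go binary bytes\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "myapp-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        # Hypothetical builder identity; a real deployment pins the exact
        # workflow and version of the trusted builder here.
        "builder": {"id": "https://example.invalid/trusted-go-builder@v1"},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/myapp@refs/tags/v1.0.0",
            "digest": {"sha1": "0" * 40}}},
    },
}

TRUSTED_BUILDERS = {"https://example.invalid/trusted-go-builder@v1"}


def verify_provenance(statement, artifact, expected_repo,
                      trusted_builders=TRUSTED_BUILDERS):
    """Return (ok, reason) for an artifact against its provenance statement.

    Assumes the signature over the statement envelope was verified first;
    these are the content checks that make the provenance useful to a
    consumer: right artifact, trusted builder, expected source."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return False, "unexpected predicate type"
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest not among attested subjects"
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder: {builder}"
    uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not uri.startswith(f"git+https://github.com/{expected_repo}@"):
        return False, f"built from unexpected source: {uri}"
    return True, "ok"
```

A tampered binary, a builder outside the allowlist or provenance pointing at a different repository each fails a distinct check, which is what makes the attestation actionable rather than decorative.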
Read the full article on the IT World Canada website (in English), a sister publication of Direction informatique.
Adaptation and translation into French by Dominique Lemoine