Supply Chain Integrity: The Role of Verified Reproducible BuildsDavid Wheeler Describes a Way to Ensure Code Is Reliable
The SolarWinds supply chain compromise has raised questions about how organizations can detect software that has been tainted during the vendor’s development and build process.
See Also: The State of the Software Supply Chain
“It doesn’t matter how good or how secure your source code is because what your customers are actually installing could be malicious, which is exactly what happened in the SolarWinds case,” says David A. Wheeler, director of open-source supply chain security at the Linux Foundation.
The idea of a verified reproducible build is gaining traction. In such a build, the code can be verified as containing only code that came from the original source code.
“That means your build is designed so it will produce the same bits every time given the same source code,” says Wheeler, who recently wrote a blog post on the subject for the Linux Foundation.
Wheeler says that most software now is not designed to be reproducible, but the Linux Foundation has funded some projects for reproducible builds. A new Linux Foundation project, the Open Source Security Foundation, is discussing whether to take on reproducible builds as a project.
Rejiggering software development systems to generate reproducible builds will take money and time, Wheeler acknowledges. But the changes that need to be made to a build environment only have to be undertaken once, he notes.
In this video interview with Information Security Media Group, Wheeler discusses:
- How verified reproducible builds work;
- The security benefits of reproducible builds;
- The efforts underway to move to the model.
Wheeler is also an adjunct professor of computer science at George Mason University. His expertise encompasses software supply chain risk management, enterprise architecture, validation and software development.