
International Research Journal of Engineering and Technology (IRJET) | e-ISSN: 2395-0056 | p-ISSN: 2395-0072 | Volume: 11 Issue: 06 | Jun 2024 | www.irjet.net

Securing the Software Supply Chain: Best Practices for Open-Source Library Ingestion

Suryaprakash Nalluri1, Karanpreet Kaur2

Abstract - The adoption of open-source libraries in software development has revolutionized the industry, offering significant benefits such as reusability, reduced costs, and accelerated development cycles. However, this practice also introduces a variety of security risks and challenges, particularly concerning the software supply chain. This paper explores the benefits and risks associated with open-source library ingestion, examines various ingestion patterns, and discusses specific attacks targeting this process. It also highlights the motives behind these attacks and their potential impact on organizations. Additionally, the paper outlines best practices to combat supply chain issues, ensuring the security and integrity of the software development pipeline.

Key Words: Security, vulnerability, Software Supply chain, risk, Open-Source library ingestion, DevSecOps

1. INTRODUCTION

In recent years, the proliferation of open-source libraries has revolutionized software development, offering developers a treasure trove of pre-built components and frameworks to expedite the creation of innovative applications. This paradigm shift towards open-source adoption not only fosters rapid application development but also promotes reusability, reduced risk, and collaboration within the developer community. However, amidst the convenience and flexibility offered by open-source libraries lies a complex landscape of supply chain risks that demand careful consideration. This article delves into the critical domain of open-source library ingestion, exploring the process of integrating third-party libraries into software projects and the associated supply chain risks.

2. BACKGROUND AND RELATED WORK

The adoption of open-source libraries has transformed the software development landscape, offering developers a vast repository of reusable components and frameworks. This section provides an overview of the evolution of open-source libraries and their impact on software development practices.

2.1 Evolution of Open-Source Libraries

The roots of open-source culture can be traced back to the early days of computing, notably with the development of Unix in the 1970s. Unix's open design and collaborative development model laid the groundwork for the ethos of sharing and collaboration that underpins modern open-source development. In the 1990s, the emergence of programming languages such as Java further promoted the adoption of open-source practices by providing platforms and frameworks that encouraged code reuse and community contributions. Additionally, the proliferation of the internet facilitated global collaboration and accelerated the growth of open-source communities.

2.2 Rise of Agile and DevOps

The adoption of Agile methodologies and DevOps practices in software development has further accelerated the uptake of open-source libraries. Agile's emphasis on rapid iteration and customer feedback, combined with DevOps' focus on automation and collaboration, aligns seamlessly with the principles of open-source development, fostering a culture of continuous improvement and innovation.

2.3 Proliferation of Collaboration Platforms

The advent of collaboration platforms such as GitHub, SourceForge, GitLab, and Bitbucket has democratized access to open-source code, providing developers with robust tools for version control, issue tracking, and collaborative development. These platforms serve as hubs for sharing, discovering, and contributing to open-source projects, fueling the growth of vibrant developer communities and fostering innovation across diverse domains.

2.4 Prominence of Open-Source Libraries

Open-source libraries have become indispensable tools for developers, offering a wide range of functionalities and reducing time-to-market for software projects. Numerous libraries are available on GitHub, including but not limited to Eureka, Hystrix, and Chaos Monkey from Netflix, TensorFlow and Angular from Google, and React from Facebook. These libraries exemplify the contributions of prominent companies to the open-source ecosystem, driving innovation and collaboration within the developer community.

© 2024, IRJET | Impact Factor value: 8.226 | ISO 9001:2008 Certified Journal | Page 323
