FOSS Code Supply Chain Assurance
👋 Hi NGI-er:
Curious about the future of software security and open-source innovation?
Meet Philippe Ombredanne and FOSS Code Supply Chain Assurance!
🧑🎓Philippe makes Free and open-source software (FOSS) reuse more accessible and safer. He leads AboutCode, creating open-source tools and standards for software discovery, licensing, and security compliance.
💡 FOSS Code Supply Chain Assurance enhances security by verifying the integrity and origin of open-source software packages, preventing attacks from malicious code modifications.
💫Keen on learning more? Check out our latest NGI Interview💫
Can you introduce yourself and your project?
My name is Philippe Ombredanne, and I’m on a mission to make it easier and safer to reuse FOSS code. I am the lead maintainer of AboutCode, which builds best-in-class open-source Software Composition Analysis (SCA) tools, open data, and community standards for open-source discovery, license, and security compliance.
FOSS Code Supply Chain Assurance mitigates attacks from malicious modifications of software dependencies in the open-source package supply chain. This free and open-source software (FOSS) project is building a new system to verify the integrity of deployed code packages and validate their origin with external data sources. For example, it detects if a package matches verified or known code by mapping source and binaries exactly and approximately.
What are the key issues you see with the state of the Internet today?
Security is the problem. The status quo of fast and easy communication and free sharing of private data means malicious cybersecurity attacks can cause more damage to accessible data.
The internet was built, developed, and expanded thanks to free and open-source software (FOSS). The explosion of FOSS usage across everything digital means it is straightforward for developers to consume, provision, integrate, and reuse FOSS. A sophisticated malware attack on FOSS can be disastrous for developers and users, companies and countries, industries and sectors, with several of these attacks, like the xz-utils backdoor, unleashing mayhem on business and society in recent years.
Securing all the FOSS packages reused is a critical issue with the current state of the internet today.
How does your project contribute to correcting some of those issues?
Software is built with components. Every software application includes FOSS components. This enabled – and continues to enable – software to eat the world because open-source libraries and packages are easy to download and install – a programmer could install hundreds in seconds.
The difficulty is assuring that the downloaded components aren’t viruses, malware, or trojans. Since there is little friction for consuming, downloading, and reusing FOSS, developers might not know precisely what those packages are, which opens up the potential for bad actors and malevolent attacks.
FOSS Code Supply Chain Assurance identifies what software is made of. The project scans code to observe and recognize distinguishing features and then matches the code against databases of those features to identify outliers or red flags.
✨As a FOSS project to improve the security of FOSS packages, FOSS Code Supply Chain Assurance ensures that the different FOSS components used in various software are genuine✨
What do you like most about (working on) your project?
There are many different ways to build software, like applications, operating systems, and libraries. We build tools for software developers to make it easier and safer to reuse FOSS code.
With a project like FOSS Code Supply Chain Assurance, we are proud to help others do the right thing.
The best part about working on this project is being part of the vibrant open-source community sharing feedback, values, and ideals.
Where will you take your project next?
Our goal is to build the best tools as free and open-source software.
We are working on automating more software composition analysis to improve the accuracy of the detected code origin, identify more injected scripts from malicious actors, and build apps to manage the process and mitigate the vulnerabilities uncovered.
We plan to continue to provide best-in-class reference data for software licenses, packages, and vulnerabilities to build a true internet commons that can benefit everyone. With new regulations for software development around product liability and cybersecurity like the EU Cyber Resilience Act (CRA), the EU Product Liability Directive (PLD), and US Executive Order 14028, we need to ensure our tools can enable others to build software (and more FOSS) more efficiently with minimal friction from these regulations – all while improving their security posture.
How did NGI Assure help you reach your goals for your project?
NGI grants – especially the one from NGI Assure – helped us realize our vision and develop our tools. These tools and standards are used in almost every software organization worldwide, especially in Europe.
Cascade grants from NGI are essential support for open-source innovation in software development to build a better and more open internet.
Do you have advice for people who are considering applying for NGI funding?
NGI is a unique program that develops solutions. Unlike traditional funding programs designed exclusively for researchers and academics, your skills, competencies, knowledge, and passion for delivering open source are what matters.
My advice is to cultivate your passion and focus on innovation. Even if your submission is not accepted, the expert feedback is invaluable for continuing to develop your ideas and submitting them again for the next open call.
Do you have any recommendations to improve future NGI programs or the wider NGI initiative?
Cascade funding with small grants is lovely and extremely powerful. These small investments for significant results reach a wider audience that only sometimes benefits from traditional grants. This has also proven to promote important open-source initiatives.
With FOSS being free, the difficulty is sustained funding for sustained innovation. Software maintenance is only sometimes exciting work, but it is essential for the long-term success of FOSS initiatives.
More significant, long-term grants for successful, responsible grantees will expand the impact of the initial deliverable and provide more support for long-term maintenance, visibility, and sustainability.
