
Supply Chain Integrity: The Role of Verified Reproducible Builds

David Wheeler Describes a Way to Ensure Code Is Reliable
David Wheeler, director of open-source supply chain security, Linux Foundation

The SolarWinds supply chain compromise has raised questions about how organizations can detect software that has been tainted during the vendor’s development and build process.


“It doesn’t matter how good or how secure your source code is because what your customers are actually installing could be malicious, which is exactly what happened in the SolarWinds case,” says David A. Wheeler, director of open-source supply chain security at the Linux Foundation.

The idea of a verified reproducible build is gaining traction. In such a build, the software that is actually shipped can be verified as containing only code that came from the original source code.

“That means your build is designed so it will produce the same bits every time given the same source code,” says Wheeler, who recently wrote a blog post on the subject for the Linux Foundation.
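The mechanism Wheeler describes, as an added illustration that is not code from the article or from the Linux Foundation: a verifier rebuilds the artifact from the reviewed source and compares the bits with what the vendor shipped. The toy project, the two "build" recipes and the injected file are constructed for this example; the tar-based packaging stands in for a real compiler and linker, and pinning the archive metadata is the same kind of work a real build system needs before its output is reproducible.

```python
"""Verified reproducible build, in miniature (added example, not the article's code).

A "build" here turns a source tree (path -> bytes) into one tar artifact.
build_nonreproducible() leaks the build time and a random build id into the
output, so two builds of the same source never match. build_reproducible()
pins every piece of metadata, so anyone with the source can rebuild and get
the same bits. verify() is the independent rebuild-and-compare step; a build
system that injected code the source does not contain fails that check even
though the source itself is clean.
"""
import hashlib
import io
import tarfile
import time
import uuid

# Constructed sample source tree (hypothetical project, not from the article).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"toy project\n",
}

# Pinned timestamp, following the SOURCE_DATE_EPOCH convention used by
# reproducible-builds tooling (value chosen for the example).
SOURCE_DATE_EPOCH = 0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_nonreproducible(source: dict) -> bytes:
    """Naive build: current time as mtime, plus a random build id baked in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        stamp = f"built-at={time.time()} build-id={uuid.uuid4()}\n".encode()
        for path, data in list(source.items()) + [("build-info", stamp)]:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = time.time()  # build time leaks into the artifact
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_reproducible(source: dict, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Deterministic build: sorted entries, pinned mtime/owner/mode, fixed format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(source):  # never depend on filesystem/dict order
            data = source[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify(shipped_artifact: bytes, source: dict, build) -> bool:
    """Independent rebuild: same source + same recipe must yield the same digest."""
    rebuilt = build(source)
    return sha256(rebuilt) == sha256(shipped_artifact)


def differing_entries(artifact_a: bytes, artifact_b: bytes) -> list:
    """Name the archive members whose name, mtime or content differ (a tiny diffoscope)."""
    def index(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            return {m.name: (m.mtime, sha256(tar.extractfile(m).read()))
                    for m in tar.getmembers()}
    a, b = index(artifact_a), index(artifact_b)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def tampered_artifact() -> bytes:
    """What a compromised build system might ship: built from source plus a file
    that was never in the reviewed tree (constructed, harmless placeholder)."""
    injected = {**SOURCE_TREE, "src/injected.c": b"/* not in the reviewed source */\n"}
    return build_reproducible(injected)


if __name__ == "__main__":
    good = build_reproducible(SOURCE_TREE)
    print("reproducible recipe verifies:", verify(good, SOURCE_TREE, build_reproducible))
    print("naive recipe verifies:", verify(build_nonreproducible(SOURCE_TREE),
                                           SOURCE_TREE, build_nonreproducible))
    print("tampered artifact verifies:", verify(tampered_artifact(), SOURCE_TREE, build_reproducible))
    print("what differs:", differing_entries(good, tampered_artifact()))
```

The point of the last two checks is the one the article makes: reviewing the source tells you nothing about `src/injected.c`, but an independent rebuild from that source exposes it, and only because the build recipe was made deterministic first. With the naive recipe every rebuild differs anyway, so a verifier has no way to tell tampering from ordinary noise.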

Wheeler says that most software now is not designed to be reproducible, but the Linux Foundation has funded some projects for reproducible builds. A new Linux Foundation project, the Open Source Security Foundation, is discussing whether to take on reproducible builds as a project.

Rejiggering software development systems to generate reproducible builds will take money and time, Wheeler acknowledges. But the changes that need to be made to a build environment only have to be undertaken once, he notes.

In this video interview with Information Security Media Group, Wheeler discusses:

  • How verified reproducible builds work;
  • The security benefits of reproducible builds;
  • The efforts underway to move to the model.

Wheeler is also an adjunct professor of computer science at George Mason University. His expertise encompasses software supply chain risk management, enterprise architecture, validation and software development.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



