Open Source Software Supply Chain Security starts with developers

Tuesday, November 22, 2022 - 10:00 by Mikaël Barbero

The open source software supply chain is under attack: threat actors are shifting their targets upstream to amplify the blast radius of a single compromise, and with it their return on investment. Over the past 3 years, software supply chain attacks have grown by an average of 742% per year. To make things worse, the attack surface of the supply chain is wide, and covering it all requires close scrutiny of many factors. There is, however, one simple, easy and free thing that every open source developer should do right now: activate multi-factor authentication (also known as two-factor authentication) on all development-related accounts.

At the origin of any piece of software, there is code written by developers. For open source software, that code is published to a publicly accessible code repository, and the permission to write to such a repository is protected by the hosting platform's authentication system. By default, on most platforms, that means basic password-based authentication. Simple and convenient, password-based authentication is also very fragile: it can be defeated by social engineering (phishing in particular), by credential theft or leakage, and by many other low-cost attacks that yield access to developer accounts.

A compromised account can then be used to push malicious changes to any code it has write access to. The risk is not limited to the developer who owns the compromised account: all downstream users of the affected code are at risk too, whether they are other developers whose projects depend on the compromised code, or users of products that now run malicious code, which can in turn be used to steal more credentials and reach an even larger number of targets.

It is therefore the responsibility of every open source developer to diligently protect their accounts. The very first line of defense is to move beyond basic password-based authentication and activate two-factor authentication (2FA). This is no silver bullet, and there are ways to compromise 2FA-protected accounts. But it is the most cost-effective way to protect an account: attacking an account protected by 2FA is several orders of magnitude more complex than targeting one that relies on a password alone.

If you're an open source software developer, I encourage you to activate 2FA today, on every platform where it is available. The links below point to documentation on how to activate 2FA for code under the stewardship of the Eclipse Foundation:

  • For projects hosted at GitHub
  • For projects hosted at gitlab.eclipse.org

If you are willing to make 2FA mandatory for all committers on your project, open a ticket at our help desk and we will work with you to make it happen.
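Before asking for 2FA to be made mandatory, a project lead or organization owner will usually want to know who would be locked out. The GitHub REST API exposes this directly: `GET /orgs/{org}/members?filter=2fa_disabled` lists organization members who have not enabled 2FA (the caller must be an owner of the organization). The following is an added example (not code from the original post or from the Eclipse Foundation) that walks that paginated endpoint and intersects the result with a project's committer list; the organization name, token and the sample API page are constructed for illustration.

```python
import json
import os
import re
import sys
import urllib.request
from typing import Optional

GITHUB_API = "https://api.github.com"

# Constructed sample page: the shape GET /orgs/{org}/members?filter=2fa_disabled
# returns, trimmed to the fields used below. The logins are invented.
SAMPLE_PAGE = json.dumps([
    {"login": "alice", "id": 101, "type": "User"},
    {"login": "bob", "id": 102, "type": "User"},
    {"login": "carol", "id": 103, "type": "User"},
])


def members_without_2fa(page_json: str, committers: set) -> list:
    """Committers (by login) that appear in one page of the 2fa_disabled filter."""
    flagged = {member["login"] for member in json.loads(page_json)}
    return sorted(flagged & committers)


def next_page(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from a GitHub Link header; None on the last page."""
    if not link_header:
        return None
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return match.group(1) if match else None


def fetch_members_without_2fa(org: str, token: str) -> list:
    """Walk every page of the 2fa_disabled filter for an organization.

    Requires a token belonging to an organization owner; otherwise the API
    answers 422/403 and urllib raises HTTPError.
    """
    url = f"{GITHUB_API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    }
    logins = []
    while url:
        request = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(request) as response:
            logins += [member["login"] for member in json.load(response)]
            url = next_page(response.headers.get("Link"))
    return sorted(logins)


if __name__ == "__main__":
    # Hypothetical committer list for a project; in practice read it from the
    # project's team membership or committer roster.
    project_committers = {"bob", "dave"}
    if len(sys.argv) > 1 and os.environ.get("GITHUB_TOKEN"):
        org_name = sys.argv[1]                    # e.g. the organization hosting the project
        flagged = set(fetch_members_without_2fa(org_name, os.environ["GITHUB_TOKEN"]))
        print("committers without 2FA:", sorted(flagged & project_committers))
    else:
        # Offline: run the same logic over the constructed sample page.
        print("committers without 2FA (sample):", members_without_2fa(SAMPLE_PAGE, project_committers))
```

Run it as `GITHUB_TOKEN=... python audit_2fa.py <org>` to query a real organization, or with no arguments to exercise the logic on the constructed sample. Only logins are reported; the filter itself is the authoritative signal, so the script never needs to inspect any member's credentials.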


See also: Software security starts with the developer: Securing developer accounts with 2FA from https://github.blog.

Source: 
https://mikael.barbero.tech/blog/post/2022-11-22-2fa-for-developers/
