Pyrsia – Securing your OSS Supply Chain

With OSS, not knowing where all your software comes from means hard-to-spot risks to the integrity of your services. Without constant identity checks and safety protocols for keys and secrets, open-source dependencies can open the door to breaches, exploits, and supply chain attacks.

Enter Pyrsia — your torch that lights up the open-source supply chain!

Learn from our product engineering team how this new OSS tool enables you to:

Assure package provenance (e.g. Signed commit, Build log attestations, Non-repudiation of publisher)
Create immutable history (e.g. transparency log of every package in its original state and its metadata as it changes over time)
Distribute securely and efficiently (e.g. verifiable integrity of the package and its source)
Independent build network to verify builds from open source repositories


Video Transcript

Thanks for joining the webinar that we are hosting to showcase Pyrsia and help you secure your OSS supply chain!
Specifically, today we are talking about your software supply chain, focused largely on open source software. The reason we are focusing on open source software is that it is where we find that good automation is lacking, and Pyrsia tries to solve that problem.
Let's look at what the state of affairs is today. Let me make you aware of how dark the state of the supply chain is today. When I talk about the supply chain, we are aware of what happened to the supply chain during COVID and how badly hurt we are as consumers, but I'm not talking about that; I'm talking about something that hurts me more dearly and that I care about more dearly, which is the software supply chain. When I talk about the software supply chain, the most recent thing that comes to my mind, and that also resonates with most people, is the SolarWinds attack that happened right before COVID and continues to hurt organizations and systems around the world. This was a classic open source software attack, where a particular patch was not applied in time and that was exploited to cause irreparable damage to systems. Another famous one is the one that happened with Equifax a few years ago, around the 2017 time frame, where millions and millions of people's data was compromised, and we still see repercussions from that compromised data from people's credit history. That happened because Apache Struts, which was hosting their data, was not patched in time. There is no easy way to do this, because open source software is all over the place. From our research we found out that people have looked at this problem, and about 75 percent of software built today contains open source components. That's huge, so we need solutions to fix this situation. Log4Shell, which happened very recently, is on our minds, and it also shows how fixing these problems is hard, because typically there are one or two people maintaining and managing this and it's upon them to actually fix them, and it's a burden,
and we need better tools and systems to provide the fixes. As recently as May 10th, even the most secure programming language, Rust, or its community, faces similar issues, so this problem is not going away. There are people writing recipes on how to take over open source software and act maliciously, if people needed a recipe; that's how deep this problem is. And we put our bread and butter on it; we put our healthcare systems on the same software, which depends on the same software, and so on, and we don't have a good way to manage it. The examples that I gave you so far are just the tip of the iceberg. These are the most talked about; they received the most press coverage, the most feedback, the most attention. There are tons of libraries which are either dependencies or transitive dependencies of other open source libraries which people just overlook because they don't have the tooling in place to address them, and this is just a time bomb waiting to explode. Just to keep things easy for us, we implicitly trust these systems: we trust npm because it is hosted by GitHub, sorry, Microsoft, and PyPI because it's hosted by the Python community, and so on. We rely on their systems to verify that whatever they have published, the binaries and packages, is trustworthy, but that trust is also based on authentication, so that we know that the particular committer is committing the binary, but there is no way to verify that the binary actually came from the source that the committer is claiming, and so on. So there is a gap between what they claim and what actually might happen, and those areas of grayness are areas of concern and areas of exploitation. So essentially, given the state of affairs, this is
what we are doing: we are taking software that we found on the street and plugging it into our production systems, the production systems that manage our finances, that manage our health, that manage our automation in terms of traffic and our satellites and all kinds of communication that we do, that manage climate change. All of them depend on such software, which we cannot guarantee, or which we cannot prove even to ourselves, has gone through some sanity tests so that we know it is trustworthy. So what do we do about this? Given the recent attacks, even the White House has sprung into action, and there is an executive order which says that you need to act diligently and figure out what your software development material contains, publish it, and make sure it's up to date. They have published some documentation around how to do it, and there is some activity in the open source world to build tools that will make this really easy, because as we know, if we make it a manual process it takes hours and people lose interest and do a poor job at it, and if they have an automated tool then they're more likely to run it over and over and even produce reports that help them improve their posture. There is also research going on within large organizations to solve this problem. One of those research efforts is SLSA, Supply-chain Levels for Software Artifacts, and what it aims to do is hold a mirror against what we are doing in terms of building software. One of their artifacts is this very simple CD system diagram; even in this simple CD system diagram they show that there are about nine gates that can be attacked, and we know from practice that
typical CD systems are way more complicated, way more involved, have way more steps, and hence more gates are attack vectors. What the SLSA architecture shows is that we need to put controls in all these places instead of just relying on where the binary comes from, which typically happens when people commit their code on GitHub or finally commit their binary into the binary package holder like RubyGems or PyPI or npm. Everywhere in between there are so many ways it can be attacked and misused. At JFrog, since we were talking about this problem, we realized that for the situations from B to H, where we actually build binaries, we know where the binaries have gone, we know where the dependencies came from, we know how the package is built, we manage all that. Given our experience with Artifactory, we thought this is the right place for us to come in and provide the technology that we know, and have the same effect that we have had with closed or homegrown software in the open source world, so that we can leverage the same amount of rigor that we present through our technology. So that's where JFrog found itself when thinking about this problem. We have this vision when we talk about software within JFrog that in the future software is going to be liquid, and if we look at that vision, what do we need? We need a supply chain that is 100% automated, like Iron Man; it's trustworthy, like Wonder Woman; and it is dependable, we have to be able to rely on it at all times, like Black Panther; and we make sure that we can put our money behind this supply chain so that the software that we deliver at the end is worthwhile, and it's
maintained, it's actually traceable, and we can produce an SBOM with it. So allow us to present Pyrsia. Pyrsia is actually multiple things. It's a consensus-based build network: this is where you can build binaries from your git commits, and you can build them in an independent fashion; we'll talk a little bit about it. Pyrsia will also have a provenance log, so you know at every point in time where the particular open source software came from, what happened to it, what vulnerabilities were discovered, what actions were taken, what the fixes were, etc. So there will be one central place you can go and ask the question and print your response. Also, Pyrsia is meant to be, from the ground up, a decentralized offering. It is a decentralized package registry which will help you and protect you against the single points of failure that have been observed with either AWS systems or npm itself going down for hours together and hampering the continuous delivery of your production software. With Pyrsia we wanted to build something, and these were the tenets we were building Pyrsia on: we wanted something that is secured from the get-go, that cannot be compromised; we wanted something that is reliable, hence the decentralized nature; and we wanted to build it in the open, because it is built for open source software, it is meant to be used by everybody who consumes open source, and it is meant to solidify this community, which is hurting. So we want to build it in the open, and that is what we think will bring the trust. That is the best way to bring the trust: where it is in the open, people can comment, critique, and build better software and better software tooling like Pyrsia. All right, so if you're wondering where the name Pyrsia came from, Pyrsia was actually a
distributed communication mechanism used by the ancient Greeks to communicate over mountaintops of impending dangers or impending doom, and we thought that was a good metaphor to apply to the same problem that we're facing, of an impending doom of the supply chain. Since we are building a distributed mechanism, we thought Pyrsia was a good name. If you want to find out more, here are a few links to learn about how they actually did it; it was a pretty interesting history lesson for us. So let's talk a little bit about how Pyrsia is similar to the ancient Pyrsia. Pyrsia is based on peer-to-peer technology, because we know from the centralized internet that there are many single points of failure that hurt us when we are trying to do continuous delivery across networks, across regions, across geographies. So from the get-go it is based on peer-to-peer. There will be trusted package registries which will hook into nodes that we already trust, like Docker Hub and npm, but this network itself will be resilient to their failures, because now this network is downloading and caching all that information, all those binaries, and giving you the resilience that you need. Think about it in similar ways as you think of the distributed nature of git: git is for code, and Pyrsia will be similar for binaries. Pyrsia will also contain a consensus-based build network where an open source committer can just come and submit the commit hash. The prerequisite is that the source needs to be open source, meaning it has to be on a GitHub or GitLab repository where it can be accessed by Pyrsia. What Pyrsia will do is pull the commit hash that the committer gave us and pick random nodes on the network to independently build the same software, and
Pyrsia will bring up infrastructure so that those are independent builds, and in the end they will verify that they produce the same result. Once they have verified that, the result will be committed to the network and then will be available for all the consumers. That way we know that it is not built by this one developer on this one machine, which could have its own situations, which could have its own malicious software; we are building it independently. So that's what Pyrsia does. The other thing that is missing today is that there is no single place for you to go and ask these questions, like where did this binary come from, who actually built this. We can glean that information from various sources, but again that adds the manual factor, and as soon as you ask the manufacturer there is less excitement around getting that information. Pyrsia aims to provide all of that in one place. It will tell you where the source came from, it will tell you where this binary came from, it will tell you how it was built, and because it will be connected to vulnerability scanning mechanisms, it will tell you if there were vulnerabilities discovered against the software or the version that you're trying to pull. It will also tell you if that vulnerability was fixed in a future release, so that you don't have to download an older version. That's what we are calling the provenance log, and this provenance log is the crux of this system, so it needs to be immutable and it needs to be easily distributable. That's where we are trying to leverage what has been made super popular by cryptocurrency technology, but we are going to use the base technology, which is the blockchain, the immutable ledger, so that this information is intact and cannot be modified. Tampering with this information will be a flag that there is malicious
activity against the Pyrsia network itself, and the Pyrsia network can then discard the new updates and so on and make decisions. So that's how the trust will keep on growing, because the immutable ledger will protect against any such attacks against the network itself. From the get-go, Pyrsia needs to be really easy to install. As you will see, you can use the Pyrsia command line, which we have started building already, to fetch images and do things with them, but we are also ensuring that you don't have to change the tooling that is in place. So if you're doing docker pull today, we don't want you to change that, because that is the hard part: there are many CI/CD systems that are running things and that are harder to change than a developer machine. We are not so much worried about what happens on a single developer machine, but if your CI/CD system is using a particular Docker image which is open source and you have to change that from Docker to the Pyrsia command line, that is a no-go. So Pyrsia will make sure that it is transparent to you when you are using it in your CI systems, and then on top of that the Pyrsia command line will provide you more information: it will provide you the provenance log, it will provide you the intelligence that you need to build other automation. So it's going to be really easy for you to use. We have started building the minimum viable product, as you say, and started building the first and the second integration. We started with Docker, so we have a demo which works like this: we can bring up two Pyrsia nodes; they connect to Docker Hub, or one of them connects to Docker Hub and acts as a proxy. Then in your CI system you continue to use docker pull by configuring your Docker to point to Pyrsia, and when you pull, Pyrsia will act as a cache to pull that, and the next time you use it
or subsequent builds run against it, you don't have to go to Docker. If Docker Hub is down, that's okay for the time being, and you can still continue to run your CI/CD system. If another system needs to run the same image and is on the same network, or can connect to the same Pyrsia via peer-to-peer, then you don't need to depend on Docker Hub to pull all those, and this especially helps when you have to download really huge images and network traffic is a challenge. This demo is actually on YouTube, so you can download it and look at it and make sure you're comfortable with it. You can also run the steps that are on our website to run this demo, and I would encourage you to do that and give us feedback on how it works. Over the course of the last two or three months we have made changes to the demo so that it works smoother and smoother; many other people have tried it, so it's a very feedback-based mechanism, and I have realized that the documentation that I wrote is changing from time to time. So we appreciate any feedback that you want to give; tell us if we built the demo well or if we did a bad job in the documentation. We want this to be a community effort instead of us saying this is how you use it, so we want this to be community driven more and more. A little bit about what we are building, what the guts are and how the architecture will look: like I said, it will be based on a provenance log where you can ask those difficult questions about your SBOM. There'll be a command line interface; we are also planning on a desktop client, but that's a little bit in the future. We started with the Docker integration, which is ready. I highlighted the Conan integration in the same blue because as JFrog we know Conan and the C++
community and we think we can build it, but for everything that is gray, it is really gray in our minds; we need support from the community. We know the Java world, but we are not experts, so we need community members like yourself to come join us and tell us how we should build it. We have started building the basics of Maven and Gradle integration so that the Java community can integrate, but we really need your help. So if you're passionate about any of these languages, or if you don't see a language that you are passionate about, please come join Pyrsia in the ways that I'm going to show in a few minutes and tell us how you would like to help us. In some of the talks we did, people asked us what the security model is, and there are some questions that we have to answer. There are language ecosystems that can produce reproducible builds, and in that case it is very easy to build the consensus amongst the build nodes and prove that a certain binary was correct. In the case of languages where reproducible builds are not possible, we rely on trusted registries like Docker: in the case of Docker we fall back on Docker and say, hey Docker, we built this image, is it similar to yours? Then we do some comparison, or we plan to do some comparison, so that we know that it is similar and it can provide the same binary as a result. We also rely on proven systems like GitHub, for example, where they have the multi-factor authentication, the SSH keys and GPG keys that they require you to sign in with, and we rely on that so that the source itself is verified. We also plan to add to that, but nothing that will change that side of things significantly; we will add more stringent security requirements on top of what already exists. So to get started, you
can install Pyrsia. The release is available on our GitHub repo, and once you install Pyrsia you'll get some basic commands that you can use with the Pyrsia command line interface. You will need to configure your Docker Desktop a little bit; instructions are in the demo documentation. But you do not need to change your CI and CD scripts; you can just continue to do docker pull and it will magically work, and you will get the efficiencies that Pyrsia can provide. A little bit about what is inside Pyrsia: we have chosen Rust as the language for development because from the get-go we wanted to support multiple operating systems, we wanted compact, low-attack-surface binaries, and Rust seemed to be the right language to do that. Having said that, there are a lot of things we are learning about Rust, so if you don't care about what else we are building but are passionate about Rust, we appreciate help in that direction as well, and if you care about both of those, that is even more amazing. We are hiring people to help us with how we are building things, so if you're interested in joining the team in different ways, let us know. We have built the integration with Docker, and we are building a similar one with Java, just the beginnings of it. Pyrsia is based on a project that already exists and has been successful, IPFS: we are using the libp2p library that they have kindly open sourced, and we are using the Rust implementation of that. We have found that we are actually breaking the boundaries of that, and we are making contributions back to libp2p through this effort. For the immutable ledger implementation we are using AlephBFT as a consensus mechanism, so that we prove that whatever we are committing to the network is trustworthy. What
is coming up next: we are working really hard on making the provenance log usable, so that you can use it to build your SBOM, you can query elements, you can make security decisions based on that, and you can actually write automation on top of the provenance log so that you can make release decisions on that. That's where we are going. We are also working on providing the high throughput that we are promising, so that we can leverage the peer-to-peer network to stream large binaries fast to you, and then we are doing the build node side of things, where we are going to build binaries from different languages on Pyrsia. As far as collaborating with the community, we're already using the libp2p Rust implementation; we are talking to the group which builds it, and we have actually ported a couple of changes from the Go version back to libp2p, just because the Rust implementation was lacking them. We are using the AlephBFT Rust implementation as well, and working with that community to understand how it will fit with Pyrsia. We are closely looking at Sigstore and Notary v2 for future integration, because we don't want to reinvent that side of things: Sigstore and Notary are doing what is right for signing things on the source side, and we don't want to ignore that part. We want to just leverage that and put the rigor that Pyrsia has on top of it, so that you can then use the automation that you have with Sigstore as well as with Pyrsia to build your supply chains. Just a shout out: Pyrsia is open source. We have actually had way more than 25 public meetings; they're all published under the OpenSSF under the Linux Foundation, so you can find all of that information on the Slack channel that we have. We have a bunch of contributing organizations; actually the roster of
contributing organizations has grown recently: Huawei, Futurewei, and Oracle have joined us, and they are already starting to contribute to how we build integrations with different languages. We are pretty active on GitHub, and if you want to come chat with us or send a PR, we welcome all those interactions. To get involved, just go to our website; at the bottom of the website you'll find a bunch of links to YouTube and Twitter and Slack and Google Groups so that you can join us in the right way. Download and install, give us feedback using our Twitter handle or any other means, join team meetings, listen to past recordings to learn how we are doing things, and we have marked some good first issues if you want to start coding as well. So we welcome all in every way you want to participate. To summarize: supply chain attacks are still here; with or without COVID, the attackers haven't stopped doing whatever they were doing, and a lot of them, I would say the majority of them, leverage the vulnerabilities in the open source landscape and take advantage of that. So remember that; even the NSA hackers can't get enough sleep, because supply chain attacks are happening every day, and we need to secure it now, and for that we need every single one of you. At JFrog we believe that every one of us is a super frog, and hence this pretty picture, so we want all of you super frogs to come join us and help us build a better tomorrow.
Thank you very much for finding us. You can find us on our website very easily or find us on Twitter. Thank you!
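The two mechanisms the talk keeps returning to, independent builds that must agree before a result is accepted and a provenance log that cannot be edited without detection, are easy to misunderstand at webinar speed. The following Python model is an added illustration written for this page; it is not Pyrsia's code, does not use Pyrsia's APIs or wire formats, and stands in a hash-chained list for the AlephBFT-backed ledger the speaker mentions. Node names, the commit hash, the artifact name and the vulnerability identifier are constructed sample values.

```python
"""Model of consensus builds and an append-only provenance log.

Added illustration (not Pyrsia's code). Constructed data only.
"""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_on_node(node_id: str, commit: str, compromised: bool = False) -> str:
    """Stand-in for one network node building a commit.

    A reproducible build depends only on the commit, so every honest node
    returns the same digest. A compromised node injects something extra and
    therefore produces a different digest; that is what consensus catches.
    """
    source = f"source tree at {commit}".encode()  # constructed stand-in for a checkout
    if compromised:
        source += b"\n# content injected on " + node_id.encode()
    return sha256(b"build:" + source)


def consensus_build(commit: str, nodes: list, compromised=frozenset()):
    """Build on every node; accept only if all digests are identical.

    Returns (digest, []) on agreement, or (None, dissenting_nodes) so the
    operator can see which nodes disagreed with the majority.
    """
    digests = {n: build_on_node(n, commit, n in compromised) for n in nodes}
    majority, votes = Counter(digests.values()).most_common(1)[0]
    if votes != len(nodes):
        return None, sorted(n for n, d in digests.items() if d != majority)
    return majority, []


@dataclass
class Entry:
    index: int
    prev_hash: str
    payload: dict
    hash: str = field(default="")

    def compute_hash(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        body = {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload}
        return sha256(json.dumps(body, sort_keys=True).encode())


class ProvenanceLog:
    """Append-only list where each entry commits to the hash of its predecessor."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries: list = []

    def append(self, payload: dict) -> Entry:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        entry = Entry(len(self.entries), prev, payload)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and chain link are intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.hash != e.compute_hash():
                return False
            prev = e.hash
        return True

    def history(self, artifact: str) -> list:
        """Everything recorded about one artifact, in order: the single place to ask."""
        return [e.payload for e in self.entries if e.payload.get("artifact") == artifact]


def record_release(log: ProvenanceLog, artifact: str, version: str, commit: str, nodes: list):
    """Build by consensus and record the result; nothing is recorded on disagreement."""
    digest, dissenters = consensus_build(commit, nodes)
    if digest is None:
        return None
    log.append({"artifact": artifact, "version": version, "commit": commit,
                "digest": digest, "built_by": nodes})
    return digest


if __name__ == "__main__":
    log = ProvenanceLog()
    nodes = ["node-a", "node-b", "node-c"]
    record_release(log, "example-lib", "1.0.0", "0123abcd", nodes)  # constructed commit
    log.append({"artifact": "example-lib", "version": "1.0.0",
                "vulnerability": "EXAMPLE-VULN-ID", "fixed_in": "1.0.1"})  # placeholder id
    print(log.history("example-lib"), log.verify())
```

The `history` query is the "one central place" the talk describes: a consumer asks about `example-lib` and sees both the consensus build record and the later vulnerability note pointing at the fixed version. Any edit to an earlier entry, even one that recomputes that entry's own hash, breaks the `prev_hash` link of the entry after it, so `verify()` fails and the node can discard the update, which is the tamper signal the speaker refers to.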
