Supply Chain Integrity: The Role of Verified Reproducible Builds

David Wheeler Describes a Way to Ensure Code Is Reliable
David Wheeler, director of open-source supply chain security, Linux Foundation

The SolarWinds supply chain compromise has raised questions about how organizations can detect software that has been tainted during the vendor’s development and build process.

“It doesn’t matter how good or how secure your source code is because what your customers are actually installing could be malicious, which is exactly what happened in the SolarWinds case,” says David A. Wheeler, director of open-source supply chain security at the Linux Foundation.

The idea of a verified reproducible build is gaining traction. In such a build, the delivered software can be verified as containing only code derived from the original source code.

“That means your build is designed so it will produce the same bits every time given the same source code,” says Wheeler, who recently wrote a blog post on the subject for the Linux Foundation.
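As an added illustration of what "the same bits every time" means in practice (example code written for this page, not from Wheeler's blog post or any Linux Foundation project), the script below packages a constructed sample source tree two ways, once with the usual sources of nondeterminism and once reproducibly, and shows the step an independent verifier performs: rebuild from the published source and compare the digest with what the vendor shipped. The file names and the SOURCE_DATE_EPOCH value are assumptions.

```python
import hashlib
import io
import time
import uuid
import zipfile

# Constructed sample source tree (file name -> contents); not any real project.
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}

# SOURCE_DATE_EPOCH convention: pin every timestamp to one agreed instant.
# ZIP cannot store dates before 1980, so 1980-01-01T00:00:00Z is assumed here.
SOURCE_DATE_EPOCH = 315532800


def naive_build(source: dict) -> bytes:
    """Typical non-reproducible packaging: wall-clock timestamps, a random
    build ID, and entries written in whatever order the inputs arrive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in source.items():
            zf.writestr(zipfile.ZipInfo(name, time.localtime()[:6]), data)
        zf.writestr("BUILD_INFO", f"built {time.time_ns()} id {uuid.uuid4()}\n")
    return buf.getvalue()


def reproducible_build(source: dict) -> bytes:
    """Same source -> same bits: fixed timestamp, sorted entry order,
    and no build-specific metadata at all."""
    buf = io.BytesIO()
    fixed_time = time.gmtime(SOURCE_DATE_EPOCH)[:6]
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(source.items()):
            zf.writestr(zipfile.ZipInfo(name, fixed_time), data)
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def independently_verified(source: dict, shipped_digest: str) -> bool:
    """The verifier's step: rebuild from the published source and compare with
    the digest of what the vendor actually shipped. A mismatch means the
    shipped artifact contains bits that did not come from that source."""
    return digest(reproducible_build(source)) == shipped_digest
```

Two naive builds of identical source never match, so a mismatch tells a verifier nothing; two reproducible builds match, so a mismatch against the shipped artifact is evidence that something entered it outside the source.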

Wheeler says that most software now is not designed to be reproducible, but the Linux Foundation has funded some projects for reproducible builds. A new Linux Foundation project, the Open Source Security Foundation, is discussing whether to take on reproducible builds as a project.

Rejiggering software development systems to generate reproducible builds will take money and time, Wheeler acknowledges. But the changes that need to be made to a build environment only have to be undertaken once, he notes.

In this video interview with Information Security Media Group, Wheeler discusses:

  • How verified reproducible builds work;
  • The security benefits of reproducible builds;
  • The efforts underway to move to the model.

Wheeler is also an adjunct professor of computer science at George Mason University. His expertise encompasses software supply chain risk management, enterprise architecture, validation and software development.

About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.