“KYC” is an old business adage everyone is familiar with, and for good reason. “Know Your Customer” is essential in business – not only for marketing and relationship purposes, but also to maintain compliance and ensure due diligence, in the financial services industry for example. While the “Know Your Customer” guidance certainly stands the test of time, there’s a new KYC to consider that is just as essential to your organization’s success – Know Your Coder.
Consider this – open-source software touches most computer systems at some level. The collaborative nature of open-source projects and the ability for contributors around the world to participate in the development of the software often leads to innovative solutions. The ability to examine the source code also typically adds to the public trust of the software. But with little-to-zero vetting taking place on the digital identities of these contributors, additional scrutiny should be placed on the open-source code invoked in a modern enterprise IT environment.
In fact, recent events in the open-source software development world shine a bright light on the risks associated with integrating third-party code. The most glaring example is the March 2024 XZ Utils incident, where a contributor spent years building trust within an open-source repository group in order to surreptitiously implant malicious code, potentially impacting nearly all Linux operating systems. While open-source code packages can be developed by individuals, groups, or corporations, the ecosystem for open-source code development is largely self-governed and could be vulnerable to this type of social engineering by a bad actor.
Another emerging threat to the software supply chain is the recently reported practice of “reputation farming,” in which coders contribute to closed projects to falsely inflate their credibility, making it even more difficult to spot nefarious actors or incompetent coders. This new threat is yet another reason to be vigilant and to understand more about your software and the origins of the underlying code.
So, what is an organization to do? How do we implement this new KYC?
We believe this could start with the large hosting repositories like GitHub and HuggingFace conducting KYC campaigns of their own by vetting contributor identities, building trust scores into the libraries, and engaging in third-party security audits. Over the last two years GitHub has enacted changes to improve supply chain security by requiring two-factor authentication for its code contributors, adding attestations for software artifacts, and providing visualization tools for software dependencies. This massive effort over an 18-month span also highlights the vast challenges associated with addressing this threat and the need for a multi-pronged approach to most effectively minimize risk.
As part of that multi-pronged approach, organizations can also leverage commercial solutions to incorporate KYC into their existing security framework. A critical step in KYC is insisting on coder-tagged lineage linked to a Software Bill of Materials (SBOM) and staying on top of vulnerabilities in open-source libraries. Companies like Lineaje are innovating in this space by integrating SBOM security features into the CI/CD pipeline and providing a central management and policy interface. Other commercial solutions to reduce risk in the software supply chain include Chainguard Images, which provides secure versions of open-source code wrapped in an SLA to secure your supply chain by default.
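As an added illustration of the SBOM-plus-contributor-lineage check described above (example code written for this page, not Lineaje's, Chainguard's or IQT's), the following Python evaluates a constructed CycloneDX-style SBOM against a constructed vulnerability feed and a contributor trust policy. The `x-contributors` and `x-attestation` fields, the package names and the advisory ids are all hypothetical.

```python
import json

# Constructed CycloneDX-style SBOM fragment. The "x-contributors" and
# "x-attestation" keys are hypothetical lineage extensions for this example.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "example-compress", "version": "1.2.3",
     "purl": "pkg:generic/example-compress@1.2.3",
     "x-attestation": false,
     "x-contributors": [
       {"id": "maintainer-a", "identity_verified": true,  "signed_commits": true},
       {"id": "contributor-b", "identity_verified": false, "signed_commits": false}]},
    {"name": "example-json", "version": "4.0.0",
     "purl": "pkg:generic/example-json@4.0.0",
     "x-attestation": true,
     "x-contributors": [
       {"id": "dev-c", "identity_verified": true, "signed_commits": true}]}
  ]
}
""")

# Constructed vulnerability feed keyed by package URL (placeholder advisory ids).
VULN_FEED = {"pkg:generic/example-compress@1.2.3": ["ADVISORY-PLACEHOLDER-1"]}


def evaluate(sbom, feed):
    """Return {purl: [finding, ...]} for every component that fails the
    Know-Your-Coder policy: no known vulnerabilities, a build provenance
    attestation, and every listed contributor with a verified identity
    and signed commits."""
    findings = {}
    for comp in sbom["components"]:
        purl = comp["purl"]
        issues = []
        if purl in feed:
            issues.append("known vulnerabilities: " + ", ".join(feed[purl]))
        if not comp.get("x-attestation", False):
            issues.append("no build provenance attestation")
        for c in comp.get("x-contributors", []):
            if not c.get("identity_verified", False):
                issues.append(f"contributor {c['id']}: identity not verified")
            if not c.get("signed_commits", False):
                issues.append(f"contributor {c['id']}: commits not signed")
        if issues:
            findings[purl] = issues
    return findings


if __name__ == "__main__":
    for purl, issues in evaluate(SBOM, VULN_FEED).items():
        print(purl)
        for issue in issues:
            print("  -", issue)
```

A component with no findings is absent from the result, so a CI gate can fail the build simply when the returned dict is non-empty.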
We at IQT are looking at this problem closely and have been investing against software supply chain security for several years. We will continue to monitor this space as fallout from the XZ Utils incident continues to percolate through the cybersecurity startup community and other threats to the software supply chain emerge and evolve. IQT expects to make investments in visionary companies in this space to complement our existing software security portfolio. If you have a unique solution to evaluate code contributions and contributors in a meaningful way, we’d love to hear from you!
Please contact us at cyber@iqt.org so we can include you in our market map.