Chainguard today made available, through a private beta program, a set of curated JavaScript libraries, adding them to the portfolio of curated libraries it provides to secure software supply chains.
Patrick Donahue, senior vice president for product at Chainguard, said that in the wake of a series of incidents involving the npm (Node Package Manager) registry, including the now-infamous Shai-Hulud attack, the need for an alternative repository, Chainguard Libraries for JavaScript, that reduces the chances of malware being introduced into a JavaScript software supply chain has become especially acute.
The Chainguard Libraries for JavaScript service provides access to curated builds of thousands of common JavaScript dependencies, each built from source on a build platform based on the Supply-chain Levels for Software Artifacts (SLSA) framework originally developed by Google.
Chainguard makes those libraries available in whatever way customers already consume libraries, either through direct download from Chainguard or through existing artifact managers, such as JFrog Artifactory and Sonatype Nexus.
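Pointing npm at a curated registry through an artifact manager only helps if nothing in the dependency tree still resolves elsewhere. The following is an added example, not Chainguard's code or any project's own tooling: a small Node script that audits an npm package-lock.json (lockfileVersion 2/3 `packages` map) and flags every dependency that was not resolved over HTTPS from an approved registry host, or that lacks an integrity hash. The registry host `artifactory.example.internal` and the sample lockfile contents are assumptions constructed for the example.

```javascript
// Added example (not Chainguard's code): audit an npm package-lock.json so that
// every dependency was resolved over HTTPS from an approved curated registry,
// e.g. an Artifactory or Nexus repository that proxies curated builds, and
// carries an integrity hash. The host below is an ASSUMED placeholder.
const ALLOWED_REGISTRY_HOSTS = new Set([
  "artifactory.example.internal", // assumption: internal proxy of the curated registry
]);

// Constructed sample lockfile (lockfileVersion 3 shape). Integrity values are
// placeholders; only their presence is checked here.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { lodash: "^4.17.21", express: "^4.19.2" } },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://artifactory.example.internal/api/npm/npm-curated/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-constructed-placeholder-1",
    },
    "node_modules/@types/node": {
      version: "20.11.0",
      resolved: "https://artifactory.example.internal/api/npm/npm-curated/@types/node/-/node-20.11.0.tgz",
      integrity: "sha512-constructed-placeholder-2",
    },
    // Slipped in from the public registry, bypassing the curated proxy.
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-constructed-placeholder-3",
    },
    "node_modules/express": {
      version: "4.19.2",
      resolved: "https://artifactory.example.internal/api/npm/npm-curated/express/-/express-4.19.2.tgz",
      integrity: "sha512-constructed-placeholder-4",
    },
    // Nested dependency: the name must be taken from the last node_modules segment.
    "node_modules/express/node_modules/debug": {
      version: "2.6.9",
      resolved: "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      integrity: "sha512-constructed-placeholder-5",
    },
    // Git dependency: no registry, no integrity hash.
    "node_modules/some-util": {
      version: "0.1.0",
      resolved: "git+ssh://git@github.com/example/some-util.git#abc123",
    },
  },
};

function packageNameFromPath(lockPath) {
  // "node_modules/express/node_modules/debug" -> "debug"; scoped names keep their scope.
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock, allowedHosts = ALLOWED_REGISTRY_HOSTS) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // root project or workspace symlink
    const name = packageNameFromPath(lockPath);
    const reasons = [];
    if (!entry.resolved) {
      reasons.push("no resolved URL recorded");
    } else {
      let url = null;
      try { url = new URL(entry.resolved); } catch (_) { url = null; }
      if (!url) reasons.push(`unparseable resolved URL: ${entry.resolved}`);
      else if (url.protocol !== "https:") reasons.push(`not fetched over https (${url.protocol})`);
      else if (!allowedHosts.has(url.host)) reasons.push(`resolved from unapproved host ${url.host}`);
    }
    if (!entry.integrity) reasons.push("missing integrity hash");
    if (reasons.length > 0) {
      findings.push({ name, path: lockPath, version: entry.version, reasons });
    }
  }
  return findings;
}

// Same check over the raw text of a lockfile, e.g. fs.readFileSync("package-lock.json", "utf8").
function auditLockfileText(jsonText, allowedHosts = ALLOWED_REGISTRY_HOSTS) {
  return auditLockfile(JSON.parse(jsonText), allowedHosts);
}

// Audit the constructed sample; flags left-pad, debug and some-util.
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it as a CI gate after `npm ci` and fail the build on any finding; a dependency that resolves to `registry.npmjs.org` or a git URL despite a scoped `.npmrc` is exactly the case where the curated registry is being bypassed.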
As valuable a service as npm repositories have provided, the simple fact of the matter is that the maintainers of these platforms lack the resources and expertise required to curate JavaScript libraries, noted Donahue. As such, the need for an alternative approach that gives enterprise IT organizations access to a set of curated libraries that are free of known malware is now critical, said Donahue. Additionally, if a new type of malware is discovered, Chainguard will refresh the libraries it provides to eliminate it.
DevSecOps teams have been struggling to secure open source software for years, but more recently cybercriminals have become more adept at injecting malware into software supply chains that they hope to activate at some later date. They may not know which downstream applications the malware will eventually end up in, but they are betting that a significant percentage of those applications will present high-value targets once deployed in a production environment.
Ideally, cybersecurity teams are using scanning tools to discover any malware before an application is deployed, but in many instances that malware is difficult to discover because it is hidden in an open source component downloaded from a public repository. More troubling still, much of that malware is designed to evade detection by the scanners cybersecurity teams rely on.
It is not clear to what degree cybersecurity threats aimed at software supply chains have become a crisis, but as regulations holding organizations accountable for flaws in the software they ship become more stringent, more organizations than ever are adopting DevSecOps best practices to improve application security. Unfortunately, adoption of those practices has historically been uneven, so the chance of more application security incidents in the months ahead is fairly high. That comes at a time when, thanks to the rise of artificial intelligence (AI), the pace at which insecure applications are being built and deployed is only going to accelerate.