JPMorgan Global CISO Pat Opet has flagged the use of frameworks like Sigstore and the Alpha-Omega program as critical in improving open source software (OSS) security – urging more public-private collaboration.
OSS “drives innovation to many technologists working on world-class solutions, including JPMorgan Chase’s 57,000+ technologists, who incorporate thousands of open source packages in developing tools that give our company, clients, and customers an edge,” the global CISO said.
His reference to both programmes was a nod to the Open Source Security Foundation (OpenSSF) which oversees them – and which JPMorgan was a founding member of – and came in the wake of its recent DC Summit.
See also: Kubernetes has standardised on sigstore
What is sigstore?
sigstore is the Linux Foundation's free software signing service. First released in March 2021, it includes brings together free-to-use open source technologies like Fulcio, Cosign and Rekor to handle the digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software; letting developers securely sign software artifacts such as release files, container images and binaries with signatures stored in a tamper-proof public log.
The service is free to use.
The JPMorgan Global CISO added in a short blog: "There is more to be done in improving tooling to address software supply chain attacks.
"We see significant importance in supporting the enhancement of OSS evaluation tools, like the Security Scorecard, an automated security tool to help open source users understand the risks of the dependencies in their software, and Software Bill of Material (SBOM) capabilities... our security teams are working towards such solutions and collaborating with organizations like OpenSSF to build better integrated tooling and capabilities that will ultimately promote safer practices and prevent future significant software supply chain security breaches," he noted.
JPMorgan Chase, along with other financial institutions, established the Financial Services Information Sharing and Analysis Center (FS-ISAC) Supply Chain working group to socialize emerging supply chain threats to the Financial Sector and create guidance to address threats, such as the Software Supply Chain Primer White Paper published in 2022.
