SolarWinds Has Everyone Staring Hard at the Software Supply Chain
In SolarWinds' wake, package registries and security researchers are pushing code-signing, provenance, and MFA for publishing to the front of the conversation.
The SolarWinds breach earlier this month keeps rippling outward, and the part I find most interesting isn’t the breach itself — it’s what people are doing about it now. Once you internalize that attackers compromised a trusted software update and rode it straight into a pile of US government networks, you start asking uncomfortable questions about every dependency you npm install or pip install without a second thought.
That’s exactly the conversation happening among security researchers and package-registry maintainers right now. GitHub, which wrapped up its acquisition of npm earlier this year, is one of the parties people are watching closely, since npm sits at the center of an enormous share of the web’s dependency graph. The renewed attention is landing on a few concrete areas: code-signing so you can verify a package actually came from who it claims to have come from, provenance tracking so you can trace a build back to its source rather than trusting a blob that showed up in a registry, and multi-factor authentication for the accounts that are allowed to publish packages in the first place.
None of these ideas are new. People have been asking for signed packages and mandatory 2FA on publishing for years. What’s different is that SolarWinds gave the argument a concrete, high-stakes example to point at. “Someone could compromise a build pipeline and slip malicious code into a trusted update” stopped being a hypothetical and became the plot of a real incident that touched federal agencies. That tends to move things that stalled out in GitHub issues and standards-committee backlogs for a long time.
Why this is a supply-chain problem, not a patching problem
The instinct after any breach is to ask “did we patch fast enough,” but that framing doesn’t fit here. The victims weren’t running old software — they were running software from a source they had every reason to trust. That’s the actual lesson developers are chewing on this week: your security posture is only as good as the weakest link upstream of you, and most of us have no real visibility into that chain. You can pin your direct dependencies all day, but transitive dependencies, build servers, and CI credentials are all attack surface too.
I don’t think this gets fixed in a week or even a quarter. Code-signing and provenance tooling for something the scale of npm or PyPI is a genuinely hard engineering and coordination problem — registries have to balance security against not making it painful to publish a package, and adoption has to be broad enough to matter. But heading into 2021, I’d bet supply-chain security stops being a niche concern for security teams and becomes something ordinary developers are expected to have opinions about. If your team hasn’t looked at where your CI credentials live or how your build artifacts get signed, this is a reasonable week to start.