Teja Myneedu

Thoughts on scaling information security, innovation, careers and management

26 Feb 2021

Supply Chain Security: Code Provenance

prov·e·nance

  • the place of origin or earliest known history of something.

    “an orange rug of Iranian provenance”

    “an npm package of jongleberry provenance”

  • a record of ownership of a work of art or an antique, used as a guide to authenticity or quality.

Code Provenance

  • a record of ownership for all code that ends up in a product or service

Why do we need code provenance?

For the same reason that food products carry ingredient labels. As the consumer of a product, you want to understand how much risk the product is imposing on you, so it is reasonable to expect the producer to give you that information.

https://imgs.xkcd.com/comics/voting_software.png

Source: xkcd.com

Why is code provenance a hard problem to solve?

Because the modern application supply chain is complicated. The final product includes code produced

  • from a variety of sources:
    • in-house code written by developers of a company
    • open source software sourced from
      • external package registries
      • public code repositories
      • binary repositories
    • third party products
  • by different actors, some sloppy when it comes to security, and others deliberately malicious
  • on different hardware or infrastructure
    • developer laptops
    • infrastructure hosting OSS package, code or binaries
    • infrastructure used to build software (CI systems)
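To make the "record of ownership" concrete, here is an added example (not code from the post) of a minimal provenance manifest: every artifact that lands in the product is tagged with one of the source categories listed above, an origin (owning team, registry, repository or vendor), and a content hash, and a later build is checked against that manifest. The artifacts, origins and URLs in it are constructed sample data.

```python
"""Minimal code-provenance manifest: record where each artifact in a build came
from and what its content hash was, then check a later build against it.

Added example; the source categories mirror the list in the post (in-house code,
package registries, public repositories, binary repositories, third-party
products).  All artifacts and origins below are constructed sample data."""

import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

# Source categories from the post's breakdown of the application supply chain.
SOURCE_KINDS = {
    "in-house",           # written by the company's own developers
    "package-registry",   # pulled from an external package registry
    "code-repository",    # vendored from a public code repository
    "binary-repository",  # prebuilt binary fetched from a binary repository
    "third-party",        # commercial third-party product
}


@dataclass(frozen=True)
class ProvenanceRecord:
    path: str         # where the artifact lands in the product
    source_kind: str  # one of SOURCE_KINDS
    origin: str       # owning team, registry URL, repo URL, or vendor (hypothetical values below)
    sha256: str       # content hash at the time the record was made


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_artifact(path: str, data: bytes, source_kind: str, origin: str) -> ProvenanceRecord:
    """Create a provenance record; refuse unknown source categories so every
    artifact is forced into one of the documented buckets."""
    if source_kind not in SOURCE_KINDS:
        raise ValueError(f"unknown source kind {source_kind!r} for {path}")
    return ProvenanceRecord(path, source_kind, origin, sha256_hex(data))


def build_manifest(records: List[ProvenanceRecord]) -> Dict[str, dict]:
    """Serialise records into a JSON-friendly manifest keyed by artifact path."""
    manifest: Dict[str, dict] = {}
    for rec in records:
        if rec.path in manifest:
            raise ValueError(f"duplicate artifact path {rec.path}")
        manifest[rec.path] = asdict(rec)
    return manifest


def verify_build(manifest: Dict[str, dict], build: Dict[str, bytes]) -> List[str]:
    """Compare a build's artifacts against the manifest.  Returns findings:
    'modified' (hash changed), 'unlisted' (no provenance at all), 'missing'."""
    findings: List[str] = []
    for path, data in sorted(build.items()):
        rec = manifest.get(path)
        if rec is None:
            findings.append(f"unlisted: {path} has no provenance record")
        elif rec["sha256"] != sha256_hex(data):
            findings.append(
                f"modified: {path} ({rec['source_kind']} from {rec['origin']}) hash changed"
            )
    for path in sorted(set(manifest) - set(build)):
        findings.append(f"missing: {path} listed but absent from build")
    return findings


def demo() -> List[str]:
    # Constructed sample build: contents, categories and origins are made up.
    first_build = {
        "src/app.py": b"print('hello')\n",
        "vendor/leftpad.js": b"module.exports = s => ' ' + s;\n",
        "bin/libfoo.so": b"\x7fELF-constructed-bytes",
    }
    records = [
        record_artifact("src/app.py", first_build["src/app.py"], "in-house", "team:payments"),
        record_artifact("vendor/leftpad.js", first_build["vendor/leftpad.js"],
                        "package-registry", "https://registry.example.invalid/leftpad"),
        record_artifact("bin/libfoo.so", first_build["bin/libfoo.so"],
                        "binary-repository", "https://binaries.example.invalid/libfoo"),
    ]
    manifest = build_manifest(records)
    manifest = json.loads(json.dumps(manifest))  # round-trip as it would be stored on disk

    # Second build: one dependency silently changed, one new file appeared unrecorded.
    second_build = dict(first_build)
    second_build["vendor/leftpad.js"] = b"module.exports = s => ' ' + s; /* changed */\n"
    second_build["vendor/extra.js"] = b"// nobody recorded where this came from\n"
    return verify_build(manifest, second_build)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script reports the changed registry dependency and the unrecorded file; the point of the "unlisted" finding is that an artifact with no owner and no origin is itself a provenance gap, independent of whether its contents look suspicious.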

What are some proven strategies to achieve better code provenance?

I’m discussing “Supply Chain Security: Code Provenance” with Shrikant Pandhare. Tuesday, Mar 2 at 5:30 PM PST on Clubhouse. Join us! https://www.joinclubhouse.com/event/MRle0jB3

Why this topic and why now?

This is not a new topic for security practitioners, but there is a renewed focus on it because of the extensive damage caused by the SolarWinds breach and the dependency confusion attack.

As a result, several folks working in security have received directives to tackle this better. So, I hope we can discuss this topic to death and learn from each other!