Moving the Needle: Eclipse Foundation Security Breakthroughs in 2023

As we approach the end of 2023, it's an opportune time to reflect on our significant accomplishments in strengthening the security posture of the Eclipse Foundation and the supply chain of its projects. This year has been marked by a series of focused initiatives aimed at enhancing our common infrastructure and individual security, ensuring a robust defence against potential cyber threats. We have been able to achieve all of this thanks to the funding from the OpenSSF Alpha-Omega project.

Hardening Our Common Infrastructure

Recognising the necessity of aligning with industry benchmarks, we initiated a campaign to upgrade our IT infrastructure. This process involved a comprehensive IT risk assessment, identifying potential threats, and developing a targeted strategy to mitigate these risks. As a result, we have not only reinforced our defences but also enhanced our operational effectiveness.

We have allocated resources towards advanced monitoring tools, enabling us to continuously oversee the security status of our externally accessible assets. This proactive approach has allowed us to assist numerous projects in adopting current cybersecurity standards for their websites, such as updated TLS versions, secure redirections, and robust security headers. Implementing these practices within our infrastructure has also allowed us to standardise the configuration across our own sites. While maintaining security is an ongoing endeavour, we are proud to say that our efforts have positioned us well above the industry average, a status we are committed to maintaining.

Looking ahead to 2024, our focus will shift towards intensifying the security within our internal network. This will include expanding our monitoring capabilities, integrating more sophisticated intrusion detection systems, and reinforcing the security framework of our essential backend services, including our authentication system.

Emphasising Strong Identity and Two-Factor Authentication

This year, we actively participated in GitHub's initiative to mandate 2FA for our most engaged contributors. Initially, it was uncertain who would be encompassed by this mandate. As such, we have been monitoring the adoption rate to ensure that it was reaching our global objectives. We observed the adoption rate soar from under 60% at the start of the year to over 90% by December. We're gearing up for the final phase of this initiative in the upcoming year, where 2FA will become compulsory across all Eclipse Foundation’s owned GitHub organisations. This means every contributor with a project on GitHub will be required to enable 2FA on their accounts.

Furthermore, we have had a similar initiative on our own instance of GitLab. Following multiple communications with our GitLab project contributors, we successfully enforced 2FA on 11 December.

Refined Processes for Vulnerability Response

Our efforts this year also have focused on overhauling the 'Managing and Reporting Vulnerabilities' section of the Eclipse Foundation Project Handbook. This revamp has produced documentation, guiding our community in best practices for vulnerability management and outlining the support provided by the Eclipse Foundation in this area.

We have also streamlined our communication protocols to ensure discrete and efficient handling of vulnerability reports. Presently, there are four distinct methods to report vulnerabilities to projects:

• For projects hosted on gitlab.eclipse.org with an opted-in dedicated security tracker project, reporters should file confidential issues within this tracker.
• For projects on GitHub that have chosen private security advisories, reporters should submit private issues on GitHub.
• If the reporter possesses an Eclipse Foundation account, they can log the report as a confidential issue on the general vulnerability issue tracker. Here, the Eclipse Foundation Security Team will notify the respective project team.
• As a last resort, reports can be sent to the security@eclipse-foundation.org mailing list. The security team will then create a confidential issue on the general vulnerability issue tracker to facilitate communication with the project team.

Throughout 2023, we have published over 24 vulnerability reports (CVEs), more than doubling our output from 2022.

Upgrading Common Development Infrastructure

We have substantially upgraded our platform and operating system code signing services, including Authenticode for Windows and macOS code signing along with notarisation, making them more resilient.

Authenticode, Microsoft's technology for signing executable files and scripts, enables users to verify the authenticity and integrity of software on Windows. Projects signing their binaries with Authenticode assure that the software has not been tampered with and originates from a reliable source, such as the Eclipse Foundation. In a similar vein, macOS code signing, coupled with Apple's notarisation process, provides comparable security for macOS users. This notarisation process entails submitting software to Apple for automated checks to confirm it's free from malicious content. This step not only guarantees the safety of the software for users but also facilitates smoother installation on macOS, as notarised apps are more likely to be approved by Apple's Gatekeeper security feature. The Eclipse Foundation offers both these services, as they require certificates from specific certificate authorities. These certificates can be challenging and expensive for an open source project to obtain independently.

Finally, we have completed the integration of our identity provider with the staging instance of sigstore. Sigstore is a project aimed at improving the security of the software supply chain by enabling the easy adoption of cryptographic software signing, backed by transparency logs. This is particularly beneficial for open source software, where ensuring the integrity and origin of code is crucial. By integrating Sigstore, we provide our projects with the means to sign their software artefacts, containers, and binaries more securely and transparently. This mitigates a range of supply chain threats, such as software tampering or unauthorised modifications, by ensuring traceability and verifiability of the software's origin and integrity throughout its lifecycle.

OtterDog: Transforming Repository Management

OtterDog, our innovative tool, is revolutionising the management of GitHub organisations. Utilising an infrastructure-as-code approach, it enables large-scale management of repository configurations and policy enforcement. This tool allows for the hosting of infrastructure configurations in separate repositories within each organisation. Contributors can propose changes through pull requests, which can only be applied after approval by designated teams.

This innovative approach has markedly enhanced our interaction with committers. Upon deploying OtterDog in an organisation, we witnessed a surge in engagement to refine and secure project configurations on GitHub. To date, OtterDog has been adopted by 60 out of 170 GitHub organisations managed by the Eclipse Foundation, leading to the creation of over 300 pull requests by the community. These changes vary from minor adjustments in repository descriptions to the implementation of branch protection rules. The latter has seen increasing adoption, significantly reducing the risk of supply chain attacks. In line with this, we are actively monitoring key settings, such as protection rules on default branches or secret scanning, initiating the implementation of security policies across all our projects.

Fostering a Culture of Security Through Audit Support

This year, we have successfully conducted four major security audits, encompassing Eclipse p2, Eclipse JKube, Eclipse Mosquitto, and Eclipse Jetty. These audits were carried out in collaboration with the Open Source Technology Improvement Fund (OSTIF).

The significance of these audits in the open source community cannot be overstated. During these reviews, a number of vulnerabilities and Common Vulnerabilities and Exposures (CVEs) were identified and subsequently resolved. This proactive approach to security is particularly crucial in open source projects for several reasons.

Firstly, security audits allow for the early detection and rectification of vulnerabilities that might otherwise be exploited by malicious actors.

Secondly, conducting regular audits fosters a culture of security within the open source community. It demonstrates a commitment to responsible and proactive security practices, setting a standard for other projects to follow. This culture is essential in building trust among users and developers, assuring them of the project's dedication to safeguarding their interests.

Finally, these audits contribute to the overall health and sustainability of open source projects. By identifying and addressing security issues, projects can maintain and improve their reputation, attract more contributors, and ensure a more secure experience for everyone involved.

Eclipse Temurin About to Reach SLSA Build: Level 3 Compliances

Eclipse Temurin, a key Eclipse Foundation project, stands out for its high-performance, cross-platform, open source licensed OpenJDK distributions, all of which are Java SE TCK-tested. It is about to achieve a notable milestone in software supply chain security by attaining Level 3 compliance in the SLSA (Supply chain Levels for Software Artefacts) build track.

SLSA's build track emphasises trustworthiness and completeness in package artefact provenance, which includes details about the entity that built the artefact, the process used, and the inputs involved. Level 3 compliance, which Eclipse Temurin will reach on their next release in January, involves running builds on a hardened platform with strong tamper protection, mitigating a number of potential supply chain attacks.

In addition, Eclipse Temurin also ensures reproducibility of its builds. Reproducible builds are a core aspect of trustworthy software supply chains, as they allow for verification that the binaries are consistently created from the same source code. 

Looking Ahead

As we celebrate these achievements, our journey towards a more secure digital environment continues. We remain dedicated to advancing our cybersecurity initiatives, staying ahead of emerging threats, and fostering a culture of security that permeates every aspect of our organisation. 

We are happy to announce that the OpenSSF Alpha-Omega project renewed its trust in the Eclipse Foundation by funding some more work to be done in 2024. We’ll have more to say on that in upcoming publications.

Get Involved

Learn more about the Eclipse Cyber Risk Initiative, and how your organisation can join the effort to strengthen the open source supply chain. Please subscribe to the ECRI mailing list to join the initiative, or to follow its progress.