AnyTree: Guarantee The Security of Your Software Supply Chain
Introduction
GOSH introduces AnyTree, a software deployment system built to guarantee the security of your software supply chain. AnyTree is the result of 12 months of work to offer businesses a comprehensive solution to software security. The GOSH Docker Extension, unveiled at DockerCon 2022, was the first step: it strengthens the security of Docker containers so that developers can be sure their builds were never put at risk. GOSH has worked alongside Ambassador Labs to ensure the integrity of Docker containers, and the addition of the GOSH AnyTree Firewall for Telepresence adds a further layer of security: it verifies the authenticity of Docker containers and of any changes made to them, and builds containers exclusively from approved sources. This commitment to security has led us to spearhead the Government Blockchain Association (GBA) Secure Software Supply Chain (SOSSEC) working group.
Software Supply Chain Attacks Are An Ever-Present Threat
Software supply chain attacks have become a persistent, existential threat to businesses, one that demands significant investment in protective measures. According to Juniper Research, the total cost of software supply chain cyberattacks to businesses is predicted to exceed $80.6 billion globally by 2026, up from $45.8 billion in 2023. The fact is that code produced by developers is, as a rule, not secure (most developers are not security experts), which adds to the cost of protecting the product once it has been delivered.
One new and particularly acute attack vector targets machine learning and artificial intelligence models through data poisoning. Attackers manipulate or tamper with the training data, so the algorithm learns from corrupted inputs and the result is an ineffective, compromised, or even harmful model.
Reinventing Software Supply Chain Security
With AnyTree, every mutation of your code, down to each dependency, and every operation on it, including builds and every resulting artifact, is logged, timestamped, signed, and verified by Executable Distributed Ledger Technology (eDLT).
AnyTree secures not only your builds but also the source code itself, because GOSH is, to our knowledge, the only formally verified git implementation. Every object in code delivered by AnyTree is wrapped in a special executable ontology object, which makes AnyTree an unparalleled tool for businesses to log, and state clearly, what they are deploying and where.
AnyTree's preventive security measures guard against unwanted code, even in statically linked dependencies, and they secure your delivery before the container is built. With AnyTree, you can verify the package contents as well as the methods and materials used in its construction.
AnyTree’s robust cryptographic proofs ensure the immutability, attribution, and objective timestamping of all artifacts in your delivery process. This means software distributed through AnyTree is:
Secured at the source, with all dependencies, build, and compiler environments
Built in isolation, and cryptographically signed and timestamped
Based on GOSH's pioneering Deep SBOM technology, which extends the SBOM surface to all build environments, and describes not only what but also how something was built
This means that when you use AnyTree, whatever apps developers distribute or use are delivered exactly as intended: code the developers did not write is never included.
Deep SBOM extends the SBOM surface to include all build environments. Because commit history is recorded on the GOSH ledger, malicious commits cannot be inserted retroactively into past history, and with Deep SBOM it is very hard for dependency tampering during the CI/CD process to go unnoticed.
Integrating GOSH Builder with AnyTree can prove that builds on a developer machine and on a server (or in a cloud) are identical. GOSH Builder uses signed declarative build descriptions that include all dependencies together with their environments and give you full control over the build process. It isolates builds, granting access only to immutable components, so the resulting container or package can be fully validated against its sources and build environments, with consistently reproducible results. The descriptions also carry objective timestamps, securing not only the source and the resulting build but also the process itself.
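To make the checks described above concrete, here is an added Go example; it is not code from GOSH, AnyTree or GOSH Builder, and its BuildDescription schema, its toy `Build` step (a stand-in for an isolated build that simply links source and dependencies), its Ed25519 builder keys and the caller-supplied timestamp are all this example's own assumptions. It shows what a signed declarative build description looks like when it records the digest of the source and of every dependency plus the build environment, how a consumer verifies an artifact against a trusted builder's attestation before deploying it, and how comparing a developer-machine attestation with a server attestation exposes a swapped dependency: the descriptions differ before anyone has to diff the binaries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// BuildDescription is this example's own declarative build record, not GOSH's schema.
type BuildDescription struct {
	Source string            `json:"source"` // digest of the source tree
	Deps   map[string]string `json:"deps"`   // dependency name -> digest
	Env    map[string]string `json:"env"`    // toolchain identifiers
}

// Attestation binds a description, the artifact digest and a timestamp under a builder signature.
type Attestation struct {
	Description BuildDescription  `json:"description"`
	Artifact    string            `json:"artifact"`  // digest of the build output
	Timestamp   int64             `json:"timestamp"` // unix seconds; assumed to come from a trusted clock
	Builder     ed25519.PublicKey `json:"builder"`
	Signature   []byte            `json:"signature"`
}

func digest(b []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// payload is what gets signed: the attestation with Signature cleared. encoding/json
// writes struct fields in order and map keys sorted, so the encoding is canonical.
func (a Attestation) payload() []byte {
	a.Signature = nil
	b, _ := json.Marshal(a)
	return b
}

// NewBuilder returns a signing key and its trust-list entry (the raw public key as a string).
func NewBuilder() (ed25519.PrivateKey, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, string(pub)
}

// Build stands in for an isolated build: it "links" source and dependencies in name
// order, so any changed input changes the output, and it records every input digest.
func Build(source []byte, deps map[string][]byte) ([]byte, BuildDescription) {
	d := BuildDescription{Source: digest(source), Deps: map[string]string{},
		Env: map[string]string{"compiler": "cc-1.0"}}
	var names []string
	for n, blob := range deps {
		names = append(names, n)
		d.Deps[n] = digest(blob)
	}
	sort.Strings(names)
	out := append([]byte{}, source...)
	for _, n := range names {
		out = append(out, deps[n]...)
	}
	return out, d
}

// Attest signs the description, artifact digest and timestamp with the builder key.
func Attest(priv ed25519.PrivateKey, d BuildDescription, artifact []byte, ts int64) Attestation {
	a := Attestation{Description: d, Artifact: digest(artifact), Timestamp: ts,
		Builder: priv.Public().(ed25519.PublicKey)}
	a.Signature = ed25519.Sign(priv, a.payload())
	return a
}

// Verify accepts an artifact only if a trusted builder attested to exactly these bytes.
func Verify(a Attestation, artifact []byte, trusted map[string]bool) error {
	switch {
	case !trusted[string(a.Builder)]:
		return fmt.Errorf("builder key is not on the trust list")
	case len(a.Builder) != ed25519.PublicKeySize || !ed25519.Verify(a.Builder, a.payload(), a.Signature):
		return fmt.Errorf("attestation signature does not verify")
	case a.Artifact != digest(artifact):
		return fmt.Errorf("artifact digest does not match the attestation")
	}
	return nil
}

// Reproduced checks that two builders started from the same description and produced the
// same artifact: a description mismatch means an input or the environment was changed.
func Reproduced(x, y Attestation) error {
	dx, _ := json.Marshal(x.Description)
	dy, _ := json.Marshal(y.Description)
	if string(dx) != string(dy) {
		return fmt.Errorf("build descriptions differ: an input or the environment changed")
	}
	if x.Artifact != y.Artifact {
		return fmt.Errorf("same description, different artifact: build is not reproducible")
	}
	return nil
}

func main() {
	key, pub := NewBuilder()
	src := []byte("int main(void) { return 0; }") // constructed sample inputs
	deps := map[string][]byte{"libc": []byte("musl-1.2"), "libz": []byte("zlib-1.3")}
	art, desc := Build(src, deps)
	att := Attest(key, desc, art, 1700000000)
	fmt.Println("deploy:  ", Verify(att, art, map[string]bool{pub: true}))
	deps["libz"] = []byte("zlib-1.3-with-backdoor") // dependency swapped on a server
	badArt, badDesc := Build(src, deps)
	fmt.Println("tampered:", Reproduced(att, Attest(key, badDesc, badArt, 1700000060)))
}
```

Two design points carry over to a real system. The consumer's trust list is what turns "signed" into "signed by someone we accept", so a rogue key that signs a perfectly well-formed attestation is still rejected. And because the description is part of the signed payload, an attacker who swaps a dependency on the build server cannot keep the old description: the digest of the swapped input changes, and the comparison between builders fails on the description before the artifacts are even looked at.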
Empowering Secure Software Distribution with AnyTree
As an Executable Distributed Ledger Technology (eDLT), AnyTree provides concrete cryptographic guarantees when storing git objects and tracing software. It lets you confirm whether or not a piece of software came from GOSH; if it did not, the developer is alerted.
Consider package delivery, a potential attack vector in the software supply chain. AnyTree's cryptographic guarantees let you secure the delivery of any package you use today without changing your delivery methods.
AnyTree works with almost any package manager and with user or server applications alike. Whether you use NPM, Brew, APK, or any other package manager, AnyTree secures their delivery.
Conclusion
GOSH AnyTree is an answer to the escalating challenges of securing software supply chains. Recognizing the growing threat posed by software supply chain attacks and their financial and product-security implications, AnyTree gives developers and businesses a comprehensive, robust solution by securing code at the source, guarding against unwanted code, and ensuring the security of software delivery. AnyTree integrates with existing delivery methods without altering them, so businesses can accurately log, verify, and safely distribute their software products with minimal changes to their workflows.
Whether the threat comes from data poisoning or dependency tampering, AnyTree's cryptographic proofs and pioneering Deep SBOM technology offer a level of protection that has so far eluded businesses, which typically rely on a wide variety of tools and plugins that are hard to manage and often verify software only after it has already been delivered. With AnyTree, developers and businesses have a single tool that ensures the security, integrity, and traceability of their software supply chain during development and at every point in delivery, so what you deploy is exactly what was intended, without surprises from unknown or unwanted sources. This not only secures the software supply chain but also yields substantial cost savings by mitigating the risk of cyberattacks. AnyTree is a significant step toward a safer, more reliable software development and distribution environment in the face of evolving cyber threats.
If you would like to learn more about AnyTree for your business and secure your software supply chain: