Efforts to secure WordPress and Composer tracked on new website

Gossamer Project aims to defend open source projects against SolarWinds-style supply chain attacks

The software supply chain attack against IT infrastructure vendor SolarWinds last year has revived interest in technologies that might mitigate this kind of attack.

Last month, the attack impacted numerous federal government agencies as well as Microsoft and threat detection firm FireEye.

One promising project aiming to prevent such incidents is Gossamer, which is billed as offering supply chain security for open source software.

Gossamer uses a combination of cryptographic signatures and transparency logs to protect software updates from tampering by making any malfeasance publicly visible.

Transactions (such as issuing an update or adding a software signing key) are published on an append-only cryptographic ledger. The technology offers a means to verify who released an update as well as its authenticity.

Tainted supplies

SolarWinds’ Orion software update platform was compromised in or around March 2020, nine months before the problem was detected by FireEye in December.

Previous software supply chain attacks include the 2017 compromise of M.E.Doc, the tax and financial reporting package mandated by the Ukrainian government, whose update mechanism was used to distribute NotPetya, a destructive strain of malware.

The NotPetya attack disrupted the operations of multiple international firms and caused hundreds of millions of dollars in damages, with victims including FedEx and shipping giant Maersk.

Paragon Initiative Enterprises (PIE), the PHP security and applied cryptography experts behind Gossamer, foresees a variety of use cases for the technology, including WordPress’ Automatic Updates for Themes and Plugins, Composer (the PHP dependency manager), and NPM (the Node.js dependency manager).

The development of Gossamer long predates SolarWinds, which nonetheless serves as a “grim reminder” of the type of vulnerabilities IT suppliers are faced with, PIE told The Daily Swig.

Significant revisions

As the project’s own timeline illustrates, the genesis of Gossamer dates back to July 2014. The project has gone through numerous significant revisions in the six and a half years since its inception.

Earlier this month, PIE launched a website to track the multiple ongoing parallel efforts to secure WordPress and Composer with Gossamer integration.

The developer tools aspect of the project is described as two-thirds complete and “in progress”, whilst WordPress and Composer integration are both pending.

Asked to explain how Gossamer protects against SolarWinds-like software supply chain attacks, a spokesperson for PIE told The Daily Swig: “The mechanism in Gossamer that helps with a SolarWinds-like attack is the attestations, which were specified in libgossamer in 2019.”

Attestations allow third-party providers to publish, on the same ledger, a signed assertion about a software update released by another provider, for example that they have reviewed it or reproduced its build.
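To make the mechanism described above concrete, the following is an added example, not code from Gossamer, libgossamer or PIE (the real library is written in PHP and its record format, key-management rules and ledger backends differ). It models the two ideas the article describes: an append-only, hash-chained ledger of signed transactions (adding a signing key, issuing an update) that any client can replay to check who released an update and that it has not been altered, plus third-party attestation records. The provider names, the artifact, the "reproduced:" attestation payload and the trust-on-first-publication rule for a provider's first key are constructed for illustration; Go is used because its standard library provides Ed25519 and SHA-256 without dependencies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one signed ledger transaction. Kind is "AppendKey" (Payload: hex public
// key), "Update" (Payload: artifact hash) or "Attest" (Payload: "reproduced:<artifact
// hash>"). Prev is the previous record's Hash, so the ledger forms a hash chain.
type Record struct {
	Kind, Provider, Payload, Prev, Hash string
	Sig                                 []byte
}

func (r *Record) body() []byte {
	return []byte(strings.Join([]string{r.Kind, r.Provider, r.Payload, r.Prev}, "\n"))
}

func (r *Record) computeHash() string {
	sum := sha256.Sum256(append(r.body(), r.Sig...))
	return hex.EncodeToString(sum[:])
}

// Ledger is append-only: records are added at the end and never edited.
type Ledger struct{ Records []Record }

// Append signs a record with the caller's key and chains it to the previous one.
func (l *Ledger) Append(kind, provider, payload string, signer ed25519.PrivateKey) {
	r := Record{Kind: kind, Provider: provider, Payload: payload}
	if n := len(l.Records); n > 0 {
		r.Prev = l.Records[n-1].Hash
	}
	r.Sig = ed25519.Sign(signer, r.body())
	r.Hash = r.computeHash()
	l.Records = append(l.Records, r)
}

// Verify replays the ledger from the start, as an independent client would: every link,
// hash and signature must check out, and each record must be signed by a key its provider
// published earlier. Toy rule: a provider's first key is self-signed; rotations need the key on record.
func (l *Ledger) Verify() error {
	keys := map[string]ed25519.PublicKey{}
	prev := ""
	for i, r := range l.Records {
		if r.Prev != prev || r.computeHash() != r.Hash {
			return fmt.Errorf("record %d: chain or hash mismatch (tampered?)", i)
		}
		signingKey := keys[r.Provider]
		if r.Kind == "AppendKey" {
			b, err := hex.DecodeString(r.Payload)
			if err != nil || len(b) != ed25519.PublicKeySize {
				return fmt.Errorf("record %d: malformed public key", i)
			}
			if signingKey == nil { // first key for this provider: self-signed
				signingKey = ed25519.PublicKey(b)
			}
			keys[r.Provider] = ed25519.PublicKey(b) // only matters if the check below passes
		}
		if signingKey == nil || !ed25519.Verify(signingKey, r.body(), r.Sig) {
			return fmt.Errorf("record %d: signature by %q does not verify", i, r.Provider)
		}
		prev = r.Hash
	}
	return nil
}

// Attestations lists providers that attested to an artifact; call Verify first.
func (l *Ledger) Attestations(artifact string) (who []string) {
	for _, r := range l.Records {
		if r.Kind == "Attest" && r.Payload == "reproduced:"+artifact {
			who = append(who, r.Provider)
		}
	}
	return who
}

// BuildSampleLedger constructs a scenario with hypothetical providers: "plugin-dev" publishes
// a key and an update; "auditor" publishes a key and attests. Private keys are returned for tests.
func BuildSampleLedger() (*Ledger, string, ed25519.PrivateKey, ed25519.PrivateKey) {
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	auditPub, auditKey, _ := ed25519.GenerateKey(rand.Reader)
	sum := sha256.Sum256([]byte("constructed stand-in for example-plugin-1.2.3.zip"))
	artifact := hex.EncodeToString(sum[:])
	l := &Ledger{}
	l.Append("AppendKey", "plugin-dev", hex.EncodeToString(devPub), devKey)
	l.Append("Update", "plugin-dev", artifact, devKey)
	l.Append("AppendKey", "auditor", hex.EncodeToString(auditPub), auditKey)
	l.Append("Attest", "auditor", "reproduced:"+artifact, auditKey)
	return l, artifact, devKey, auditKey
}

func main() {
	l, artifact, _, _ := BuildSampleLedger()
	fmt.Println("verify:", l.Verify(), "attested by:", l.Attestations(artifact))
	l.Records[1].Payload = strings.Repeat("00", 32) // SolarWinds-style swap of the artifact
	fmt.Println("after tampering:", l.Verify())
}
```

A client that installs the update would recompute the hash of the downloaded artifact, replay the ledger with Verify, check that an "Update" record from the expected provider carries that hash, and then apply whatever attestation policy it wants (for instance, require at least one "reproduced:" record from a trusted auditor) before installing. The first-key rule here is a placeholder: how new providers are admitted to the log is policy that a real system must define out of band, and this example does not model Gossamer's answer to that question.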

The spokesperson added: "Our focus for 2021 is WordPress then Composer. We'll look at NPM/Maven/etc. in 2022 if successful."

A roadmap for the project explains that the "ultimate goal of Gossamer is to ensure that PHP and WordPress developers have the capability of signing their open source software and verifying that the dependencies they install from third-party developers are authentic.”

“When we have succeeded at securing the PHP ecosystem, we intend to assist other ecosystems (eg Java, Node.js, Python, Ruby) in securing their open source software supply chains.”
