Move intended to help prevent Ruby packages from being used in supply chain attacks
RubyGems has become the latest code repository to require multi-factor authentication (MFA) for some of its largest publishers.
The package manager has started alerting the maintainers of gems with more than 165 million downloads via the RubyGems command-line tool and website, recommending that they enable MFA on their accounts.
While it’s currently just a recommendation, MFA will be enforced on these 100-odd accounts on August 15.
Securing the supply chain
“The second-most common attack on software today is supply chain attacks stemming from account access being hacked or leaked,” a member of the team tells The Daily Swig. “MFA prevents almost all of these such attacks.”
Indeed, says the team, RubyGems has been affected by supply chain attacks in the past.
The plan is to expand the requirement beyond the top maintainers over the coming months.
“We’re going to watch the rollout and address any feedback we get from the community, after which time we’ll figure out how we want to move forward,” says the team.
“Responses have been positive – we’ve seen no serious pushback to date. We’re excited that so many folks are on the same page.”
Under lock and key
The new requirement follows a similar move from GitHub, which last month announced that two-factor authentication (2FA) would be made mandatory for all code contributors by the end of next year.
The Microsoft subsidiary hailed the move as “the first and most critical step toward securing the supply chain”.
NPM, too, has been working to enforce 2FA, initially for its top 100 Node.js package maintainers, but with a broader rollout already underway.
And, says the RubyGems team member, “We are aware of other ecosystems that plan to announce similar policies in future – we don’t say who, as they are not ready to announce yet.”
However, some believe these moves do not go far enough.
“This is a minimal step in the right direction,” Jasson Casey, chief technology officer of identity management firm Beyond Identity, tells The Daily Swig.
“It can help against the simplest of attacks against developer accounts, but it’s easy enough to bypass most MFA with off-the-shelf kits like evilginx2.”
“Additionally, this does nothing to protect the integrity of authorship of source code. Finally, they should be requiring phishing-resistant MFA along with source code signing that is linked to the developer identity.”