JFrog, a DevOps company, has introduced Project Pyrsia, an open-source software community initiative that uses blockchain technology to protect software packages from vulnerabilities and malicious code.
Project Pyrsia is an open-source-based, decentralized, secure build network and software package repository aimed at helping developers establish a chain of provenance for their software components, creating greater confidence and trust.
Participants in Project Pyrsia include Docker Inc., DeployHub Inc., Shenzhen Futureway Technology Co. Ltd., and Oracle Corp. With Pyrsia, developers can use open-source software knowing their components have not been compromised, without needing to build, maintain, or operate complex processes for securely managing dependencies.
Open-source software is a critical element of nearly every technology being developed today, and there is no question that the volume, sophistication, and severity of software supply chain attacks have increased in the last year.
In recent times, the JFrog Security Research team has tracked more than 20 different open-source software supply chain attacks, two of which were zero-day exploits. JFrog argues that although open-source components are designed to make development more efficient, not knowing where your software comes from makes risks hard to spot, seeding doubt and uncertainty about its safety.
The project integrates with the package management systems developers already use, so they can certify their software components without giving up compatibility, security, or efficiency.
The project employs standards such as Sigstore's Cosign and Notary V2, which allow developers to quickly access their containers through the Pyrsia network.
By using digital signatures, developers receive an immutable chain of evidence for their code, providing the peace of mind that comes from knowing the exact source of their packages.