How Anaconda Is Rallying to Protect Commercial Users From Cybersecurity Threats
“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”
So says President Biden in a recent statement on America’s cybersecurity. The statement was made to warn those in the technology sector—public and private—against potential malicious Russian cyber activity following economic sanctions the U.S. has imposed on Russia in response to the ongoing conflict in Ukraine. Alongside this threat, the open-source community has witnessed the introduction of “peacenotwar,” a package containing malicious code originally intended to harm users with IP addresses in Russia or Belarus. Looked at in conjunction with the field testing of cyber weapons, the use of such protestware serves as a solid demonstration of the gaps available for exploitation by malicious actors. The proliferation of cybersecurity weapons is a historical pattern, indicating that attacks may accelerate in coming years.
The true reach of malware is nearly impossible to control or predict, and thus is a threat to the free and open-source software (FOSS) that’s foundational to tech stacks across a multitude of industries. In order to safeguard their digital domains and preserve the affordability, flexibility, and limitless technological advancement opportunities affiliated with open source, companies must place more emphasis on security than ever before. And in order to support this push for fortification, entities within the technology and open-source spaces who possess the resources to build increasingly sophisticated security features into their products have a responsibility to do so.
We at Anaconda have always maintained a commitment to security, as evidenced by product releases like Conda Signature Verification, CVE Curation, and more. We’ve also leveraged our role as a data science thought leader to discuss the importance of open-source security and how to approach it. The aforementioned world events, however, have the nation ringing with the demand for more security, better security, and fast—and Anaconda is answering the call. Here are a few of the ways we are rallying to fortify our products and services and protect commercial users amidst current cybersecurity threats.
1. We are increasing our focus on cloud-based solutions.
We recently launched Anaconda’s Business plan, a new cloud-based offering that allows companies to reduce open-source vulnerability risk at the source, ensure open-source licensing compliance, and access and distribute approved-only packages for use across their teams. We are happy to expand access to Anaconda’s curated, high-fidelity security information to help more customers secure their open-source pipelines in the cloud.
2. We are transforming an open-source project into an advanced vulnerability scanner.
Gathering information about dependencies and the changes they can transitively introduce can help teams decide if specific dependencies are “safe” for use. At Anaconda, we are building tools like Scorecards and deps.dev so users can evaluate dependencies in order to assess risk and corresponding transitive changes.
3. We are investing more resources into CVE curation.
In this Biden-Harris Administration fact sheet, companies are encouraged to “make sure that [their] systems are patched and protected against all known vulnerabilities.” Anaconda is continuing to help customers identify and manage vulnerabilities through CVE curation.
While curating open-source CVEs to generate actionable and high-fidelity security reports is a time-consuming endeavor—which is probably why this service isn’t provided in abundance—Anaconda believes it is of the utmost importance. As such, we provide human CVE curation to support the continued use of open source for our customer base. Anaconda’s curation team reviews flagged packages with CVEs reported by the NVD, curates a CVE status and score, then updates the CVE and notifies users that the newest version is patched and safe to use.
4. We are generating Software Bills of Materials (SBOMs) for tools and services.
Anaconda generates SBOMs for customers in accordance with evolving security standards and best practices around the use of open source in sensitive environments. Built in accordance with Software Package Data Exchange (SPDX) specifications, our SBOMs are important because they provide visibility into software components, facilitating awareness of potential risk factors and quicker reaction times should an issue arise.
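To make the two items above concrete, here is an added example (not Anaconda's own code or SBOM format) that builds a minimal SPDX 2.3 document from a conda-style environment listing and then cross-checks it against a small curated CVE table of the kind a curation team might maintain. The environment listing, the CVE identifiers (placeholders of the form CVE-0000-000x), the fixed versions and the scores are all constructed sample data; the document namespace is a placeholder.

```python
"""Added example, not Anaconda's code: emit an SPDX 2.3 SBOM from a `conda list`-style
listing and match it against a constructed curated CVE table."""
import json
import re
from typing import Dict, List

# Constructed sample in the shape of `conda list` output: name, version, build, channel.
SAMPLE_CONDA_LIST = """\
# packages in environment at /opt/env (constructed sample)
#
# Name                    Version                   Build  Channel
numpy                     1.21.2           py39h20f2e39_0  main
openssl                   1.1.1k               h7f8727e_0  main
requests                  2.26.0             pyhd3eb1b0_0  main
"""

# Constructed curated table standing in for a hand-curated CVE feed. The CVE ids are
# placeholders, not real advisories; `fixed_in` and `score` are curated values.
CURATED_CVES = [
    {"cve": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1l", "score": 7.5},
    {"cve": "CVE-0000-0002", "package": "requests", "fixed_in": "2.26.0", "score": 5.3},
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_conda_list(text: str) -> List[Dict[str, str]]:
    """Parse the name/version/build/channel columns, skipping blank and comment lines."""
    pkgs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        name, version, build, channel = m.groups()
        pkgs.append({"name": name, "version": version, "build": build, "channel": channel})
    return pkgs


def version_key(v: str):
    """Crude ordering: numeric runs compare as ints, letter runs as strings (1.1.1k < 1.1.1l).
    Tagged tuples keep ints and strings from being compared directly."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[a-zA-Z]+", v)]


def to_spdx(pkgs: List[Dict[str, str]], doc_name: str = "conda-env") -> dict:
    """Build an SPDX 2.3 JSON document: one package entry with a conda purl per package,
    plus a DESCRIBES relationship from the document to each package."""
    packages = []
    for i, p in enumerate(pkgs):
        purl = f"pkg:conda/{p['name']}@{p['version']}?build={p['build']}&channel={p['channel']}"
        packages.append({
            "SPDXID": f"SPDXRef-Package-{i}-{p['name']}",
            "name": p["name"],
            "versionInfo": p["version"],
            "downloadLocation": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": purl}],
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": f"https://example.invalid/spdx/{doc_name}",  # placeholder
        "packages": packages,
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relationshipType": "DESCRIBES",
                           "relatedSpdxElement": pk["SPDXID"]} for pk in packages],
    }


def match_curated(sbom: dict, curated: List[dict]) -> List[dict]:
    """Report each curated CVE whose package appears in the SBOM, with a status of
    'affected' when the installed version is below the curated fix version."""
    installed = {p["name"]: p["versionInfo"] for p in sbom["packages"]}
    findings = []
    for entry in curated:
        v = installed.get(entry["package"])
        if v is None:
            continue
        status = "affected" if version_key(v) < version_key(entry["fixed_in"]) else "patched"
        findings.append({"cve": entry["cve"], "package": entry["package"], "installed": v,
                         "fixed_in": entry["fixed_in"], "score": entry["score"],
                         "status": status})
    return findings


if __name__ == "__main__":
    sbom = to_spdx(parse_conda_list(SAMPLE_CONDA_LIST))
    print(json.dumps(sbom, indent=2))
    for finding in match_curated(sbom, CURATED_CVES):
        print(finding)
```

Run it to see the SPDX document and two findings: the sample openssl is flagged as affected (installed below the curated fix), the sample requests is reported as patched. A real pipeline would replace the constructed table with the curated feed and feed in an actual `conda list` capture; the purl uses the `pkg:conda` type so downstream scanners can resolve the exact build and channel.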
5. We are adopting a zero-trust approach to our network.
Our team is working hard to safeguard Anaconda infrastructure and build processes. While Conda Signature Verification (our end-to-end chain-of-trust token) already enables users to verify that packages installed from our professional repository are exactly as built on Anaconda’s secure build networks, we have simultaneously adopted a remote-first culture. As our package build and infrastructure teams grow in size across distributed locations, we are investing additional resources to reduce the number of human touch points between package inception and package install.
Additionally, ISO 27001 certification is coming to Anaconda in the next few months.
6. We are offering free security consultations.
For a limited time, Anaconda is offering free 30-minute security consultations! These expert-led consultations include a pre-call survey followed by an analysis of the organization’s current situation, a rundown of security best practices, and suggested next steps in keeping with those best practices.
Doubling down on cybersecurity in order to protect the nation’s digital interests and preserve access to open-source innovation is no small feat, but we will continue to work with our customers to do just that. In what can feel like a maze of complexities surrounding open-source vulnerabilities and technology sector threats, Anaconda remains committed to imbuing our products and services with simplicity, ease, and, of course, security, for the benefit of our entire community. Keep an eye on our blog for further news as we continue to adapt to the evolving cybersecurity landscape.