Rod Boothby, Global Head of Identity at Santander, explores how the failure to verify every software developer’s digital identity, creates a backdoor for hackers, increasing the threat of ransomware and other cybersecurity risks.
Most people do not know how modern software is built. People imagine a lone brilliant developer retreating into a dark room for hours, typing furiously away on a clickity clack keyboard and eventually emerging with the next amazing app.
In reality, software development is a group effort and software engineers often build using pieces of code – usually called packages – that have been written by other developers. There is a package to create a webpage and another to access a database. In fact, there are hundreds of thousands of these pre-built packages of code.
Many of these packages depend upon other packages. For example, the package Express.js, which is used to quickly design and build web applications, depends upon 89 other packages. Collectively, there are over 100 software engineers maintaining those packages and literally tens of thousands of people who have contributed to code over the years.
Who are all these people?
99.99% of them are hard working honest decent open-source developers. But either through npm, fir Java Script, or via the package managers used by every other programming language, some hackers are using these systems to share code and create backdoors into systems.
Their code is being installed behind the firewalls of every single company in the world.
Proof of this is all the ransomware attacks that are crippling governments, pipelines, hospitals and companies.
The problem is that the online identities of these developers are not connected to real-world identities. A company can scan the open source packages they’ve installed for known risks and flaws. But, by definition, they miss zero-day attacks.
We need a system where software security teams can get more information about the code that is being installed behind their firewall. They need to see both the source code and the real-world identities of the individuals contributing that code.
How could we create such a system?
I co-chair an effort called the Open Digital Trust Initiative at the IIF. We are working with the Open-ID Foundation and GLEIF to develop open-source global standards to deliver digital identity verification services. It’s called GAIN, which stands for Global Assured Identity Network. The GAIN DIGITAL TRUST paper describes the standard.
We could build it by using banks to help verify the real world identity of developers.
Imagine if all code could be quickly and easily signed, with an assurance from a financial institution that the developer was who they claimed to be. How much easier would it be to separate the 0.01% of hackers up to no good from the other 99.99% of developers who are making the world a better place?
Join Rod Boothby, and 100 other rockstar speakers at Future Identity Festival 2021, London.
