Software Supply Chains Risk

Attackers hacking the “path to production”

SUNBURST

The Orion software build system, based on TeamCity, was compromised. The attackers found the build agents and deployed a malicious DLL. Initially they snuck dead code into a release. Once they were able to verify that their code made it into a release, they replaced it with the code they wanted to run. There was no source code compromise; they injected a DLL into the build agents. Discovered by FireEye: writeup here

Software & Tools

SLSA - Supply Chain Levels for Software artifacts

Youtube: 8RT5bf6wEJk

Software

3 boundaries:

  1. Source Control System
  2. Build System
  3. Use boundary

Levels

  1. Documentation of the build process - unsigned provenance
  2. Tamper resistance of the build service - hosted source/build, signed provenance
  3. Extra resistance to specific threats - security controls on host, non-falsifiable provenance
  4. Highest levels of confidence and trust - two-party review + hermetic builds
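
What a consumer can check in a provenance document at the use boundary, as an added example that is not part of the original notes. It assumes the in-toto Statement v0.1 / SLSA provenance v0.2 field layout; the builder ID, repository URI and artifact bytes are constructed, and signature verification of the statement is assumed to have happened beforehand.

```python
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"


def check_provenance(artifact: bytes, statement: dict,
                     trusted_builders: set, expected_source: str) -> list:
    """Return a list of policy failures; an empty list means the artifact passes."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        failures.append("unexpected predicate type")

    # The provenance must be about *this* artifact: compare content digests,
    # never file names, which whoever supplies the file controls.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not listed as a subject")

    predicate = statement.get("predicate") or {}
    # Build-system boundary: only accept output of a builder we trust.
    if (predicate.get("builder") or {}).get("id") not in trusted_builders:
        failures.append("untrusted builder")
    # Source boundary: the build must have started from the expected repository.
    config = (predicate.get("invocation") or {}).get("configSource") or {}
    if config.get("uri") != expected_source:
        failures.append("unexpected source repository")
    return failures


# Constructed sample data (hypothetical builder and repository).
ARTIFACT = b"constructed release bytes"
BUILDER = "https://builder.example/hosted/v1"
SOURCE = "git+https://git.example/acme/widget"
STATEMENT = {
    "_type": STATEMENT_TYPE,
    "predicateType": PROVENANCE_TYPE,
    "subject": [{"name": "widget.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {"builder": {"id": BUILDER},
                  "invocation": {"configSource": {"uri": SOURCE}}},
}

if __name__ == "__main__":
    print(check_provenance(ARTIFACT, STATEMENT, {BUILDER}, SOURCE))
    print(check_provenance(ARTIFACT + b"!", STATEMENT, {BUILDER}, SOURCE))
```

These checks bind an artifact to a builder and a source; they do not show that the builder itself was uncompromised, which is what the host controls and hermetic builds of levels 3 and 4 address.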

Tern

Tern is a software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It’s written in Python 3 with a smattering of shell scripts.

OPA

OPA for vuln analysis - https://www.openpolicyagent.org/

Sigstore

sigstore - sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log.

Fulcio

fulcio is a free Root-CA for code signing certs - issuing certificates based on an OIDC email address. fulcio only signs short-lived certificates that are valid for under 20 minutes.

Falco

Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco is the first runtime security project to join CNCF as an incubation-level project. Falco acts as a security camera detecting unexpected behavior, intrusions, and data theft in real time.

Government

Executive Order 14028

Improving the Nation’s Cybersecurity directs NIST to publish a variety of guidance that would enhance software supply chain security

Terms

| Term | Definition |
|---|---|
| Attestation | The action of being a witness to or formally certifying something |
| SCA | Software Composition Analysis |
| BAB | Binary Authz for Borg - Google code provenance and code identity |
| Typosquatting | Registering a package with a very easy typo, in the hopes it is picked up and used as a software dependency |
| SBOM | Software Bill of Materials |
| Provenance | Where did this software come from? How can that be verified? |
| SLSA | Supply Chain Levels for Software Artifacts. Framework for grading supply chain confidence |
