Software Supply Chain Security and Tooling
Feb 25, 2022

    Attackers hacking the “path to production”

    SUNBURST

    Orion Software Build system based on Teamcity was compromised. Found build agents and deployed malicious DLL. Initially snuck deadcode into a release. Once they were able to verify that their code made it into a release, they replaced that with code they wanted to run. No source code comprimise, used an injected DLL into the build agents. Discovered by Fireeye: writeup here

    Software & Tools

    SLSA - Supply Chain Levels for Software artifacts

    Youtube: 8RT5bf6wEJk

    Software

    3 boundaries:

    1. Source Control System
    2. Build System
    3. Use boundary

    Levels

    1. Documentation of the build Progress - unsigned provenance
    2. Temper resistance of the build service - hosted source/build, signed provenance
    3. Prevents extra resistancwe to specific threats. Security controls on host, non-falsifiable provenance
    4. Highest Levels of confidence and trust - two-party review + hermetic builds

    Tern

    Tern is a software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It’s written in Python3 with a smattering of shell scripts

    OPA

    OPA for vuln analysis - https://www.openpolicyagent.org/

    Sigstore

    sigstore - sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log.

    Fulcio

    fulcio is a free Root-CA for code signing certs - issuing certificates based on an OIDC email address. fulcio only signs short-lived certificates that are valid for under 20 minutes.

    Falco

    Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco is the first runtime security project to join CNCF as an incubation-level project. Falco acts as a security camera detecting unexpected behavior, intrusions, and data theft in real time.

    Government

    Executive Order 14028

    Improving the Nation’s Cybersecurity directs NIST to publish a variety of guidance that would enhance software supply chain security

    Terms

    TermDefinition
    Attestationthe action of being a witness to or formally certifying something
    SCASoftware Composition analysis
    BABBinary Authz for Borg - Google Code Provenance and code identity
    TyposquattingRegistering a package with a very easy type, in the hopes it is picked up and used as a software dependency
    SBOMSoftware Bill of Materials
    Provenancewhere did this software come from? How can that be verified?
    SLSASupply Chain Levels for Software Artifacts. Framework for grading supply chain confidence

    Resources