Software Supply Chain Risk

Attackers hacking the “path to production”


Orion software build system (TeamCity) was compromised. The attackers got onto the build agents and used them to push a malicious DLL into the product. They first snuck dead code into a release; once they had verified that their code made it into a shipped build, they replaced it with the code they actually wanted to run. No source code compromise: the source repository stayed clean, the injection happened on the build agents at build time, so the released binary no longer matched the source it was supposedly built from. Discovered by FireEye: writeup here

Software & Tools

SLSA - Supply Chain Levels for Software artifacts

Youtube: 8RT5bf6wEJk


3 boundaries:

  1. Source Control System
  2. Build System
  3. Use boundary


4 levels:

  1. Documentation of the build process - unsigned provenance
  2. Tamper resistance of the build service - hosted source/build, signed provenance
  3. Extra resistance to specific threats - security controls on the build host, non-falsifiable provenance
  4. Highest levels of confidence and trust - two-party review + hermetic builds
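What the consumer does at the use boundary with that provenance, as an added example (not SLSA project code): check that the attestation names exactly the bytes in hand, that the builder is one we trust, and that the source driving the build is a pinned commit from an expected repository. The statement below is constructed by hand in the shape of an in-toto Statement carrying a SLSA v0.2 provenance predicate; the builder id, repository URL, commit hash and artifact bytes are made-up values for the example, and envelope signature verification (DSSE/sigstore) is assumed to have already happened before this code runs.

```python
import hashlib

# Assumed policy values for this example: who may build, and from where.
TRUSTED_BUILDERS = {"https://github.com/Attestations/GitHubHostedActions@v1"}
TRUSTED_SOURCES = {"git+https://github.com/example-org/orion-agent"}

# Constructed stand-in for a downloaded release artifact.
ARTIFACT = b"pretend this is a compiled release artifact\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto Statement with a SLSA v0.2 provenance predicate.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "agent.dll", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://github.com/Attestations/GitHubHostedActions@v1"},
        "buildType": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/example-org/orion-agent",
                "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"},
                "entryPoint": ".github/workflows/release.yml",
            }
        },
        "materials": [
            {
                "uri": "git+https://github.com/example-org/orion-agent",
                "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"},
            }
        ],
    },
}


def verify_provenance(statement: dict, artifact: bytes,
                      trusted_builders: set, trusted_sources: set) -> list:
    """Return the list of policy violations; an empty list means admit the artifact."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("not an in-toto v0.1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")

    # 1. Subject binding: the attestation must vouch for exactly these bytes.
    #    This is what catches a binary swapped after the build (or a
    #    provenance document copied from a different release).
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not among attestation subjects")

    pred = statement.get("predicate", {})

    # 2. Builder identity: only a builder we trust may have produced this.
    builder = pred.get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder!r}")

    # 3. Source: the build config must come from an expected repo at a pinned commit.
    src = pred.get("invocation", {}).get("configSource", {})
    if src.get("uri") not in trusted_sources:
        problems.append(f"untrusted source: {src.get('uri')!r}")
    if not src.get("digest"):
        problems.append("configSource has no digest (source not pinned)")

    # 4. Every material that went into the build must be pinned by digest.
    for m in pred.get("materials", []):
        if not m.get("digest"):
            problems.append(f"unpinned material: {m.get('uri')!r}")
    return problems


if __name__ == "__main__":
    print("clean artifact:", verify_provenance(PROVENANCE, ARTIFACT,
                                               TRUSTED_BUILDERS, TRUSTED_SOURCES))
    print("tampered artifact:", verify_provenance(PROVENANCE, ARTIFACT + b"\x90",
                                                  TRUSTED_BUILDERS, TRUSTED_SOURCES))
```

The digest check detects substitution after the build, not a compromised builder: a build agent that was itself backdoored, as in the Orion case, would happily emit matching provenance for the tampered binary. That is why the higher SLSA levels demand that provenance be generated by the build service rather than by user-controlled build steps (non-falsifiable) and that the build be hermetic, so the builder-id check in step 2 means something.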


Tern is a software package inspection tool that can create a Software Bill of Materials (SBOM) for container images. It is written in Python 3 with a smattering of shell scripts.


OPA (Open Policy Agent) for vuln analysis -


sigstore - sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bills of materials and more. Signing materials are then stored in a tamper-resistant public log (Rekor).


fulcio is a free root CA for code-signing certificates, issuing certificates bound to an OIDC identity (e.g. an email address). fulcio only signs short-lived certificates that are valid for under 20 minutes, so a verifier must check that the signature was made while the certificate was valid (sigstore uses the Rekor log entry's timestamp for this), not whether the certificate happens to be valid at verification time.


Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco is the first runtime security project to join CNCF as an incubation-level project. Falco acts as a security camera detecting unexpected behavior, intrusions, and data theft in real time.


Executive Order 14028

"Improving the Nation's Cybersecurity" (May 2021) directs NIST to publish guidance that enhances software supply chain security


Term           Definition
Attestation    The act of witnessing or formally certifying something; here, a signed statement about an artifact
SCA            Software Composition Analysis
BAB            Binary Authorization for Borg - Google's code provenance and code identity enforcement
Typosquatting  Registering a package whose name is an easy typo of a popular package, in the hope it is picked up and used as a dependency
SBOM           Software Bill of Materials
Provenance     Where did this software come from, and how can that be verified?
SLSA           Supply Chain Levels for Software Artifacts. Framework for grading supply chain confidence
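A pre-install check for the typosquatting entry above, added here as an example and not taken from any tool on this page: each dependency name in a requirements file is normalized the way PyPI normalizes names, then compared by edit distance against a small allow-list of well-known package names. A name that is not itself on the list but sits within a short edit distance of one is flagged. The allow-list and the requirements text are constructed for the example.

```python
import re

# Constructed allow-list standing in for "the popular packages we expect to depend on".
POPULAR = {"requests", "urllib3", "numpy", "cryptography", "setuptools", "pyyaml"}

# Constructed requirements file with two typosquat-style names.
REQUIREMENTS = """
requests==2.31.0
urlib3>=1.26       # one 'l' short
python-nmap
numpy
crytography        # missing 'p'
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of [-_.] collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious(name: str, popular=POPULAR, max_distance: int = 2):
    """Return the popular name this one looks like, or None if it is exact or unrelated."""
    n = normalize(name)
    if n in popular:
        return None
    nearest = min(popular, key=lambda p: levenshtein(n, p))
    return nearest if levenshtein(n, nearest) <= max_distance else None


def check_requirements(text: str) -> dict:
    """Map each flagged requirement name to the popular package it resembles."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # Project name ends at the first version/extras/marker character.
        name = re.split(r"[<>=!~\[; ]", line, 1)[0]
        hit = suspicious(name)
        if hit:
            findings[name] = hit
    return findings


if __name__ == "__main__":
    for bad, looks_like in check_requirements(REQUIREMENTS).items():
        print(f"{bad!r} looks like {looks_like!r}: verify before installing")
```

Run it against a real requirements file before `pip install` in CI. Legitimately similar names will trip it (that is the point of an allow-list), so treat a hit as "stop and confirm the package on the registry", not as proof of malice, and keep the distance threshold small for short names.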


Related Notes