Flaming Hot SLSA!

The Supply-chain Levels for Software Artifacts (SLSA) is a great way to benchmark an organization's supply-chain security. In this age of rising supply-chain attacks, it is imperative that organizations approach supply-chain security in a way that is practical yet comprehensive. I strongly believe SLSA is useful for companies to get there.

This is the slide deck of a talk I gave to the engineering team at GitHub as part of their Day of Learning.

Abhay Bhargav

October 24, 2022

Transcript

  1. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Flaming Hot SLSA! Abhay Bhargav
  2. Yours Truly • Founder @ AppSecEngineer • Cloud and AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. worldwide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  3. Agenda • The Supply-Chain Problem • Real-world examples of Supply-Chain Attacks • SLSA - A possible solution • SLSA Levels • Conclusions
  4. My talk today…

  12. Supply-Chain Lifecycle

  14-17. Supply-Chain Lifecycle (attack examples, revealed stage by stage across slides 14 to 17):
    Dependency Confusion, Malicious Git Hooks, Malicious Terraform Modules •
    Poisoned Pipeline, Build Manipulation, Build System Compromise •
    Dependency Confusion, Dependency Tampering, Tainted Nested Dependencies •
    Package Integrity Attacks, Malicious/Vulnerable Base Images, Hash Switch Attacks
  18. Real-World Supply-Chain Attacks

  19. Stories of Compromise

  30. CI/CD Security Top 10

  31. Risks - Unsigned Container Images

  32. Malicious Terraform Modules

  33. GitLab Includes Attack

  34. Terminology

  35. More Terminology

  36. SLSA Levels

  37. Purpose of SLSA • Secure from tampering • Good practices • Incremental • Automatically verifiable
  38. Provenance

  39-42. Provenance • Describes HOW an artifact or set of artifacts was produced • Provenance gets stricter and deeper at higher SLSA Levels • Single or multiple subjects being built
    Provenance is an attestation that a builder produced one or more software artifacts (subjects), using some other artifacts as input (materials), by executing some invocation that runs a buildConfig, which is a record of what was executed. The builder is trusted to have faithfully recorded the provenance. The build may even have been performed at the request of an external, possibly untrusted entity; these parameters are captured in the invocation's parameters and in some of the materials. The build may also have depended on various environmental parameters (environment) that are needed for reproducing the build.
  43. Provenance

  44-50. How does SBOM fit in here? (diagram built up across slides 44 to 50; the only recoverable labels are SBOM, SBOM, SBOM, Sig, Sig, Sig)
  51. SLSA Level 0

  53. SLSA Level 1 • Scripted Build • Automated Provenance Generation • Identifies Artifact, Builder and Instructions
  54. Implementation: Level 1

  55. SLSA Level 2 • Level 1 + • Authenticated Provenance: with Signatures • Provenance generated by Build Service • Build Service
  56. Implementation: SLSA Level 2

  57. Demo - Container SBOM + Cosign
  58. SLSA Level 3 • Level 2 + • Build-as-code • Ephemeral Environment • Isolated • Non-Falsifiable • Verifiable History • Retained Indefinitely - 18 months
  59. SLSA Level 3

  60. Keyless Cosign

  61. SLSA Level 4 • Level 3 + • Parameterless • Hermetic Builds • Completed Dependencies • Hardened Build Environments • Two Person Source Review
  62. Implementation: SLSA Level 4
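
The provenance model from slide 42 (builder, subjects, materials, invocation, buildConfig, environment), the signed provenance that Level 2 requires, and the Level 4 "parameterless" property, as an added Python example that is not part of the talk: it builds a constructed in-toto Statement with a SLSA v0.2 provenance predicate and runs the policy checks a consumer would apply to it before trusting an artifact. Every URI, digest and builder id is an assumption, and the example assumes the envelope signature (e.g. a Cosign signature over the attestation) has already been verified; it checks the content, not the signature.

```python
import hashlib
# Constructed sample (not from the talk): an in-toto Statement carrying a SLSA v0.2
# provenance predicate; every URI, digest and builder id below is an assumption.
ARTIFACT = b"constructed release binary bytes\n"
SOURCE_URI = "git+https://example.com/org/app"         # assumed source repository
SOURCE_REV = "0" * 40                                  # placeholder git commit sha1
TRUSTED_BUILDERS = {"https://example.com/builder/ci"}  # assumed trusted builder id

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

PROVENANCE = {
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app-linux-amd64", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "builder": {"id": "https://example.com/builder/ci"},
        "invocation": {  # what was run, plus the parameters/environment it was run with
            "configSource": {"uri": SOURCE_URI, "digest": {"sha1": SOURCE_REV}, "entryPoint": "build.yml"},
            "parameters": {},
            "environment": {"arch": "amd64"},
        },
        "buildConfig": {"steps": [{"command": ["make", "release"]}]},  # record of what executed
        "materials": [{"uri": SOURCE_URI, "digest": {"sha1": SOURCE_REV}}],  # pinned inputs
        "metadata": {"completeness": {"parameters": True, "environment": False, "materials": False}},
    },
}

def verify_provenance(stmt: dict, artifact: bytes, source_uri: str, trusted: set) -> list:
    """Consumer-side policy checks, run after the envelope signature has been verified."""
    failures = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        failures.append("unexpected predicateType")
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        failures.append("artifact digest is not a subject of this provenance")
    pred = stmt.get("predicate", {})
    if pred.get("builder", {}).get("id") not in trusted:
        failures.append("builder is not trusted")
    if pred.get("invocation", {}).get("configSource", {}).get("uri") != source_uri:
        failures.append("build config did not come from the expected source")
    if not any(m.get("uri") == source_uri and m.get("digest") for m in pred.get("materials", [])):
        failures.append("expected source is not recorded as a pinned material")
    return failures

def claims_parameterless(stmt: dict) -> bool:
    """Level 4 'parameterless': no user parameters, and the builder asserts that list is complete."""
    pred = stmt.get("predicate", {})
    return (not pred.get("invocation", {}).get("parameters")
            and pred.get("metadata", {}).get("completeness", {}).get("parameters") is True)
```

An empty list from verify_provenance means the artifact's digest is a subject of a provenance produced by a trusted builder from the expected pinned source; any other result should block deployment.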