
Flaming Hot SLSA!

The Supply-Chain Levels for Software Artifacts is a great way to benchmark an organization's Supply-Chain Security. In this age of rising supply-chain attacks, it becomes imperative for organizations to approach Supply-Chain Security with a practical yet comprehensive approach. I strongly believe the SLSA is useful for companies to get there.

This is a slide deck of a talk I gave to the engineering team at GitHub as part of their Day of Learning.

Abhay Bhargav

October 24, 2022

Transcript

  1. Copyright © AppSecEngineer 2022
    abhaybhargav AppSecEngineer
    Flaming Hot SLSA!
    Abhay Bhargav

  2. abhaybhargav
    Yours Truly
    • Founder @ AppSecEngineer
    • Cloud and AppSec Automation Junkie
    • Trainer/Speaker at DEF CON, BlackHat, OWASP events, etc., worldwide
    • Co-author of Secure Java For Web Application Development
    • Author of PCI Compliance: A Definitive Guide

  3. Agenda
    • The Supply-Chain Problem
    • Real-world examples of Supply-Chain Attacks
    • SLSA - A possible solution
    • SLSA Levels
    • Conclusions

  4. My talk today…

  12. Supply-Chain Lifecycle
    Dependency Confusion
    Malicious Git Hooks
    Malicious Terraform Modules

    Poisoned Pipeline
    Build Manipulation
    Build System Compromise

    Dependency Confusion
    Dependency Tampering
    Tainted nested Dependencies

    Package Integrity Attacks
    Malicious/Vulnerable Base Images
    Hash Switch Attacks

  18. Real-World Supply-Chain Attacks

  19. Stories of Compromise

  30. CI/CD Security Top 10

  31. Risks - Unsigned Container Images

  32. Malicious Terraform Modules

  33. Gitlab Includes Attack

  34. Terminology

  35. More Terminology

  36. SLSA Levels
    (The levels in this deck follow SLSA v0.1, the version current in October 2022. SLSA v1.0, released in 2023, reorganised the requirements into tracks with Build Levels 0-3 and dropped Level 4.)

  37. Purpose of SLSA
    • Secure from tampering
    • Good practices
    • Incremental
    • Automatically verifiable

  38. Provenance
    • Describes HOW an artifact or set of artifacts was produced
    • Provenance gets stricter and deeper at higher SLSA Levels
    • Single or multiple subjects being built

    Provenance is an attestation that a builder produced one or more software artifacts (subjects) by executing some invocation, using some other artifacts as input (materials). The invocation runs a buildConfig, which is a record of what was executed.

    The builder is trusted to have faithfully recorded the provenance. The build may have been performed at the request of an external, possibly untrusted entity; what that entity asked for is captured in the invocation's parameters and in some of the materials.

    The build may also have depended on environmental parameters (environment) that are needed to reproduce the build.
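As an added example (not code from this talk or from the SLSA project), the Python below builds a minimal SLSA v0.2 provenance statement for an artifact, which is what a Level 1 scripted build emits; shows the DSSE pre-authentication encoding that a Level 2 build service signs; and applies the consumer-side checks (subject digest, trusted builder, source pinned to a commit) that turn provenance into a control. The builder id, repository URI, commit and build-script name are made-up assumptions, and the artifact bytes are constructed inline. Signature verification itself is left to cosign or a DSSE verifier; the policy function runs after the envelope has been authenticated.

```python
"""Minimal SLSA v0.2 provenance: generate it for an artifact, then verify it.

Added example, not code from the talk or the SLSA project. The builder id,
repo URI, commit and build script used below are assumptions for illustration.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name, artifact, builder_id, source_uri, commit_sha1, build_script):
    """Return an in-toto Statement whose predicate is SLSA v0.2 provenance.

    This is what a Level 1 scripted build records: the subject (by digest),
    the builder, and how the build was invoked. Nothing is signed here;
    Level 2 has the build service sign the DSSE encoding (see dsse_pae).
    """
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/hypothetical/scripted-build/v1",  # assumption
            "invocation": {
                "configSource": {
                    "uri": source_uri,
                    "digest": {"sha1": commit_sha1},
                    "entryPoint": build_script,
                },
                "parameters": {},
            },
            "metadata": {
                # Honest completeness flags: a Level 1/2 build usually cannot
                # claim a complete environment or materials list.
                "completeness": {"parameters": True, "environment": False, "materials": False},
                "reproducible": False,
            },
            "materials": [{"uri": source_uri, "digest": {"sha1": commit_sha1}}],
        },
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signer signs.

    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
    Binding the payload type into the signature stops a signed blob from
    being replayed as a different kind of attestation.
    """
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def verify_provenance(statement, artifact, trusted_builders, expected_source_uri):
    """Consumer-side policy; returns a list of failures (empty means accept).

    Assumes the DSSE envelope carrying `statement` was already verified
    against the builder's key or keyless certificate.
    """
    failures = []
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != PREDICATE_TYPE:
        failures.append("unexpected statement or predicate type")
    want = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == want for s in statement.get("subject", [])):
        failures.append("artifact digest is not one of the provenance subjects")
    pred = statement.get("predicate", {})
    if pred.get("builder", {}).get("id") not in trusted_builders:
        failures.append("builder id is not trusted")
    cfg = pred.get("invocation", {}).get("configSource", {})
    if cfg.get("uri") != expected_source_uri:
        failures.append("configSource.uri does not match the expected repository")
    if not cfg.get("digest", {}).get("sha1"):
        failures.append("configSource is not pinned to a commit")
    return failures


if __name__ == "__main__":
    artifact = b"constructed build output\n"  # constructed stand-in for a real binary
    builder = "https://ci.example.com/builders/hypothetical@v1"  # assumption
    source = "git+https://git.example.com/acme/app"  # assumption
    stmt = make_provenance("app-1.0.tar.gz", artifact, builder, source, "0" * 40, "build.sh")
    body = json.dumps(stmt, separators=(",", ":")).encode()
    to_sign = dsse_pae("application/vnd.in-toto+json", body)  # what the Level 2 signer signs
    print(len(to_sign), "bytes to sign;", "policy failures:", verify_provenance(stmt, artifact, {builder}, source))
```

The policy deliberately checks the artifact's own digest against the subject list rather than trusting the subject name: a signed provenance for a different build of the same package name must not be accepted, and a builder id outside the allow-list must fail even when the signature is valid.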

  44. How does SBOM fit in here?
    [Diagram: three SBOM labels and three Sig (signature) labels]

  51. SLSA Level 0

  53. SLSA Level 1
    • Scripted Build
    • Automated Provenance Generation
    • Identifies Artifact, Builder and Instructions

  54. Implementation: Level 1

  55. SLSA Level 2
    • Level 1 +
    • Version-controlled source
    • Authenticated Provenance: signed
    • Provenance generated by the Build Service
    • Build Service (all build steps run on a build service, not a developer workstation)

  56. Implementation: SLSA Level 2

  57. Demo - Container SBOM + Cosign

  58. SLSA Level 3
    • Level 2 +
    • Build-as-code
    • Ephemeral Environment
    • Isolated
    • Non-Falsifiable provenance
    • Verified History
    • Retained indefinitely (18 months suffices at Level 3; Level 4 sets no limit)

  59. SLSA Level 3

  60. Keyless Cosign

  61. SLSA Level 4
    • Level 3 +
    • Parameterless
    • Hermetic Builds
    • Dependencies Complete (every build input recorded in provenance)
    • Hardened Build Environments
    • Two-Person Source Review

  62. Implementation: SLSA Level 4