Flaming Hot SLSA!

The Supply-Chain Levels for Software Artifacts (SLSA) is a great way to benchmark an organization's supply-chain security. In this age of rising supply-chain attacks, it is imperative for organizations to approach supply-chain security with a practical yet comprehensive approach. I strongly believe SLSA is useful for companies to get there.

This is the slide deck of a talk I gave to the engineering team at GitHub as part of their Day of Learning.

Abhay Bhargav

October 24, 2022

Transcript

  1. abhaybhargav – Yours Truly • Founder @ AppSecEngineer • Cloud and AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  2. Copyright © AppSecEngineer 2022 – abhaybhargav / AppSecEngineer – Agenda • The Supply-Chain Problem • Real-world examples of Supply-Chain Attacks • SLSA – A possible solution • SLSA Levels • Conclusions
  3. Supply-Chain Lifecycle • Dependency Confusion • Malicious Git Hooks • Malicious Terraform Modules • Poisoned Pipeline • Build Manipulation • Build System Compromise
  4. Supply-Chain Lifecycle (continued) • Dependency Confusion • Malicious Git Hooks • Malicious Terraform Modules • Poisoned Pipeline • Build Manipulation • Build System Compromise • Dependency Confusion • Dependency Tampering • Tainted Nested Dependencies
  5. Supply-Chain Lifecycle (continued) • Dependency Confusion • Malicious Git Hooks • Malicious Terraform Modules • Poisoned Pipeline • Build Manipulation • Build System Compromise • Dependency Confusion • Dependency Tampering • Tainted Nested Dependencies • Package Integrity Attacks • Malicious/Vulnerable Base Images • Hash Switch Attacks
  6. Purpose of SLSA • Secure from tampering • Good practices • Incremental • Automatically verifiable
  7. Provenance • Describes HOW an artifact (or set of artifacts) was produced • Provenance gets stricter and deeper at higher SLSA Levels
  8. Provenance (continued) • Describes HOW an artifact (or set of artifacts) was produced • Provenance gets stricter and deeper at higher SLSA Levels • Single or multiple subjects being built
  9. Provenance (continued) • Describes HOW an artifact (or set of artifacts) was produced • Provenance gets stricter and deeper at higher SLSA Levels • Single or multiple subjects being built

     Provenance is an attestation that a builder produced one or more software artifacts, or subjects, using some other artifacts as input (materials), by executing some invocation that runs a buildConfig, which is a record of what was executed. The builder is trusted to have faithfully recorded the provenance. The build may even have been performed at the request of an external, possibly untrusted entity; these parameters are captured in the invocation's parameters and in some of the materials. The build may have depended on various environmental parameters (environment) that are needed for reproducing the build.
  10. SLSA Level 1 • Scripted Build • Automated Provenance Generation • Identifies Artifact, Builder and Instructions
  11. SLSA Level 2 • Level 1 + • Authenticated Provenance: with Signatures • Provenance generated by Build Service • Build Service
  12. SLSA Level 3 • Level 2 + • Build-as-code • Ephemeral Environment • Isolated • Non-Falsifiable • Verifiable History • Retained Indefinitely – 18 months
  13. SLSA Level 4 • Level 3 + • Parameterless • Hermetic Builds • Completed Dependencies • Hardened Build Environments • Two-Person Source Review
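The provenance fields named on slide 9 (subject, builder, invocation with its configSource, parameters and environment, buildConfig, materials), the signed "authenticated provenance" of Level 2 (slide 11) and the "parameterless" requirement of Level 4 (slide 13) are easier to reason about when they are written out. The following is an added example, not code from the talk, from SLSA or from any build service: it emits an in-toto Statement with an SLSA provenance v0.2 predicate for a constructed artifact, wraps it in a DSSE envelope, and shows the checks a consumer performs before trusting the artifact. All URIs, the commit id and the builder id are placeholders, and the signature uses HMAC-SHA256 with a shared key as a stand-in for the asymmetric signature (or Sigstore certificate) a real build service would use, so the block runs offline with only the standard library.

```python
"""Added example: SLSA v0.2 provenance, DSSE envelope and consumer-side checks."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs (not from any real build): the artifact a pretend
# builder produced, where its source came from, and who the builder is.
ARTIFACT = b"#!/bin/sh\necho hello from the build\n"
ARTIFACT_NAME = "hello.sh"
SOURCE_URI = "git+https://example.com/org/repo@refs/heads/main"  # placeholder
SOURCE_COMMIT = "0" * 40                                          # placeholder sha1
BUILDER_ID = "https://example.com/builders/ci@v1"                 # placeholder
# Stand-in for the build service's private key. A real Level 2 builder signs with
# an asymmetric key or a Sigstore-issued certificate; HMAC keeps this offline.
SIGNING_KEY = b"demo-only-shared-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name: str, artifact: bytes, parameters=None) -> dict:
    """in-toto Statement carrying an SLSA provenance v0.2 predicate: who built
    what (subject, builder), from which inputs (configSource, materials), with
    which invocation parameters/environment, and the buildConfig that ran."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "buildType": "https://example.com/build-types/shell@v1",  # placeholder
            "invocation": {
                "configSource": {"uri": SOURCE_URI, "digest": {"sha1": SOURCE_COMMIT},
                                 "entryPoint": "build.sh"},
                "parameters": parameters or {},
                "environment": {"arch": "amd64"},
            },
            "buildConfig": {"steps": [["sh", "build.sh"]]},
            "metadata": {"completeness": {"parameters": True, "environment": True,
                                          "materials": True}, "reproducible": False},
            "materials": [{"uri": SOURCE_URI, "digest": {"sha1": SOURCE_COMMIT}}],
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding. Signing this rather than the bare payload
    binds the payload type to the bytes, so a signature cannot be replayed under
    a different payload type."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sign_envelope(statement: dict, key: bytes) -> dict:
    """Wrap the statement in a DSSE envelope signed by the builder (Level 2)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}]}


def verify_artifact(envelope: dict, artifact_name: str, artifact: bytes, key: bytes,
                    trusted_builders: set, expected_source: str) -> list:
    """Consumer-side policy. Returns the list of failures; an empty list means accept."""
    failures = []
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        return ["signature does not verify"]  # nothing inside can be trusted
    stmt = json.loads(payload)
    if stmt.get("predicateType") != PREDICATE_TYPE:
        return ["unexpected predicate type"]
    digest = sha256_hex(artifact)
    if not any(s["name"] == artifact_name and s["digest"].get("sha256") == digest
               for s in stmt["subject"]):
        failures.append("artifact digest not among provenance subjects")
    pred = stmt["predicate"]
    if pred["builder"]["id"] not in trusted_builders:
        failures.append("builder not trusted")
    if pred["invocation"]["configSource"]["uri"] != expected_source:
        failures.append("built from unexpected source")
    if pred["invocation"]["parameters"]:  # Level 4: no caller-supplied parameters
        failures.append("build accepted caller-supplied parameters")
    return failures


def demo(parameters=None) -> list:
    """Build, sign and verify the sample artifact; returns the policy failures."""
    env = sign_envelope(make_provenance(ARTIFACT_NAME, ARTIFACT, parameters), SIGNING_KEY)
    return verify_artifact(env, ARTIFACT_NAME, ARTIFACT, SIGNING_KEY, {BUILDER_ID}, SOURCE_URI)


if __name__ == "__main__":
    print("clean build:", demo() or "accepted")
    print("parameterised build:", demo({"release": True}))
```

The order of checks in `verify_artifact` is the point: the signature is checked first, over the PAE-encoded payload, and nothing in the statement is read until it passes; only then are the subject digest, the builder identity, the source and the invocation parameters compared against the consumer's policy. Swapping one byte of the artifact, presenting a different key, or naming a builder outside the trusted set each produces a distinct failure.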