Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Flaming Hot SLSA!

Abhay Bhargav
October 24, 2022
Technology
1
620

Flaming Hot SLSA!

The Supply-Chain Levels for Software Artifacts is a great way to benchmark an organization's Supply-Chain Security. In this age of rising supply-chain attacks, it becomes imperative for organizations to approach Supply-Chain Security with a practical yet, comprehensive approach. I strongly believe the SLSA is useful for companies to get there.

This is a slide-deck of a talk I gave to the engineering team at Github. As part of their Day of Learning

Abhay Bhargav

October 24, 2022
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Secure by Design - Across the Stack
abhaybhargav
0
140
Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav
abhaybhargav
0
610
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
100
SecAppDev 2022 - Everything as code
abhaybhargav
0
130
Hook, Line and Sinker - Pillaging API Webhooks
abhaybhargav
0
810
DevSecOops - Stories of DevSecOps Failures and Success
abhaybhargav
0
1.6k
Practical DevSecOps Pipelines
abhaybhargav
1
350
A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle
abhaybhargav
0
300
Agile Threat Modeling-as-Code
abhaybhargav
2
730

Other Decks in Technology

See All in Technology
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
720
フルカイテン株式会社 採用資料
fullkaiten
0
40k
AGIについてChatGPTに聞いてみた
blueb
0
130
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
The Rise of LLMOps
asei
6
1.3k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Building Adaptive Systems
keathley
38
2.3k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Building Applications with DynamoDB
mza
90
6.1k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
860
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Building Your Own Lightsaber
phodgson
103
6.1k

Transcript

  1. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Flaming Hot SLSA! Abhay

    Bhargav

  2. abhaybhargav Yours Truly • Founder @ AppSecEngineer • Cloud and

    AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide

  3. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Agenda • The Supply-Chain

    Problem • Real-world examples of Supply-Chain Attacks • SLSA - A possible solution • SLSA Levels • Conclusions

  4. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  5. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  6. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  7. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  8. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  9. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  10. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  11. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer My talk today…

  12. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Supply-Chain Lifecycle

  13. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Supply-Chain Lifecycle

  14. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Supply-Chain Lifecycle Dependency Confusion

    Malicious Git Hooks Malicious Terraform Modules

  15. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Supply-Chain Lifecycle Dependency Confusion

    Malicious Git Hooks Malicious Terraform Modules Poisoned Pipeline Build Manipulation Build System Compromise

  16. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Supply-Chain Lifecycle Dependency Confusion

    Malicious Git Hooks Malicious Terraform Modules Poisoned Pipeline Build Manipulation Build System Compromise Dependency Confusion Dependency Tampering Tainted nested Dependencies

  17. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Supply-Chain Lifecycle Dependency Confusion

    Malicious Git Hooks Malicious Terraform Modules Poisoned Pipeline Build Manipulation Build System Compromise Dependency Confusion Dependency Tampering Tainted nested Dependencies Package Integrity Attacks Malicious/Vulnerable Base Images Hash Switch Attacks

  18. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Real-World Supply-Chain Attacks

  19. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  20. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  21. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  22. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  23. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  24. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  25. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  26. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  27. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  28. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  29. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Stories of Compromise

  30. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer CI/CD Security Top 10

  31. Risks - Unsigned Container Images

  32. Malicious Terraform Modules

  33. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Gitlab Includes Attack

  34. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Terminology

  35. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer More Terminology

  36. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Levels

  37. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Purpose of SLSA •

    Secure from tampering • Good practices • Incremental • Automatically veri fi able

  38. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Provenance

  39. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Provenance • Describes HOW

    an artifact/set of artefacts was produced

  40. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Provenance • Describes HOW

    an artifact/set of artefacts was produced • Provenance goes stricter and deeper in higher SLSA Levels

  41. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Provenance • Describes HOW

    an artifact/set of artefacts was produced • Provenance goes stricter and deeper in higher SLSA Levels • Single or Multiple Subjects being built

  42. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Provenance • Describes HOW

    an artifact/set of artefacts was produced • Provenance goes stricter and deeper in higher SLSA Levels • Single or Multiple Subjects being built Provenance is an attestation that a builder produced one or more software artifacts or subjects, 
 using some other artifacts as input (materials) By executing some invocation that runs a buildCon fi g, 
 which is a record of what was executed. 
 
 The builder is trusted to have faithfully recorded the 
 provenance. It may even have been performed at the request 
 of an external, possibly untrusted entity. These parameters are 
 captured in the invocation’s parameters and 
 some of the materials The build may have depended on various environmental 
 parameters (environment) that are needed for reproducing the 
 build.

  43. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Provenance

  44. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here?

  45. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here? SBOM

  46. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here? SBOM SBOM

  47. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here? SBOM SBOM SBOM

  48. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here? SBOM SBOM SBOM Sig

  49. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here? SBOM SBOM SBOM Sig Sig

  50. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer How does SBOM fit

    in here? SBOM SBOM SBOM Sig Sig Sig

  51. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 0

  52. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 0

  53. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 1 •

    Scripted Build • Automated Provenance Generation • Identi fi es Artifact, Builder and Instructions

  54. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Implementation: Level 1

  55. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 2 •

    Level 1 + • Authenticated Provenance: with Signatures • Provenance generated by Build Service • Build Service

  56. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Implementation: SLSA Level 2

  57. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Demo - Container SBOM

    + Cosign

  58. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 3 •

    Level 2+ • Build-as-code • Ephemeral Environment • Isolated • Non-Falsi fi able • Veri fi able History • Retained Inde fi nitely - 18 months

  59. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 3

  60. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Keyless Cosign

  61. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer SLSA Level 4 •

    Level 3 + • Parameterless • Hermetic Builds • Completed Dependencies • Hardened Build Environments • Two Person Source Review

  62. Copyright © AppSecEngineer 2022 abhaybhargav AppSecEngineer Implementation: SLSA Level 4