
Securing Supply Chains


An overview of supply chain attacks and means of defense. (OWASP Saitama MTG #7, talk #1)

Takahiro Yoshimura

March 29, 2022


Transcript

  1. TEXT WHO I AM
     ▸ Takahiro Yoshimura (@alterakey)
       https://keybase.io/alterakey
     ▸ Monolith Works Inc.
       Co-founder, CTO
       Security researcher
     ▸ Meiji University Cybersecurity Laboratory
       Visiting researcher
  2. TEXT WHAT I DO
     ▸ Security research and development
     ▸ iOS/Android Apps
       → Financial, Games, IoT related, etc. (>200)
       → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
     ▸ Windows/Mac/Web/HTML5 Apps
       → POS, RAD tools etc.
     ▸ Network/Web penetration testing
       → PCI-DSS etc.
     ▸ Search engine reconnaissance
       (aka. Google Hacking)
     ▸ Whitebox testing
     ▸ Forensic analysis
  3. TEXT WHAT I DO
     ▸ CTF
     ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: Won
     ▸ METI CTFCJ 2012: 3rd
     ▸ DEF CON 21 CTF: 6th
     ▸ DEF CON 22 OpenCTF: 4th
     ▸ Presentations, talks, etc.
       DEF CON 25 Demo Labs (2017)
       DEF CON 27 AI Village (2019)
       CODE BLUE (2017, 2019)
       CYDEF (2020) etc.
     Image by Wiyre Media on flickr, CC-BY 2.0
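  4. TEXT BACKGROUND
     ▸ Russia's invasion of Ukraine
     ▸ Condemnation from the international community
     ▸ Economic sanctions by the international community
     ▸ Exclusion from SWIFT
     ▸ Tightened restrictions on remittances and exports
     ▸ Asset freezes etc.
     Image by Travis Wiens on flickr, CC-BY-NC-ND 2.0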
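  5. TEXT “PROTESTWARE”
     ▸ A generic term for software that carries out protest activity
     ▸ A so-called logic bomb
     ▸ Displays a message, stops working:
       → The Marak Squires incident: faker.js, colors.js
     ▸ Carries out destructive activity:
       → node-ipc
       → Has the same aspect as a so-called "cyber weapon"
     Image by Chad Davis on flickr, CC-BY-SA 2.0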
  6. TEXT “PROTESTWARE”
     ▸ There may also be a cultural background
     ▸ core.js, jss, nodemon, styled-components, pouchdb … is the terminal an advertising space?
     ▸ This is stirring up debate
     ▸ Funding (ad library):
       https://github.com/feross/funding
     ▸ CLI ad blocker:
       https://github.com/kethinov/no-cli-ads
     Image by Chad Davis on flickr, CC-BY-SA 2.0
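  7. TEXT DEPENDENCY MANAGEMENT
     ▸ Dependencies
     ▸ Libraries a program uses, in general
     ▸ Nowadays managed through package systems
     ▸ Python: pip etc.
     ▸ JS: npm, yarn, etc.
     ▸ Tendency to bloat
       Especially in JS, with its tendency to use nano-packages
     Image by keso s on flickr, CC-BY-NC-ND 2.0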
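  8. TEXT SUPPLY CHAIN ATTACKS
     ▸ Attacks that target dependencies
     ▸ Mistyped library names
     ▸ Hijacking of scoped libraries
     ▸ Improper modification through takeover of a developer account
     ▸ Improper modification by the developers themselves (→ betrayal)
     Image by Richard Says on flickr, CC-BY-NC-ND 2.0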
  9. TEXT TYPOSQUATTING
     ▸ Mistyped library names
     ▸ Similar-looking names are registered in advance, e.g.
     ▸ cross-env (←crossenv)
     ▸ python3-dateutil (←python-dateutil)
     ▸ aiosocks5 (←aiosocks)
     ▸ etc.
     Image by XJ on flickr, CC-BY-NC 2.0
  10. TEXT DEPENDENCY CONFUSION
     ▸ Hijacking of scoped libraries
     ▸ The same name is registered in the public space, e.g.
     ▸ core-tracing (←@azure/…)
     ▸ In-house libraries
     ▸ etc.
     Image by MShukla Photography on flickr, CC-BY-NC-ND 2.0
  11. TEXT ACCOUNT TAKEOVER
     ▸ Seize control of a package and insert malicious code
     ▸ coa (2018)
     ▸ In 2818 npm accounts:
       use of expired e-mail addresses
     ▸ Existence of vulnerabilities in npm/PyPI
     Image by Tim Vrtiska on flickr, CC-BY-ND 2.0
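  12. TEXT CLEANING..?
     ▸ A scene of carnage… efforts toward cleaning it up:
     ▸ JS: package reporting
       There is even an effort that recommends removal, aimed mainly at nano-packages
     ▸ Python: no reporting mechanism, but occasional mass takedowns
     ▸ Not something to rely on → self-defense is necessary
     Image by ryan harvey on flickr, CC-BY-SA 2.0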
  13. TEXT DEFENSIVE MEASURES
     ▸ Typosquatting/account takeover/sabotage:
     ▸ SBOM (Software Bill of Materials)
     ▸ A pinned dependency graph
     ▸ Python: poetry / pip-tools
     ▸ JS: package lock + npm ci
     Image by Jazz DiMauro on flickr, CC-BY-NC-ND 2.0
  14. TEXT PYTHON: POETRY
     ▸ A new package system
     ▸ pyproject.toml
     ▸ Dependency management
     ▸ venv management
     ▸ Project template generation etc, etc.
     ▸ All in one; generally well regarded
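  15. TEXT PYTHON: PIP-TOOLS
     ▸ pip-compile / pip-sync
     ▸ Generates and applies requirements.txt-compatible files with pinned versions
       → pip freeze can do this too, but it was hard to use…
     ▸ Can also pin hashes, for pip 8.0 and later
     ▸ Also supports pyproject.toml
       (→ a savior if you do not want to use poetry)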
  16. TEXT JS: PACKAGE LOCK + NPM CI
     ▸ npm ci: installs according to the lock file
  17. TEXT DEFENSIVE MEASURES
     ▸ Dependency confusion
     ▸ SBOM + if a private index exists, use it in preference
     ▸ Private index
     ▸ Python: private-pypi etc.
     ▸ JS: verdaccio etc.
     Image by Jazz DiMauro on flickr, CC-BY-NC-ND 2.0
  18. TEXT TAKEAWAYS
     ▸ Problems lurking in the FLOSS ecosystem
     ▸ It fundamentally runs on goodwill
     ▸ Attacks that exploit the ecosystem's problems are supply chain attacks
     ▸ typosquatting
     ▸ dep. confusion
     ▸ Account takeover
     ▸ Deliberate sabotage
     Image by Richard Says on flickr, CC-BY-NC-ND 2.0
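  19. TEXT TAKEAWAYS
     ▸ Accurately understanding and maintaining your SBOM is what matters
     ▸ SBOM: a pinned dependency graph
     ▸ If you use a private index, always give it top priority
     ▸ There have been incidents, but the toolchain is now coming together
     ▸ Python: pip-tools / poetry
     ▸ JS: package lock + npm ci
     Image by Jazz DiMauro on flickr, CC-BY-NC-ND 2.0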
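
An added example, not part of the original deck: a small linter for the pinned, hash-locked requirements files that slides 13, 15 and 19 recommend, which also flags `--extra-index-url` in line with the private-index advice on slide 17. The sample file, its host name and the digests are constructed placeholders.

```python
import re

H = "0" * 64  # constructed placeholder digest, not a real package hash
# Constructed sample in the layout `pip-compile --generate-hashes` writes.
SAMPLE = "\n".join([
    "--index-url https://pypi.internal.example/simple",  # hypothetical host
    "--extra-index-url https://pypi.org/simple",
    "requests==2.27.1 \\",
    f"    --hash=sha256:{H} \\",
    f"    --hash=sha256:{H}",
    "    # via -r requirements.in",
    "urllib3>=1.26.8 \\",
    f"    --hash=sha256:{H}",
    "idna==3.3",
])

PIN_RE = re.compile(r"^[A-Za-z0-9][\w.-]*(\[[^\]]*\])?\s*==\s*[^\s;*=]+(?=\s|;|$)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")

def logical_lines(text):
    """Strip comments and join backslash-continued lines into one entry."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit(text):
    """Map each entry that is not reproducibly pinned to the reason."""
    findings = {}
    for line in logical_lines(text):
        if line.startswith("--extra-index-url"):
            # pip gives no index priority: a same-named public package can win.
            findings[line] = "extra index is searched alongside the primary one"
        elif line.startswith("-"):
            continue  # other option lines (-r, --index-url, ...)
        else:
            name = re.split(r"[\s=<>!~\[;@]", line, maxsplit=1)[0]
            if not PIN_RE.match(line):
                findings[name] = "not pinned with =="
            elif not HASH_RE.search(line):
                findings[name] = "pinned, but no sha256 hash"
    return findings

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE).items():
        print(f"{entry}: {reason}")
```

Run in CI before the install step, a non-empty result means the file no longer describes one fixed dependency graph.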