Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mitigate Attacks on your PHP Supply Chain

Kévin Dunglas
May 12, 2023
Programming
2
1.6k

Mitigate Attacks on your PHP Supply Chain

When you install a JavaScript library, it usually comes with hundreds of transitive dependencies, i.e. libraries that are installed as a side effect because they are essential to the operation of the library you want to use.

This proliferation of dependencies opens the door to supply chain attacks. All it takes is for one of the repositories hosting one of these hundreds of libraries, or one of the maintainers, to be malicious, and it becomes possible to inject malware into yours, which can target you or your organization, and even the end users of your software.

As I explained back in 2018, the PHP ecosystem is slightly less susceptible to this type of attack than the JavaScript ecosystem, because maintainers of popular libraries and frameworks are relatively careful not to rely on too many third-party dependencies, which limits the problem... but doesn't totally prevent it though.

What if we could do better with our favorite library management software: Composer? During this talk, I present how supply chain attacks work, outline some organizational methods that could limit the problem, and finally, explain how to take back full control of your vendor/ folder thanks to a Composer patch I crafted for this occasion.

Kévin Dunglas

May 12, 2023
Tweet

More Decks by Kévin Dunglas

See All by Kévin Dunglas
Develop Faster With FrankenPHP
dunglas
2
3.4k
HTTP compression in PHP and Symfony apps
dunglas
3
2.6k
How to debug Xdebug... or any other weird bug in PHP
dunglas
3
2.4k
API Platform for Laravel
dunglas
1
2.2k
Containerization Tips and Tricks for PHP apps
dunglas
4
7.4k
Front-end application development, Symfony-style(s)
dunglas
2
3.7k
Running Laravel Apps With FrankenPHP
dunglas
5
4.3k
PHP and Symfony Apps As Standalone Binaries
dunglas
3
11k
Webperf: boost your PHP apps with 103 Early Hints
dunglas
3
4.9k

Other Decks in Programming

See All in Programming
Enterprise Web App. Development (1): Build Tool Training Ver. 5
knakagawa
1
120
Jakarta EE Meets AI
ivargrimstad
0
390
KANNA Android の技術的課題と取り組み
watabee
0
140
小田原でみんなで一句詠みたいな #phpcon_odawara
stefafafan
0
350
On-the-fly Suggestions of Rewriting Method Deprecations
ohbarye
1
3.8k
RubyKaigi Dev Meeting 2025
tenderlove
1
570
Making TCPSocket.new "Happy"!
coe401_
1
2.2k
Optimizing JRuby 10
headius
0
510
2ヶ月で生産性2倍、お買い物アプリ「カウシェ」4チーム同時改善の取り組み
ike002jp
1
100
「”誤った使い方をすることが困難”な設計」で良いコードの基礎を固めよう / phpcon-odawara-2025
taniguhey
0
170
Dissecting and Reconstructing Ruby Syntactic Structures
ydah
2
1.3k
監視 やばい
syossan27
11
10k

Featured

See All Featured
Facilitating Awesome Meetings
lara
54
6.3k
A designer walks into a library…
pauljervisheath
205
24k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
23
2.7k
How to Ace a Technical Interview
jacobian
276
23k
The Cult of Friendly URLs
andyhume
78
6.3k
GraphQLとの向き合い方2022年版
quramy
46
14k
Thoughts on Productivity
jonyablonski
69
4.6k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
How GitHub (no longer) Works
holman
314
140k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.4k
The Invisible Side of Design
smashingmag
299
50k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k

Transcript

  1. Mitigate Attacks on your PHP Supply Chain

  2. What Is a Supply Chain Attack? 02 03 OUTLINE 04

    01 The Scope of the Problem Mastering Composer to Mitigate Attacks Long-Term Solutions

  3. Kévin Dunglas ➔ Creator of API Platform / FrankenPHP /

    Mercure ➔ Symfony Core Team ➔ Co-founder of Les-Tilleuls.coop @dunglas

  4. ➔ PHP, JS and Cloud experts ➔ 100% employee-owned co-op

    ✊ ➔ Democratically managed 💬 ➔ contact@les-tilleuls.coop 💌 12 YEARS OF EXPERTISE 70 COOPERATORS 300 CUSTOMERS 50 PROJECTS/YEAR

  5. 02 03 04 01 What Is a Supply Chain Attack?

    Long-Term Solutions Mastering Composer to Mitigate Attacks The Scope of the Problem

  6. Supply Chain “A supply chain is a complex logistics system

    that consists of facilities that convert raw materials into finished products which are later distributed to end consumers.” - Wikipedia

  7. Software Supply Chain Anything that affects your software ➔ Your

    code ➔ Libraries and frameworks used by your code: Symfony, API Platform, Laravel, Doctrine… ➔ Package managers: Composer, NPM… ➔ Binaries: Linux distros, Docker containers… ➔ Build scripts ➔ Forges / CI/CD pipeline: GitHub, GitLab ➔ Hardware / Cloud Provider

  8. A Modern PHP App © Sebastian Bergmann - The PHP

    Stack’s Supply Chain

  9. Software Supply Chain: The Reality © xkcd/2347

  10. PHP Supply Chain: Going Further

  11. Supply Chain Attacks ➔ An attack that targets the less

    secure elements in the supply chain ➔ Can target any component of the chain • hardware: spying component • software: malware This talk will be focused on attacks targeting software, and especially PHP apps.

  12. ➔ The direct dependencies of your project • PHP libraries

    • JavaScript libraries • System binaries and libraries ➔ The transitive dependencies (dependencies of your dependencies) Most Common Supply Chain Attack Vectors

  13. Common Attack: Malicious Package

  14. Common Attack: TypoSquatting symfont/process © Sean Murphy, kernelmode.blog

  15. The event-stream incident ➔ event-stream is a popular NPM package

    ➔ Used by VSCode, Vue, Angular, Gatsby… ➔ Commit right has been granted to a new maintainer ➔ The new maintainer added a dependency to the package (= unknown code) ➔ The new dependency included a crypto-coin-stealing malware 💣 Common Attacks: Package Takeover

  16. Result

  17. Common Attack: ProtestWare © Sean Murphy, kernelmode.blog

  18. 02 03 04 01 What Is a Supply Chain Attack?

    The Scope of the Problem Long-Term Solutions Mastering Composer to Mitigate Attacks
  19. None

  20. Popular PHP frameworks ➔ Symfony (minimal): 30 packages, 2 vendors

    ➔ Symfony: 125 packages, 17 vendors ➔ API Platform (minimal): 38 packages, 5 vendors ➔ API Platform: 98 packages, 20 vendors ➔ Laravel: 107 packages, 35 vendors Popular JavaScript frameworks and libraries ➔ React (Next.js): 352 packages ➔ Angular: 940 packages ➔ Vue.js: 27 packages ➔ Nuxt.js: 1279 packages Dependencies In Numbers (May 2023)

  21. Who Do You Trust? “Installing 1 average npm package introduces

    an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface.” - Markus Zimmermann and Cristian-Alexandru Staicu, TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt

  22. 03 01 The Scope of the Problem Mastering Composer to

    Mitigate Attacks 02 04 What Is a Supply Chain Attack? Long-Term Solutions

  23. ➔ 85% of vulnerabilities in FOSS are disclosed with a

    patch already available ➔ Monitor your deps: • composer audit • npm audit • Trivy • Dependabot ➔ Update as soon as possible! The Biggest Threat: Unpatched Software

  24. composer audit

  25. Be Careful Who You Trust

  26. Carefully Choose Your Dependencies ➔ Is the package actively maintained?

    ➔ Does it have a code review process? ➔ Does it have a security policy? ➔ Is it managed by a company? By a team? By a well-known individual? ➔ Can I pay to ensure the maintenance is correctly done? ➔ Do I trust its maintainers? This matters even more for libraries, frameworks and popular projects.

  27. Can we improve the tooling?

  28. Install Only What You Trust

  29. Composer “Trusted” Packages

  30. Composer “Trusted” Dev Packages

  31. 03 01 Long-Term Solutions 02 04 The Scope of the

    Problem What Is a Supply Chain Attack? Mastering Composer to Mitigate Attacks

  32. Long Term Solutions © Tidelift

  33. Thanks for your attention! ➔ Any questions ? dunglas.dev @dunglas