Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mitigate Attacks on your PHP Supply Chain

Mitigate Attacks on your PHP Supply Chain

When you install a JavaScript library, it usually comes with hundreds of transitive dependencies, i.e. libraries that are installed as a side effect because they are essential to the operation of the library you want to use.

This proliferation of dependencies opens the door to supply chain attacks. All it takes is for one of the repositories hosting one of these hundreds of libraries, or one of the maintainers, to be malicious, and it becomes possible to inject malware into yours, which can target you or your organization, and even the end users of your software.

As I explained back in 2018, the PHP ecosystem is slightly less susceptible to this type of attack than the JavaScript ecosystem, because maintainers of popular libraries and frameworks are relatively careful not to rely on too many third-party dependencies, which limits the problem... but doesn't totally prevent it though.

What if we could do better with our favorite library management software: Composer? During this talk, I present how supply chain attacks work, outline some organizational methods that could limit the problem, and finally, explain how to take back full control of your vendor/ folder thanks to a Composer patch I crafted for this occasion.

Kévin Dunglas

May 12, 2023

More Decks by Kévin Dunglas

Other Decks in Programming


  1. What Is a Supply Chain Attack? 02 03 OUTLINE 04

    01 The Scope of the Problem Mastering Composer to Mitigate Attacks Long-Term Solutions
  2. Kévin Dunglas ➔ Creator of API Platform / FrankenPHP /

    Mercure ➔ Symfony Core Team ➔ Co-founder of Les-Tilleuls.coop @dunglas
  3. ➔ PHP, JS and Cloud experts ➔ 100% employee-owned co-op

    ✊ ➔ Democratically managed 💬 ➔ [email protected] 💌 12 YEARS OF EXPERTISE 70 COOPERATORS 300 CUSTOMERS 50 PROJECTS/YEAR
  4. 02 03 04 01 What Is a Supply Chain Attack?

    Long-Term Solutions Mastering Composer to Mitigate Attacks The Scope of the Problem
  5. Supply Chain “A supply chain is a complex logistics system

    that consists of facilities that convert raw materials into finished products which are later distributed to end consumers.” - Wikipedia
  6. Software Supply Chain Anything that affects your software ➔ Your

    code ➔ Libraries and frameworks used by your code: Symfony, API Platform, Laravel, Doctrine… ➔ Package managers: Composer, NPM… ➔ Binaries: Linux distros, Docker containers… ➔ Build scripts ➔ Forges / CI/CD pipeline: GitHub, GitLab ➔ Hardware / Cloud Provider
  7. Supply Chain Attacks ➔ An attack that targets the less

    secure elements in the supply chain ➔ Can target any component of the chain • hardware: spying component • software: malware This talk will be focused on attacks targeting software, and especially PHP apps.
  8. ➔ The direct dependencies of your project • PHP libraries

    • JavaScript libraries • System binaries and libraries ➔ The transitive dependencies (dependencies of your dependencies) Most Common Supply Chain Attack Vectors
  9. The event-stream incident ➔ event-stream is a popular NPM package

    ➔ Used by VSCode, Vue, Angular, Gatsby… ➔ Commit right has been granted to a new maintainer ➔ The new maintainer added a dependency to the package (= unknown code) ➔ The new dependency included a crypto-coin-stealing malware 💣 Common Attacks: Package Takeover
  10. 02 03 04 01 What Is a Supply Chain Attack?

    The Scope of the Problem Long-Term Solutions Mastering Composer to Mitigate Attacks
  11. Popular PHP frameworks ➔ Symfony (minimal): 30 packages, 2 vendors

    ➔ Symfony: 125 packages, 17 vendors ➔ API Platform (minimal): 38 packages, 5 vendors ➔ API Platform: 98 packages, 20 vendors ➔ Laravel: 107 packages, 35 vendors Popular JavaScript frameworks and libraries ➔ React (Next.js): 352 packages ➔ Angular: 940 packages ➔ Vue.js: 27 packages ➔ Nuxt.js: 1279 packages Dependencies In Numbers (May 2023)
  12. Who Do You Trust? “Installing 1 average npm package introduces

    an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface.” - Markus Zimmermann and Cristian-Alexandru Staicu, TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt
  13. 03 01 The Scope of the Problem Mastering Composer to

    Mitigate Attacks 02 04 What Is a Supply Chain Attack? Long-Term Solutions
  14. ➔ 85% of vulnerabilities in FOSS are disclosed with a

    patch already available ➔ Monitor your deps: • composer audit • npm audit • Trivy • Dependabot ➔ Update as soon as possible! The Biggest Threat: Unpatched Software
  15. Carefully Choose Your Dependencies ➔ Is the package actively maintained?

    ➔ Does it have a code review process? ➔ Does it have a security policy? ➔ Is it managed by a company? By a team? By a well-known individual? ➔ Can I pay to ensure the maintenance is correctly done? ➔ Do I trust its maintainers? This matters even more for libraries, frameworks and popular projects.
  16. 03 01 Long-Term Solutions 02 04 The Scope of the

    Problem What Is a Supply Chain Attack? Mastering Composer to Mitigate Attacks