code bases have OSS vulnerabilities 2 % of organizations worldwide will have experienced attacks on their software supply chains by 2025 3 81 45 742 Increasingly, the software development lifecycle (SDLC) itself has become a vector for attacks. The recent Log4J, SolarWinds, Kaseya, and Codecov hacks highlight vulnerable surface areas exposed in the SDLC. 1. Sonatype, 2023 - State of the Software Supply Chain 2. Synopsys, 2022 - Open Source Security and Risk Analysis Report 3. Gartner, 2021 - How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks 4. IDC, 2022 - IDC FutureScape: Worldwide Developer and DevOps 2022 Predictions % in response to the above, by 2024, 55% of organizations will demand DevOps pipeline security to secure the software supply chain to lower the risk of compromise 4 55 Supply chain attacks are increasingly successful
vectors Standards / Tools Nearly all commercial code relies on OSS Unknown contributors expand supply chain Increased number of attack vectors Exposure level evolve, difficult to understand Growing number and of emerging standards Lack of end-to-end solutions Modern dev increase deployment frequency Lack of security automation Base image proliferation
their versions and provider, and the relationships between them How and where was the artifact created? source code, tools, build system, and individuals involved in its development Is my software artifacts impacted? what is the potential impact of each one of the vulnerabilities in my software transparency provenance context
document may contain SPDX document creation information Package information File information Snippet information Other licensing information detected Relationship between SPDX elements information Annotation information Review information Software Bill of Materials SBOM Drivers: When producing software: • License compliance • Vulnerability monitoring When selecting software: • Targeted security analysis • Policy compliance When operating software • Risk management • Independent mitigations
CRA Supply Chain Security and actors’ responsibilities (detection, reporting, mitigation) U.S. Executive Order on Improving the Nation’s Cybersecurity EO 14028 (Project plan with timeline) Supply Chain Security including SBOM Guidance on Supply Chain Security, under EO 14028 Section 4c/4d Network and Information Security Directive - NIS2 (Supply Chain Security, Incident Management including reporting (CVD)) May 12, 2021 May 5, 2022 Jan 16, 2023 Jan 23, 2023 Oct 18, 2024 NIS2 national laws Dec 15, 2020 NIS2 prop. EO 14028 NIS2 CRA RFC closed EO 14028 guidance Supply chain security guidance Supply chain mapping guidance
tools (e.g. syft, snyk) can generate either SPDX or CycloneDX formatted SBOM from artifact (container image) From Source On-demand generated from the lockfile (e.g. go.mod, pom.xml, or package-lock.json in GitHub) During Build Generated during build process by the tool creating the actual artifact (e.g. ko for Go and jib for Java)
Open Source Security Framework Standardized check-list of controls to improve integrity, prevent tampering, and secure software artifacts and infrastructure Externalization of internal framework Based on Google’s long-standing internal framework Open Governance 7 person steering committee, 4 working groups, 30+ company contributor community, under OpenSSF (Linux Foundation)
Provenance document includes Build Definition (e.g. parameters, dependencies), and Run Details (e.g. builder, metadata). To make it easier to reason about it, key characteristics of the build provenance are grouped into SLSA Levels Downstream consumers can inspect the provenance, and implement policy decisions based on the inferred level Provenance: SLSA in Practice slsa.dev
getting started Scripted build, with provenance SLSA L2 Tampering after the build Build service and signed provenance SLSA L3 Tampering during or after the build Hardened build service, isolation SLSA L4 Tampering before, during, or after the build Require two-person code review and hermetic builds Supply Chain Levels for Software Artifacts Provenance: SLSA Build Levels slsa.dev Note: Level 4 has been removed from SLSA v1.0 spec
components with a vulnerability and yet not be vulnerable itself • VEX provides context for the vulnerabilities found in software using its impact statements VULNERABILITY X [AFFECTS | DOES NOT AFFECT] SOFTWARE Y [BECAUSE OF …]
your software inventory Understand primary and transitive dependencies Discover CVEs, manage their risks Understand reachability and exploitability Protect against pipeline and distribution risks with provable integrity Enforce least privilege access Ensure everything has Identity Use binary authorization policy Create tamper evident provenance Ensure access transparency Limit exposure, blast radius Manage upstream dependencies, and automate remediation of new issues Control admission to runtime Create org-level policies to gate admission to production Generate attested evidence of compliance S3C: Practical Steps
mchmarny
rlifchitz
uhyo
seafay
seike460
yoshimi0227
subroh0508
sonic
shotatsuge
kawaguti
cheng_wei_chen
ming_ayami
ysuzuki
productmarketing
.png){kind=avatar}
helenjbeal
morganepeng
marktimemedia
aleyda
marcduiker
badams
tammyeverts
tapps
akademiya2063
