Mitigate Attacks on your PHP Supply Chain

by Kévin Dunglas

Slide 1

Slide 1 text

Slide 2

Slide 2 text

What Is a Supply Chain Attack? 02 03 OUTLINE 04 01 The Scope of the Problem Mastering Composer to Mitigate Attacks Long-Term Solutions

Slide 3

Slide 3 text

Kévin Dunglas ➔ Creator of API Platform / FrankenPHP / Mercure ➔ Symfony Core Team ➔ Co-founder of Les-Tilleuls.coop @dunglas

Slide 4

Slide 4 text

➔ PHP, JS and Cloud experts ➔ 100% employee-owned co-op ✊ ➔ Democratically managed 💬 ➔ [email protected] 💌 12 YEARS OF EXPERTISE 70 COOPERATORS 300 CUSTOMERS 50 PROJECTS/YEAR

Slide 5

Slide 5 text

02 03 04 01 What Is a Supply Chain Attack? Long-Term Solutions Mastering Composer to Mitigate Attacks The Scope of the Problem

Slide 6

Slide 6 text

Supply Chain “A supply chain is a complex logistics system that consists of facilities that convert raw materials into ﬁnished products which are later distributed to end consumers.” - Wikipedia

Slide 7

Slide 7 text

Software Supply Chain Anything that aﬀects your software ➔ Your code ➔ Libraries and frameworks used by your code: Symfony, API Platform, Laravel, Doctrine… ➔ Package managers: Composer, NPM… ➔ Binaries: Linux distros, Docker containers… ➔ Build scripts ➔ Forges / CI/CD pipeline: GitHub, GitLab ➔ Hardware / Cloud Provider

Slide 8

Slide 8 text

A Modern PHP App © Sebastian Bergmann - The PHP Stack’s Supply Chain

Slide 9

Slide 9 text

Software Supply Chain: The Reality © xkcd/2347

Slide 10

Slide 10 text

PHP Supply Chain: Going Further

Slide 11

Slide 11 text

Supply Chain Attacks ➔ An attack that targets the less secure elements in the supply chain ➔ Can target any component of the chain ● hardware: spying component ● software: malware This talk will be focused on attacks targeting software, and especially PHP apps.

Slide 12

Slide 12 text

➔ The direct dependencies of your project ● PHP libraries ● JavaScript libraries ● System binaries and libraries ➔ The transitive dependencies (dependencies of your dependencies) Most Common Supply Chain Attack Vectors

Slide 13

Slide 13 text

Common Attack: Malicious Package

Slide 14

Slide 14 text

Common Attack: TypoSquatting symfont/process © Sean Murphy, kernelmode.blog

Slide 15

Slide 15 text

The event-stream incident ➔ event-stream is a popular NPM package ➔ Used by VSCode, Vue, Angular, Gatsby… ➔ Commit right has been granted to a new maintainer ➔ The new maintainer added a dependency to the package (= unknown code) ➔ The new dependency included a crypto-coin-stealing malware 💣 Common Attacks: Package Takeover

Slide 16

Slide 16 text

Result

Slide 17

Slide 17 text

Common Attack: ProtestWare © Sean Murphy, kernelmode.blog

Slide 18

Slide 18 text

02 03 04 01 What Is a Supply Chain Attack? The Scope of the Problem Long-Term Solutions Mastering Composer to Mitigate Attacks

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Popular PHP frameworks ➔ Symfony (minimal): 30 packages, 2 vendors ➔ Symfony: 125 packages, 17 vendors ➔ API Platform (minimal): 38 packages, 5 vendors ➔ API Platform: 98 packages, 20 vendors ➔ Laravel: 107 packages, 35 vendors Popular JavaScript frameworks and libraries ➔ React (Next.js): 352 packages ➔ Angular: 940 packages ➔ Vue.js: 27 packages ➔ Nuxt.js: 1279 packages Dependencies In Numbers (May 2023)

Slide 21

Slide 21 text

Who Do You Trust? “Installing 1 average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface.” - Markus Zimmermann and Cristian-Alexandru Staicu, TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt

Slide 22

Slide 22 text

03 01 The Scope of the Problem Mastering Composer to Mitigate Attacks 02 04 What Is a Supply Chain Attack? Long-Term Solutions

Slide 23

Slide 23 text

➔ 85% of vulnerabilities in FOSS are disclosed with a patch already available ➔ Monitor your deps: ● composer audit ● npm audit ● Trivy ● Dependabot ➔ Update as soon as possible! The Biggest Threat: Unpatched Software

Slide 24

Slide 24 text

composer audit

Slide 25

Slide 25 text

Be Careful Who You Trust

Slide 26

Slide 26 text

Carefully Choose Your Dependencies ➔ Is the package actively maintained? ➔ Does it have a code review process? ➔ Does it have a security policy? ➔ Is it managed by a company? By a team? By a well-known individual? ➔ Can I pay to ensure the maintenance is correctly done? ➔ Do I trust its maintainers? This matters even more for libraries, frameworks and popular projects.

Slide 27

Slide 27 text

Can we improve the tooling?

Slide 28

Slide 28 text

Install Only What You Trust

Slide 29

Slide 29 text

Composer “Trusted” Packages

Slide 30

Slide 30 text

Composer “Trusted” Dev Packages

Slide 31

Slide 31 text

03 01 Long-Term Solutions 02 04 The Scope of the Problem What Is a Supply Chain Attack? Mastering Composer to Mitigate Attacks