Slide 1

Slide 1 text

COSCUP 2024 OSPN Japan Special Track 2024/08/04 Let's tackle open-source supply chain issues with open source Naruhiko Ogasawara

Slide 2

Slide 2 text

Who am I Naruhiko Ogasawara ( 小笠原 徳彦 ) ● Employee of a Japanese security vendor ● Desktop open source enthusiast – Ubuntu, LibreOffice, printing ● River kayak lover

Slide 3

Slide 3 text

Supply Chain (from Wikipedia) A supply chain, sometimes expressed as a "supply-chain", is a complex logistics system that consists of facilities that convert raw materials into finished products and distribute them to end consumers or end customers. Meanwhile, supply chain management deals with the flow of goods within the supply chain in the most efficient manner.

Slide 4

Slide 4 text

”Software” Supply Chain (from Wikipedia) A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact. [Diagram labels: Library, Library, Library, Application, Container, OS, Middleware, Service]

Slide 5

Slide 5 text

Software Supply Chain Risk ● Vulnerable software components ● The injection of a backdoor by a malicious attacker

Slide 8

Slide 8 text

Vulnerable software components ● You remember the “Log4Shell” issue (CVE-2021-44228 in Apache Log4j) ● How can we identify vulnerable software within the vast web of software dependencies? – SBOM! https://xkcd.com/2347/

Slide 9

Slide 9 text

Software Bill of Materials (from Wikipedia) Software vendors often create products by assembling open source and proprietary software components. A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help organizations or persons avoid consumption of software that could harm them. [Diagram: the SBOMs of Company A and Company B are rolled into the SBOM of the final assembly company] SBOM composition ● Supplier Name ● Component Name ● Component Version ● Identifier ● Dependency ● SBOM Creator ● Timestamp
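To make the composition list concrete, here is an added example (my own code, not from the talk and not from any CycloneDX project) that checks a CycloneDX JSON SBOM for exactly those elements: a supplier, name, version and identifier (purl, CPE or SWID) on every component, a creator and timestamp at the SBOM level, and a dependency graph whose references actually resolve. The sample SBOM is constructed for this example; every gem name, version and supplier in it is fictional, and the metadata.tools entry naming cdxgen is only there to fill the creator field.

```python
import json
from datetime import datetime

# Constructed CycloneDX 1.5 JSON SBOM for a fictional Ruby application.
# Every gem name, version and supplier below is made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-08-04T01:00:00Z",                   # when the SBOM was produced
        "tools": [{"vendor": "CycloneDX", "name": "cdxgen"}],  # the SBOM creator
        "component": {"type": "application", "bom-ref": "pkg:gem/acme-web@1.0.0",
                      "name": "acme-web", "version": "1.0.0", "purl": "pkg:gem/acme-web@1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:gem/acme-http@2.3.1",
         "supplier": {"name": "Acme Corp"}, "name": "acme-http", "version": "2.3.1",
         "purl": "pkg:gem/acme-http@2.3.1"},
        # supplier not recorded
        {"type": "library", "bom-ref": "pkg:gem/acme-xml@1.16.0",
         "name": "acme-xml", "version": "1.16.0", "purl": "pkg:gem/acme-xml@1.16.0"},
        # no version and no purl: a scanner cannot match this against any advisory
        {"type": "library", "bom-ref": "acme-log", "name": "acme-log"},
        # complete, but nothing in the dependency graph refers to it
        {"type": "library", "bom-ref": "pkg:gem/acme-unused@0.1.0",
         "supplier": {"name": "Acme Corp"}, "name": "acme-unused", "version": "0.1.0",
         "purl": "pkg:gem/acme-unused@0.1.0"},
    ],
    "dependencies": [
        {"ref": "pkg:gem/acme-web@1.0.0",
         "dependsOn": ["pkg:gem/acme-http@2.3.1", "pkg:gem/acme-xml@1.16.0"]},
        # the second dependsOn entry points at a bom-ref that is not in the inventory
        {"ref": "pkg:gem/acme-http@2.3.1",
         "dependsOn": ["acme-log", "pkg:gem/acme-missing@1.0.0"]},
    ],
})


def check_component(comp: dict) -> list:
    """Return the minimum elements that are missing from one CycloneDX component."""
    missing = []
    supplier = comp.get("supplier", {}).get("name") or comp.get("author") or comp.get("publisher")
    if not supplier:
        missing.append("supplier")
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        missing.append("identifier")
    return missing


def check_sbom(sbom_json: str) -> dict:
    """Check the SBOM-level elements (creator, timestamp, dependency graph) and
    every component against the minimum elements listed on the slide."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    report = {
        "creator_present": bool(meta.get("tools") or meta.get("authors")),
        "timestamp_valid": False,
        "components": {},             # bom-ref -> list of missing elements
        "unresolved_refs": [],        # dependency refs that name no component
        "unreferenced_components": [],  # components the dependency graph never mentions
    }
    try:
        datetime.fromisoformat(meta["timestamp"].replace("Z", "+00:00"))
        report["timestamp_valid"] = True
    except (KeyError, ValueError):
        pass

    components = bom.get("components", [])
    known_refs = {c["bom-ref"] for c in components if "bom-ref" in c}
    root = meta.get("component", {}).get("bom-ref")
    if root:
        known_refs.add(root)
    for comp in components:
        missing = check_component(comp)
        if missing:
            report["components"][comp.get("bom-ref", comp.get("name", "?"))] = missing

    referenced = set()
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref")] + dep.get("dependsOn", []):
            if ref not in known_refs:
                report["unresolved_refs"].append(ref)
            referenced.add(ref)
    # in the inventory, but the graph says nothing about who pulls it in
    report["unreferenced_components"] = sorted(known_refs - referenced)
    return report


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

The two graph checks matter as much as the per-component ones: a component that no dependency entry references cannot be traced back to the package that introduced it, and a dangling ref usually means the generator saw a lock file that was out of date.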

Slide 11

Slide 11 text

Two major SBOM formats ● SPDX (System Package Data Exchange, formerly Software Package Data Exchange; standardized as ISO/IEC 5962:2021) – https://spdx.dev/ – Developed by The Linux Foundation ● CycloneDX – https://cyclonedx.org/ – Developed by OWASP

Slide 12

Slide 12 text

How to create SBOM ● Software Composition Analysis (SCA) – Software composition analysis (SCA) is a practice in the fields of Information technology and software engineering for analyzing custom-built software applications to detect embedded open-source software and detect if they are up-to-date, contain security flaws, or have licensing requirements. (wikipedia)

Slide 13

Slide 13 text

What SCA tools commonly do ● Create an SBOM by analyzing the project's declared dependencies – Java Maven, JavaScript npm, Python PyPI, Ruby Gems, … ● Some commercial (proprietary) tools can also handle source code snippets or embedded (vendored) components, which manifest-based analysis does not see

Slide 14

Slide 14 text

CycloneDX SCA families ● cdxgen – https://cyclonedx.github.io/cdxgen/#/ – https://github.com/CycloneDX/cdxgen ● Highly recommended – But in my experience, it doesn’t work on Windows

Slide 15

Slide 15 text

CycloneDX SCA families ● If cdxgen won’t work, go to https://cyclonedx.org/tool-center/, or just search for “CycloneDX <ecosystem>” (these are older tools, but they still work well enough) ● CycloneDX for Maven – https://github.com/CycloneDX/cyclonedx-maven-plugin ● CycloneDX for NPM – https://github.com/CycloneDX/cyclonedx-node-npm ● CycloneDX for Python – https://github.com/CycloneDX/cyclonedx-python ● CycloneDX for Ruby Gems – https://github.com/CycloneDX/cyclonedx-ruby-gem

Slide 16

Slide 16 text

cdxgen supports tons of platforms ● https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES

Slide 17

Slide 17 text

OWASP Dependency Track ● OWASP Dependency Track – https://dependencytrack.org/ – https://owasp.org/www-project-dependency-track/ – https://github.com/DependencyTrack/dependency-track ● Project made by OWASP ● Ingests CycloneDX SBOMs, keeps a per-project inventory of components, and continuously matches that inventory against vulnerability databases (such as the NVD), so advisories published after the upload still show up against the SBOM ● Open Source licensed under Apache License 2.0
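As a simplified illustration of the matching Dependency Track performs on an uploaded SBOM, and of the Log4Shell example from the earlier slide, here is an added example (my own code, not Dependency Track's implementation): each component's purl is parsed into a package type, name and version, and the version is tested against an advisory's [introduced, fixed) range. The advisory list is constructed for this example in a minimal OSV-like shape; the Log4Shell entry (CVE-2021-44228, log4j-core from 2.0-beta9 up to but excluding 2.15.0) is real, the gem advisory and all gem names are fictional, and the version comparison is a deliberate simplification of the ecosystem-specific rules a real scanner applies.

```python
import json
import re

# Constructed advisory list in a minimal OSV-like shape. The first entry is the real
# Log4Shell advisory (CVE-2021-44228: log4j-core from 2.0-beta9 up to but excluding
# 2.15.0); the second is a fictional advisory against a fictional gem.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl_type": "maven",
     "package": "org.apache.logging.log4j/log4j-core", "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "EXAMPLE-2024-0001", "purl_type": "gem",
     "package": "acme-xml", "introduced": "0", "fixed": "1.16.1"},
]

# Constructed CycloneDX SBOM fragment: a service that pulls in two log4j-core versions
# through different transitive paths, plus fictional gems.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "name": "acme-xml", "version": "1.16.0", "purl": "pkg:gem/acme-xml@1.16.0"},
        {"type": "library", "name": "acme-http", "version": "2.3.1", "purl": "pkg:gem/acme-http@2.3.1"},
        {"type": "library", "name": "acme-log"},   # no purl: cannot be matched at all
    ],
})


def parse_purl(purl: str) -> tuple:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (type, 'namespace/name', version); version is None when absent."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if not body.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ptype, _, rest = body[4:].partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:
        return ptype, rest, None
    return ptype, name, version


def version_key(v: str) -> list:
    """Dotted/dashed version into comparable parts: numeric parts sort as numbers and
    above any alphabetic pre-release part ('2.0-beta9' < '2.0' < '2.14.1').
    Simplification: real scanners apply ecosystem-specific version rules."""
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v)]


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts strictly before version b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))   # pad so '2.0' == '2.0.0' and '2.0-beta9' < '2.0'
    kb += [(1, 0)] * (width - len(kb))
    return ka < kb


def find_vulnerable(sbom_json: str, advisories: list) -> dict:
    """Return hits, one per (component, advisory) whose purl type and package match and
    whose version lies in [introduced, fixed), plus the components that carry no purl
    so they are not silently treated as clean."""
    hits, unmatched = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "?"))
            continue
        ptype, package, version = parse_purl(purl)
        for adv in advisories:
            if version is None or (ptype, package) != (adv["purl_type"], adv["package"]):
                continue
            if not version_lt(version, adv["introduced"]) and version_lt(version, adv["fixed"]):
                hits.append({"purl": purl, "id": adv["id"], "fixed": adv["fixed"]})
    return {"hits": hits, "unmatched": unmatched}


if __name__ == "__main__":
    print(json.dumps(find_vulnerable(SAMPLE_SBOM, ADVISORIES), indent=2))
```

The same SBOM lists log4j-core twice; only the 2.14.1 copy is reported, which is exactly the situation where a dependency graph is needed to find out which package still drags in the old version.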

Slide 19

Slide 19 text

Quick Setup: Using Docker Compose
curl -LO https://dependencytrack.org/docker-compose.yml
docker compose up -d
Once the containers are up, the frontend listens on http://localhost:8080 and the API server on http://localhost:8081. The initial login is admin / admin and you are forced to change the password on first login; for uploads from scripts, create an API key for a team (Administration > Access Management > Teams) instead of reusing the admin account.

Slide 20

Slide 20 text

Creating SBOM from Ruby code
npm install -g @cyclonedx/cdxgen
cd /path/to/rubyproject
cdxgen -t ruby -o bom.json
*) Of course, the Ruby project's dependencies must be managed with Bundler so that a Gemfile.lock exists: cdxgen enumerates the gems from the lock file, so without it (or with a stale one) the transitive gems will be missing from the SBOM.
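The last step of the procedure, getting the bom.json produced above into the Dependency Track instance from the Docker Compose setup, is usually automated rather than done through the web UI. Here is an added example (my own code, not part of the talk or of Dependency Track) that uses the PUT /api/v1/bom endpoint with the SBOM base64-encoded in the JSON body, then polls GET /api/v1/bom/token/{token} until the server has finished processing. The API URL (port 8081 of the Compose setup), the project name and version, and an API key from a team with the BOM_UPLOAD and PROJECT_CREATION_UPLOAD permissions are assumptions you have to supply; the SBOM bytes used in the usage note are constructed.

```python
import base64
import json
import sys
import time
import urllib.request

# Assumptions, not taken from the slides: the API server is the one started by the
# docker-compose file (frontend on 8080, API on 8081), and the API key belongs to a team
# holding the BOM_UPLOAD and PROJECT_CREATION_UPLOAD permissions.
API_URL = "http://localhost:8081"


def validate_bom(bom_bytes: bytes) -> int:
    """Refuse to upload anything that is not a CycloneDX JSON document.
    Returns the component count so the caller can catch an empty SBOM."""
    try:
        bom = json.loads(bom_bytes)
    except ValueError as exc:
        raise ValueError("SBOM is not valid JSON") from exc
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM (bomFormat missing or wrong)")
    return len(bom.get("components", []))


def build_upload_request(bom_bytes: bytes, project_name: str, project_version: str,
                         api_key: str, api_url: str = API_URL) -> dict:
    """PUT /api/v1/bom takes a JSON body with the SBOM base64-encoded in `bom`;
    autoCreate makes the server create the project on its first upload."""
    payload = {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }
    return {
        "url": f"{api_url}/api/v1/bom",
        "method": "PUT",
        "headers": {"Content-Type": "application/json", "X-Api-Key": api_key},
        "body": json.dumps(payload).encode("utf-8"),
    }


def decode_upload_body(spec: dict) -> dict:
    """Parse a request built above and return the payload with `bom` decoded back to
    bytes (useful for logging what is about to be sent without the base64 blob)."""
    payload = json.loads(spec["body"])
    payload["bom"] = base64.b64decode(payload["bom"])
    return payload


def send(spec: dict) -> dict:
    """Send one request spec to Dependency Track and return the decoded JSON response."""
    req = urllib.request.Request(spec["url"], data=spec["body"], method=spec["method"],
                                 headers=spec["headers"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def upload_and_wait(bom_path: str, project_name: str, project_version: str, api_key: str,
                    api_url: str = API_URL, poll_seconds: float = 2.0, max_polls: int = 60) -> str:
    """Upload the SBOM, then poll GET /api/v1/bom/token/{token} until the server has
    finished processing it (component resolution and vulnerability analysis)."""
    with open(bom_path, "rb") as fh:
        bom_bytes = fh.read()
    if validate_bom(bom_bytes) == 0:
        raise ValueError("SBOM lists no components; check that Gemfile.lock was present")
    token = send(build_upload_request(bom_bytes, project_name, project_version, api_key, api_url))["token"]
    status_spec = {"url": f"{api_url}/api/v1/bom/token/{token}", "method": "GET",
                   "headers": {"X-Api-Key": api_key}, "body": None}
    for _ in range(max_polls):
        if not send(status_spec).get("processing", False):
            return token
        time.sleep(poll_seconds)
    raise TimeoutError(f"Dependency Track is still processing upload {token}")


if __name__ == "__main__":
    # usage: python upload_bom.py bom.json acme-web 1.0.0 "$DT_API_KEY"
    if len(sys.argv) != 5:
        sys.exit("usage: upload_bom.py <bom.json> <project name> <project version> <api key>")
    print("processed, token:", upload_and_wait(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]))
```

Waiting for the token matters in CI: the upload returns immediately, and the vulnerability findings for the new components only exist after processing has finished, so a job that queries the project right after the PUT will read stale results.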

Slide 21

Slide 21 text

Live Demo Time...

Slide 22

Slide 22 text

Conclusion ● Software supply chain risk is a widely recognized concern nowadays ● One of those risks is vulnerabilities introduced through dependencies ● An SBOM gives you an inventory of those dependencies ● OWASP Dependency Track can visualize and analyze SBOMs ● Together they make it easy to find vulnerabilities introduced by dependencies, provided the SBOM is complete and its component identifiers (purls) are accurate