B.Sc. 🤖, Automotive Software Engineering M.Sc 🚗. • Software developer & Product owner at a startup in München • Started as Java backend engineer. • Transitioned to DevOps and Cloud ☁
chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact.” (Wikipedia) (Google Cloud Events)
Wu and Kangjie Lu University of Minnesota) • ”How hard it is to sneak a vulnerability into Linux Kernel code?” • Vulnerability is formed by multiple conditions, located at different parts of the code base • A hypocrite commit fixes a seemingly minor issue, but in reality is the missing condition to form a vulnerability
network • 2FA authentication enforced (UI) • Stay up to date • Developer access over SSH keys => rotate regularly • Machine/service access via ephemeral credentials • Repository best practices • Four-eyes principle • Use (secret) scanners in pre-commit/receive hooks • Define CODEOWNERS • Source Code Integrity • Signed Commits • Integrity: an unbroken chain of trust during build and deployment time • Imlemented using cryptographic signatures. MITIGATING SOURCE THREATS
1.9mio weekly downloads. Maintainer is busy, no meaningful updates in years • A contributor volunteers and takes over. • Contributor takes ownership on npm • Adds support for flat-map • A week later removes dependency and adds built-in implementation. Bumps major version making sure many are left behind using the previous infected versin. • The flat-map library • LGTM on GitHub, although 1 contributor • However, the version published to npm snuck some additional code into the minified file • In there there is an additional test/data.js. This is encrypted, but the npm_package_description as the AES256 key is used to decrypt it. • For the vast majority of parent packages, this will result in an error (which the malicious code silently catches and ignores), since their package description won’t be the correct AES256 key and the output will be nonsense. • targeted package: copay-dash, a bitcoin wallet platform. Its description, "A Secure Bitcoin Wallet", successfully decrypts the test/data.js • Then another round of decryption is used to finally steal your bitcoin wallet…
of signatures published on remote repositories as ASCII-armored PGP files • Not all artifacts are published with signatures • Gradle will try to download the corresponding .asc file. If present, downloads the keys required to perform verification and then verifies the signature.
OWASP dependency check (“DependencyCheck”) • Maven/Gradle plugin • (commercial) Snyk • Dependency upgrade • Dependabot, renovate • Open Source Insights (https://deps.dev/) • A web site that provides information about known direct and indirect dependencies, known vulnerabilities, and license information for open source software. • Data available as a Google Cloud Dataset => Use BigQuery to explore and analyse data. • Open Source Vulnerabilities database (https://osv.dev/) • A searchable vulnerability database
Solution • Product: code analysis tool, which users integrate into their CI/CD • Root cause: • The attacker was able to extract a key for a Google Cloud Storage service account from an intermediate layer in our public Codecov Self-Hosted Docker image. • The attacker used this key to modify a shell script in Google Cloud Storage, which was served directly to end-users with the malicious changes in place.
Solution • Product: code analysis tool, which users integrate into their CI/CD • It happens once, that hackers have placed a single malicious line to a 1k+ line bash script. • Ran for 2.5+ months…
framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
Docker images only • Artifact Registry • For Docker images, application dependencies and libraries. • Container Analysis • Store metadata • Container Analysis is built on top of Grafeas, an open source component metadata API • Automatic image scanning for OS vulnerabilities / On-demand scanning
a deploy-time security control for GKE or CloudRun. Enforces that only signed and attested images are deployed. • BA uses a policy that is a set of rules that govern the deployment and validation of container images • Rules define required attestations that are applied on cluster/namespace/SA level.
Attestor (BA API): Google Cloud resource that Binary Authorization uses to verify the attestation at image deploy time. • Attestation (CA API): digital document that certifies an image. References: • NoteId • PubKeyId of attestor
based on identified software vulnerabilities in your container images. • Steps: • Create Note • Create KMS key • Create GSA for Kritis, grant necessary rights • Define policy • Run Kritis Signer
posedio
chrisft25
ysk8hori
ivargrimstad
yusukeito
rkaga
marokanatani
euxn23
biacco42
pyama86
yosuke_furukawa
snaka
danielanewman
carmenintech
jlugia
speakerdeck
3n
geoffreycrofte
mclloyd
chriscoyier
bkeepers
eileencodes
jrom
