Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the software supply chain for infra ma...

Rudder
February 07, 2023
Programming
1
230

Securing the software supply chain for infra management software

🎥 https://youtu.be/H-9Y_-3ohBI
🧑 Alexis Mousset
📅 Configuration Management Camp 2023

Infrastructure management tools have a special place among software regarding security, as they usually run ubiquitously, with high privileges and a relatively high attack surface. This makes them targets of choice, especially in the current context of increased threats on software supply chains.

What are our (new) responsibilities as software editors in an open source ecosystem? They include a precise identification and authentication of all software components (to provide a Software Bill of Material) and constraints on the build process and software distribution models.

This talk will give an overview of the current state of the rapidly evolving software supply chain standards and tooling (e.g. SLSA, SBOMs, etc.). It will also explore more concrete items, focused on dependencies management in open source ecosystems and our experience with Rudder.

Rudder

February 07, 2023
Tweet

More Decks by Rudder

See All by Rudder
Hausse des cybermenaces lors des JO : êtes-vous suffisamment protégé ?
rudder
1
32
Adoptez une stratégie de patch management efficace adaptée à votre système d’information
rudder
1
56
Comment sécuriser son SI pour ne plus subir les attaques ?
rudder
1
58
Hardening systems: from a benchmark guide to meaningful compliance
rudder
1
33
Implementing configuration management primitives in 2024
rudder
1
27
Supply Chain Security in the Rust Ecosystem
rudder
1
19
A journey from Configuration Management to Security of IT systems
rudder
1
55
Rudder: what is it and what makes it different?
rudder
1
130
How do we make Rudder secure?
rudder
1
83

Other Decks in Programming

See All in Programming
生成AIを使ったQAアプリケーションの作成 - ハンズオン補足資料
oracle4engineer
PRO
3
240
Building a macOS screen saver with Kotlin (Android Makers 2025)
zsmb
1
150
Ruby's Line Breaks
yui_knk
2
1.2k
AI時代の開発者評価について
ayumuu
0
150
Unlock the Potential of Swift Code Generation
rockname
0
260
Make Parsers Compatible Using Automata Learning
makenowjust
1
5.1k
Lambda(Python)の リファクタリングが好きなんです
komakichi
3
200
スモールスタートで始めるためのLambda×モノリス(Lambdalith)
akihisaikeda
2
290
タイムゾーンの奥地は思ったよりも闇深いかもしれない
suguruooki
1
680
「影響が少ない」を自分の目でみてみる
o0h
PRO
2
1.1k
Making TCPSocket.new "Happy"!
coe401_
1
1.5k
ウォンテッドリーの「ココロオドル」モバイル開発 / Wantedly's "kokoro odoru" mobile development
kubode
1
140

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
76
9.3k
Building Applications with DynamoDB
mza
94
6.3k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.4k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
30k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Code Reviewing Like a Champion
maltzj
522
40k
Become a Pro
speakerdeck
PRO
27
5.3k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
5
550

Transcript

  1. securing the software supply chain of infra management tools 7th

    feb. 2023 Alexis Mousset

  2. whoami sysadmin background lead system developer @rudder secure code working

    group @rust-lang vulnerabilities database for Rust libraries security-related tooling 2

  3. infra management software runs everywhere whether with an agent or

    remote connections high privileges often acts as glue cross technologies to adapt to what we configure 3

  4. infra management software complex software other remote admin access are

    simpler ( openssh , etc.) highly connected to other infra parts big attack surface dependencies 4

  5. infra management software this makes these software targets of attacks

    classic vulnerabilities exploitation of a bug in the program authentication bypass etc. we are not talking about these 5

  6. where does infra software come from? 6

  7. software supply chain developer repository build distribu on user dependencies

    7

  8. developer 8

  9. developer working on the project/for the company a workstation various

    credentials recent Circle CI breach out of scope here, but needs special attention 9

  10. developer dependencies 10

  11. dependencies open-source building blocks are now everywhere various ecosystems 11

  12. other developers (a lot) 12

  13. who has (indirect) push rights to software? every one that

    has push and release access to all your dependencies you can't audit all dependencies can only be a heuristic or a community effort more and more package managers and dependencies sources less reliant on system dependencies 13

  14. estimates on Rudder Rust cargo supply-chain allows visualizing the dependencies

    maintainers Our node/server communication daemon lists: 140 individuals 34 Github teams 14

  15. attacks/vulnerabilities on dependencies increasing in the latest years huge potential

    15

  16. you may have heard of... log4shell RCE in log4j, a

    popular Java logging library revealed that nobody really knows what they are running openssl 16

  17. how hard can it be? event-stream , popular npm package

    (1.2k stars on github) release including code to steal crypto ledgers on dev machines 17

  18. 18

  19. Rust side various attacks on crates.io typosquatting rustdecimal instead of

    rust_decimal attack against Gitlab CI 19

  20. what do we learn from this? good: people are generally

    nice to each other! bad: it is basically our only protection 20

  21. developer repository 21

  22. repository 22

  23. repository not the easiest channel still a lot of deploy

    keys/SSH keys without passwords in the wild 23

  24. repository reviews protected branches to force a review and make

    changes visible 24

  25. developer repository build dependencies 25

  26. build process & infra setup a build environment containers, VM,

    etc. either SaaS or hosted download all sources our code dependencies from various channels build push artifacts 26

  27. build process & infra SolarWinds Monitoring software Orion infected with

    malware attack through the build platform installed on persistent builder systems modified the sources at build time, hard to detect attacks on CI platforms circleCI Gitlab CI 27

  28. build process & infra build environments are critical assets security

    monitoring and update policies for sources lock files (i.e. include the dependency' source hash in the repository) signatures check 28

  29. developer repository build distribu on dependencies 29

  30. distribution generally correctly done! signatures (rpm, dpkg, msi, etc.) 30

  31. developer repository build distribu on user dependencies 31

  32. what do users need? visibility trust (integrity) 32

  33. how to reach these goals? 33

  34. aside: OpenSSF Open Source Security Foundation affiliated with the Linux

    Foundation created in August 2022 merges several previous efforts 34

  35. visibility 35

  36. identifying software the first problem with visibility is the ability

    to identify software. we are used to "CPE", used in CVEs It is not enough SWID and purl 36

  37. purl uniform identifier for software good for upstream stuff 37

  38. pkg:deb/debian/[email protected]?arch=i386&distro=jessie pkg:docker/cassandra@sha256:244fd47e07d1004f0aed9c pkg:gem/[email protected] pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c pkg:golang/google.golang.org/genproto#googleapis/api/annotations 38

  39. SWID better for downstream NIST/SCAP usable in CVEs 39

  40. <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xml:lang="en-US" name="Red Hat Enterprise Linux" tagId="com.redhat.RHEL-8-x86_64"

    tagVersion="1" version="8" versionScheme="multipartnumeric" media="(OS:linux)"> 40

  41. how to list software? Software Bill of Materials list of

    ingredients (components and versions) 41

  42. SPDX first open-source oriented SBOM started around 2010 focused on

    license compliance initially included standardized license identifiers headers 42

  43. CycloneDX from OWASP, in 2017 security-oriented goes beyond SBOM HBOM

    (hardware), OBOM (operations), etc. vulnerability management: VDR, VEX 43

  44. vulnerability tracking CVE historically 44

  45. OSV Open Source Vulnerability CVE is not enough for everything

    software badly identified often useless scoring a format spec a database centralizing information from different ecosystems 45

  46. vulnerability tracking at ecosystem level a database for each language

    Github efforts security tooling dependabot 46

  47. integrity source, build and artifact signing distributed binaries is good,

    and already well deployed ...but absolutely not enough! 47

  48. sigstore tooling to sign and check signatures of artifacts Attend

    next talk for more details! 48

  49. what can we do? we started hearing about these topics

    ten years ago only starting to actually exist now 49

  50. what can we do? the problem space is huge the

    cost is potentially huge we need to prioritize and focus 50

  51. pronounced "salsa" Supply chain Levels for Software Artifacts originally from

    Google, now under the OpenSSF umbrella framework providing checklists with levels 51

  52. SLSA the goal is to help list and prioritize not

    transitive 52

  53. 53

  54. SLSA level 1 "The build process must be fully scripted/automated

    and generate provenance." visibility but no integrity allow the end user to make risk-based security decisions no protection against tampering 54

  55. SLSA level 2 "Requires using version control and a hosted

    build service that generates authenticated provenance." 55

  56. SLSA level 3 "The source and build platforms meet specific

    standards to guarantee the auditability of the source and the integrity of the provenance respectively." auditors certify that platforms meet the requirements 56

  57. SLSA level 4 "Requires two-person review of all changes and

    a hermetic, reproducible build process." 57

  58. where are we at? 58

  59. rudder A lot of ecosystems Scala/Java (maven-based) Elm (dedicated tooling)

    Rust (cargo/crates.io-based) F# (dotnet/nuget-based) JavaScript (npm-based) C Perl (cpan-based) Python (pip-based) 59

  60. rudder visibility dependency management SBOM? vulnerability scanning integrity only at

    distribution level 60

  61. rudder build security and reproducibility improvements next step: aggregated SBOM

    continue making the build more deterministic and hermetic 61

  62. rust vulnerability tracking: okayish SBOM: early days storing SBOM in

    binaries: cargo-auditable still a lot to do on crates.io 2FA, sigstore, etc. exploring trust: cargo-crev , cargo-vet 62

  63. conclusion mostly driven by enterprise & government needs might lead

    to complex solutions far too many acronyms (i've spared you a lot of them) the supply chain security ecosystem is still quite immature competing norms, technologies, etc. continuous changes 63

  64. conclusion but we can't ignore it, at all levels open

    source ecosystems software editors end users, especially in critical contexts we are all software editors 64

  65. references Open Source Security Foundation (OpenSSF, Linux Foundation) SLSA OSV

    sigstore OWASP Foundation CycloneDX PBOM.dev OSC&R: Open Software Supply Chain Attack Reference 65

  66. references Chainguard Aqua Security open-source tooling: Trivy Anchore Grype, Sift

    OmniBOR Artifact Dependency Graph 66

  67. questions? [email protected] twitter.com/AlexisMousset mastodon.social/@amousset 67