Software supply chain security

Question 1

What is the basic SW supply chain flow?

Answer 1

Left: Upstream actors
Right: Downstream actors

Component sourcing - Development - production - distribution - consumption

Question 2

What does the software supply chain concern?

Answer 2

An organization’s use of externally supplied software in products

(open source or comercially purchased)

Question 3

Name 4 properties of SW supply chain attacks

Answer 3

Compromise

Alteration

propagation

Exploitation

Question 4

What is compromise?

Answer 4

Attacker finds an compromises an existing weakness within a supply chain

Question 5

What is alteration?

Answer 5

An attacker leverages the initial compromise to alter the software supply chain

Question 6

What is propagation?

Answer 6

The change introduced by the attacker propagates to downstream components and links

Question 7

What is exploitation?

Answer 7

The attacker exploits the alteration in a downstream link

Question 8

What is the different between supply chain attacks and vulnerable components?

Answer 8

Vulnerable components could be the consequence of careless or unintended use/integration of vulnerable components by downstream users.

Supply chain attacks always have malicious attackers in the loop, who purposely inject vulnerabilities and plan to exploit them in the future.

Question 9

Name countermeasure strategies for each step in the supply chain attack

Answer 9

Compromise - transparency

Alteration - validity

Propagation - Separation

Exploitation - Recovery

Question 10

What is transparency?

Answer 10

Builds trust and security

Enables perfect vision of all actors, ops and artifacts across the supply chain

Allow supply chain managers to identify link weaknesses before they are compromised, effectively preventing attackers from completing the first stage

Question 11

What is validity?

Answer 11

By maintaining:
- integrity of artifacts, operations
- authentication of actors

No unautorized changes can be made to the supply chain

Question 12

What is separation?

Answer 12

Compartmentalize and moderate interactions between entities.

Connections between artifacts, operations, and
actors are managed so malicious changes cannot affect other supply chain components.

Question 13

What is SBOM?

Answer 13

Software Bill of Materials

A nested inventory, a list of ingredients that compromise sw components

Question 14

What is NPM audit?

Answer 14

Automatically checks all dependencies and its dependency tree for vulnerable packages.

Command: npm audit

Question 15

What is code scanning?

Answer 15

Feature to analyze code in a git repo, to find vulnerabilities or code errors

Question 16

What is dependabot?

Answer 16

discovers insecure dependencies in a project

When git detects vulnerable dependency in the default branch, dependabot creates a pull request to fix it.

PRs will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability

Question 17

What is in toto?

Answer 17

Framework that enforces the integrity of a SW supply chain by gathering cryptographically verifiable information about the chain itself

Question 18

What is a key element in In toto?

Answer 18

Layout: A recipe that identifies which steps will be performed, by whom, and in what order

Link metadata

The delivered product

Question 19

What is Link metadata in In toto?

Answer 19

Each link serves as a statement that a given step was carried out.

Sharing link metadata ensures no artifact are altered in transit

Cryptographically signed

Question 20

What is the delivered product in In toto?

Answer 20

End user utilize layout and link metadata to verify delivered product.

End user uses link metadata to verify that SW provided has not been tampered with and that all steps were performed as the project owner intended

Question 21

What is sigstore?

Answer 21

Makes software signing part of an invisible and ubiquitous infrastructure

Uses existing identity providers to issue short lived certificates of individual package signing workflows.

Users can sign with ephemeral keys, which allows devs to sign packages without managing their cryptographic material

Question 22

What 3 technologies does Sigstore use?

Answer 22

Artifact signing

Transparency logging

Identity providers (OpenID connect)

Question 23

What is transparency logging in Sigstore?

Answer 23

Certificate Transparency keeps a public transparency log of issued certificates so that a third party could notice if two CAS were to issue a certificate to the same domain

Question 24

What is Proxy?

Answer 24

Protects against fetching arbitrary packages in pace of legitimate packages, by not allowing an upstream request to the public registries

Question 25

Describe a threat model that regards Proxies

Answer 25

An attacker publishes a malicious package to a public registry, with the same name but higher version as an existing package in the private registry.

If a system omits the setting for only using internal registries, the package manager could default to public registry and download the malicious package.

Question 26

What is mirroring (threat model and countermeasure)?

Answer 26

Threat model: Package manager may download malicious packages from public registries

Countermeasure:
Organizations create private package feeds, to mitigate risk of pulling dependencies from public sources

Question 27

Give an example of mirroring countermeasures?

Answer 27

Using Maven

Specify the sources you want to download artifacts from

Question 28

What is Git commit signing used for?

Answer 28

Transparency and validity

Question 29

How does Git commit signing work?

Answer 29

Generate public-private key

Use private to sign commit

Use public keys to verify the author of a commit

Question 30

Name threat model and countermeasures of GitHub actions

Answer 30

Threat: Attack can modify build process

Counter:
- precise and repeatable build steps
- You know exactly what was running during build
- Ensure each build start in new environment

Question 31

What is scope used for?

Answer 31

Validity and separation

Question 32

What is the threat model and countermeasure of scope?

Answer 32

Threat: Dependency confusion risk, when internal package name is claimed by attacker on public registry

Counter:
- Restricting package namespace to organization or user using scope
- Can associate scopes with registry, ensuring all packages requests are routed to that registry

Question 33

Give an example of how scope is used

Answer 33

@somescope/packageName

Question 34

What is Containerization used for?

Answer 34

Separation

Question 35

Name the threat model and countermeasure of containerization

Answer 35

Threat: Attacker can propagate attack or consequences via unintended connections

Counter:
- Separate internal operations, artifacts and actors

Question 36

What is version locking used for?

Answer 36

Validity and separation

Question 37

Name the threat model and countermeasure of version locking

Answer 37

Threat: Malicious changes upstream may propagate downstream

Counter:
- Version locking ensure a link includes a particular version of an upstream component
- Relies on actors accurately setting and managing version numbers

Question 38

How should supply chain security move forways?

Answer 38

Most approaches do now focus on managing artifacts

More approaches are needed to focus on operations and actors

Question 39

Name the 3 countermeasure strategies

Answer 39

Transparency

Validity

Separation