Software supply chain security Flashcards
What is the basic SW supply chain flow?
Left: Upstream actors
Right: Downstream actors
Component sourcing - Development - production - distribution - consumption
What does the software supply chain concern?
An organization's use of externally supplied software in its products
(open source or commercially purchased)
Name the 4 stages of a SW supply chain attack
Compromise
Alteration
Propagation
Exploitation
What is compromise?
The attacker finds and compromises an existing weakness within a link of the supply chain
What is alteration?
An attacker leverages the initial compromise to alter the software supply chain
What is propagation?
The change introduced by the attacker propagates to downstream components and links
What is exploitation?
The attacker exploits the alteration in a downstream link
What is the difference between supply chain attacks and vulnerable components?
Vulnerable components are typically the consequence of careless or unintended use/integration of third-party code by downstream users; nobody planted the bug.
Supply chain attacks always have a malicious attacker in the loop, who purposely injects the vulnerability (or malicious code) and plans to exploit it later.
Name countermeasure strategies for each step in the supply chain attack
Compromise - transparency
Alteration - validity
Propagation - Separation
Exploitation - Recovery
What is transparency?
Builds trust and security
Gives full visibility of all actors, operations and artifacts across the supply chain
Allows supply chain managers to identify weak links before they are compromised, effectively preventing attackers from completing the first stage
What is validity?
By maintaining:
- integrity of artifacts and operations
- authentication of actors
no unauthorized changes can be made to the supply chain
What is separation?
Compartmentalize and moderate interactions between entities.
Connections between artifacts, operations, and actors are managed so malicious changes cannot affect other supply chain components.
What is SBOM?
Software Bill of Materials
A nested inventory: a list of the ingredients (components and their dependencies) that comprise a piece of software
What is NPM audit?
Automatically checks all dependencies and their full dependency tree against a vulnerability database for known-vulnerable package versions.
Command: npm audit
What is code scanning?
Feature to analyze code in a git repo, to find vulnerabilities or code errors
What is Dependabot?
Discovers insecure dependencies in a project
When GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it.
PRs upgrade the dependency to the minimum secure version needed to avoid the vulnerability
What is in toto?
Framework that enforces the integrity of a SW supply chain by gathering cryptographically verifiable information about the chain itself
What are the key elements of in-toto?
Layout: a recipe that identifies which steps will be performed, by whom (which functionaries/keys), and in what order
Link metadata
The delivered product
What is link metadata in in-toto?
Each link serves as a statement that a given step was carried out, recording the artifacts it consumed (materials) and produced (products) by hash.
Sharing link metadata ensures no artifacts are altered in transit between steps
Cryptographically signed by the functionary that performed the step
What is the delivered product in in-toto?
The end user uses the layout and link metadata to verify the delivered product.
The end user checks, via the link metadata, that the delivered software has not been tampered with and that all steps were performed by the intended actors in the order the project owner intended
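The three in-toto cards above (layout, link metadata, delivered product) describe one verification procedure. The following is an added example, not code from the page or from the in-toto project, of that procedure in simplified form: a layout names the steps, their order and the authorized functionary; each link records materials and products by SHA-256; the verifier checks the signature on each link, that the step was done by the authorized functionary, that the materials of each step match the products of the previous one, and that the delivered product matches the final step's products. Real in-toto signs layouts and links with asymmetric keys; HMAC-SHA256 with a per-functionary secret (constructed here) stands in for that signature so the example runs on the standard library alone. Step names, functionary names, file paths and bytes are all constructed.

```python
import hashlib
import hmac
import json

# Constructed functionary secrets; real in-toto would hold public keys in the layout
# and the functionaries would sign with the matching private keys (assumption/stand-in).
FUNCTIONARY_KEYS = {"alice-dev": b"alice-secret", "build-bot": b"build-secret"}

# Layout: steps in order, who may perform each, and which earlier step's products
# the step's materials must match (None = first step, no MATCH rule).
LAYOUT = {
    "steps": [
        {"name": "clone", "functionary": "alice-dev", "match_materials_from": None},
        {"name": "build", "functionary": "build-bot", "match_materials_from": "clone"},
    ]
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialization so the signed bytes are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_link(step, functionary, materials, products):
    """Build one link: a signed statement that `step` consumed `materials` and produced `products`."""
    body = {
        "step": step,
        "functionary": functionary,
        "materials": {path: sha256(data) for path, data in materials.items()},
        "products": {path: sha256(data) for path, data in products.items()},
    }
    sig = hmac.new(FUNCTIONARY_KEYS[functionary], canonical(body), "sha256").hexdigest()
    return {"signed": body, "signature": sig}


def verify(layout, links, delivered_product):
    """Return (ok, reason). links: {step_name: link}; delivered_product: {path: bytes}."""
    prev_products = None
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            return False, f"no link metadata for step {step['name']}"
        body = link["signed"]
        key = FUNCTIONARY_KEYS.get(body["functionary"])
        if body["functionary"] != step["functionary"] or key is None:
            return False, f"step {step['name']} performed by unauthorized functionary"
        expected = hmac.new(key, canonical(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["signature"]):
            return False, f"bad signature on step {step['name']}"
        # Artifact rule: what this step consumed must be exactly what the previous step produced.
        if step["match_materials_from"] is not None and body["materials"] != prev_products:
            return False, f"materials of {step['name']} do not match products of {step['match_materials_from']}"
        prev_products = body["products"]
    delivered = {path: sha256(data) for path, data in delivered_product.items()}
    if delivered != prev_products:
        return False, "delivered product differs from final step products"
    return True, "ok"


# Constructed honest run: alice clones the source, the build bot turns it into a binary.
SRC = {"src/main.c": b"int main(void){return 0;}\n"}
BIN = {"dist/app": b"\x7fELF-constructed-build-output"}
LINKS = {
    "clone": make_link("clone", "alice-dev", {}, SRC),
    "build": make_link("build", "build-bot", SRC, BIN),
}

if __name__ == "__main__":
    print(verify(LAYOUT, LINKS, BIN))                      # honest chain
    print(verify(LAYOUT, LINKS, {"dist/app": b"evil"}))    # product swapped in transit
```

The two failure cases a practitioner should try are a binary swapped after the build step (caught by the delivered-product comparison) and a build step whose recorded materials differ from the clone step's products (caught by the MATCH rule); a link whose body is edited after signing fails the signature check.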
What is sigstore?
Makes software signing part of an invisible and ubiquitous infrastructure
Uses existing identity providers to issue short-lived certificates to individual package signing workflows.
Users sign with ephemeral keys, which lets developers sign packages without managing long-lived cryptographic material
What 3 technologies does Sigstore use?
Artifact signing
Transparency logging
Identity providers (OpenID connect)
What is transparency logging in Sigstore?
Borrows the Certificate Transparency idea: an append-only public log of issued certificates, so a third party can notice if two CAs issue a certificate for the same domain. Sigstore records its short-lived certificates and the signatures/attestations made with them in a public log (Rekor), so a signature issued under someone's identity is visible to that identity's owner and to auditors.
What is a proxy (in the package registry sense)?
Protects against fetching arbitrary packages in place of legitimate packages, by not allowing an upstream request to the public registries: all package requests go through the proxy
Describe a threat model that regards Proxies
An attacker publishes a malicious package to a public registry with the same name as an existing package in the private registry, but a higher version number.
If a system omits the setting for using only internal registries, the package manager may default to the public registry and download the malicious package because it "wins" on version.
What is mirroring (threat model and countermeasure)?
Threat model: Package manager may download malicious packages from public registries
Countermeasure:
Organizations create private package feeds, to mitigate risk of pulling dependencies from public sources
Give an example of a mirroring countermeasure
Using Maven: specify the sources you want to download artifacts from in settings.xml (a mirror entry with mirrorOf set to * routes every repository request to the internal mirror)
What is Git commit signing used for?
Transparency and validity
How does Git commit signing work?
Generate a public/private key pair (GPG or SSH)
Use the private key to sign commits (git commit -S, or set commit.gpgsign to true)
Others use the public key to verify the author of a commit (git verify-commit, git log --show-signature)
Name the threat model and countermeasures for GitHub Actions
Threat: an attacker can modify the build process
Counter:
- precise and repeatable build steps
- you know exactly what was running during the build (pin actions and tools to exact versions)
- ensure each build starts in a fresh environment
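The "know exactly what was running during the build" countermeasure is usually enforced by pinning every third-party action to a full commit SHA rather than a tag or branch, which the action's owner can move. The following is an added example, not code from the page or from GitHub: a checker that scans a workflow file for `uses:` references that are not pinned to a 40-hex commit SHA. The workflow text is constructed for the example (the action names and the SHA are illustrative, not verified references).

```python
import re

# Constructed workflow for the example: one action pinned to a full SHA,
# one pinned to a mutable tag and one to a mutable branch.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: actions/setup-node@v4
      - uses: some-org/helper-action@main
      - uses: ./.github/actions/local-step
      - name: build
        run: npm ci && npm run build
"""

# Matches the reference after `uses:` on a step line; a trailing comment is not captured.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return every `uses:` reference not pinned to a full 40-hex commit SHA.

    Local actions (./path) and docker:// images are skipped: they are governed by the
    repository itself or by image digests, not by a git ref. A tag such as @v4 or a
    branch such as @main resolves to whatever the action owner points it at today,
    so it does not tell you what ran in an earlier build.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)  # no version at all
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print("not pinned to a commit SHA:", ref)
```

Pinning to a SHA fixes the action's content; keeping the human-readable tag in a trailing comment (`@<sha> # v4`) is a common convention so the pin stays reviewable.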
What is scope used for?
Validity and separation
What is the threat model and countermeasure of scope?
Threat: dependency confusion, where an internal package name is claimed by an attacker on a public registry
Counter:
- restrict the package namespace to an organization or user by using a scope
- associate the scope with a registry, ensuring all requests for packages in that scope are routed to that registry
Give an example of how scope is used
@somescope/packageName
What is Containerization used for?
Separation
Name the threat model and countermeasure of containerization
Threat: Attacker can propagate attack or consequences via unintended connections
Counter:
- Separate internal operations, artifacts and actors
What is version locking used for?
Validity and separation
Name the threat model and countermeasure of version locking
Threat: malicious changes upstream may propagate downstream as soon as a new version is published
Counter:
- version locking (a lockfile) ensures a link includes a particular version of an upstream component, ideally with its resolved URL and integrity hash
- relies on actors accurately setting and managing version numbers
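The scope cards and the version locking cards above both come down to what is recorded in the lockfile. The following is an added example, not code from the page or from npm: a check over a package-lock.json (lockfile v2/v3 layout, where entries are keyed by their node_modules path) that flags two things, a dependency that is not actually locked (no resolved URL or integrity hash, so the next install may fetch something else), and a package in the organization's own scope whose resolved URL points somewhere other than the internal registry, the signature of a dependency confusion pull. The lockfile content, the `@acme` scope and the `registry.acme.internal` host are all constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed package-lock.json for the example (hashes truncated on purpose).
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-constructedaaaa"
    },
    "node_modules/@acme/auth-client": {
      "version": "2.1.0",
      "resolved": "https://registry.acme.internal/@acme/auth-client/-/auth-client-2.1.0.tgz",
      "integrity": "sha512-constructedbbbb"
    },
    "node_modules/@acme/billing": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/billing/-/billing-99.0.0.tgz",
      "integrity": "sha512-constructedcccc"
    },
    "node_modules/lodash": {
      "version": "4.17.21"
    }
  }
}
""")

INTERNAL_SCOPE = "@acme"                    # assumption: the organization's private scope
INTERNAL_REGISTRY_HOST = "registry.acme.internal"  # assumption: its private registry host


def package_name(path):
    """'node_modules/@scope/name' or 'a/node_modules/b' -> the innermost package name."""
    return path.split("node_modules/")[-1]


def audit_lockfile(lock, internal_scope=INTERNAL_SCOPE, internal_host=INTERNAL_REGISTRY_HOST):
    """Return a list of (package, kind, detail) findings.

    kind is 'unlocked' when the entry lacks a resolved URL or integrity hash, and
    'dependency-confusion' when a package in the internal scope resolved from a
    host other than the internal registry (e.g. the public registry won on version).
    """
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = package_name(path)
        resolved = entry.get("resolved")
        integrity = entry.get("integrity")
        if not resolved or not integrity:
            findings.append((name, "unlocked", "missing resolved URL or integrity hash"))
            continue
        host = urlparse(resolved).hostname
        if name.startswith(internal_scope + "/") and host != internal_host:
            findings.append((name, "dependency-confusion",
                             f"internal scope resolved from {host} at version {entry.get('version')}"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit_lockfile(SAMPLE_LOCK):
        print(f"{kind}: {name} ({detail})")
```

Run against a real lockfile, the 'unlocked' finding is the one to treat as a hard failure in CI: an entry with a version but no integrity hash gives the version pin no teeth. The scope check complements, rather than replaces, configuring the scope's registry in .npmrc; it catches the case where that configuration was missing on the machine that generated the lockfile.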
How should supply chain security move forward?
Most current approaches focus on managing artifacts
More approaches are needed that focus on operations and actors
Name the 3 countermeasure strategies
Transparency
Validity
Separation