Software Supply Chain Security

About

Software supply chain attacks are not a new attack vector - but one that we've seen increasing use of as many prominent organizations have created sophisticated security practices internally. When this happens, attackers look for other weaknesses - and more often than not, those weak points are often in the supply chains those organizations use.

On this page, I want to collect articles and details about recent and novel supply chain style attacks, all of which help inform a talk on supply chain security that I'm constantly revising.

On this page

• What is a Software Supply Chain?
• Futher Reading
  • From me 😃
  • From others
• Software Bill of Materials
• List of Supply Chain Attacks
  • Detailed list from the CNCF

What is a Software Supply Chain?

The supply chain is much broader than many give it credit for. When I say "software supply chain," what's the first thing that comes to mind? Often that would the direct dependencies of the code itself - open source dependencies brought into the code. And while open-source dependencies are an essential part of the software supply chain, they are far from the only point to consider when thinking about supply chain security.

Other parts of your supply chain include the code you write, any 3rd party libraries you're using (not just the open sources ones), the dependencies you inherit by proxy (the dependencies of your dependencies), your DevOps tools and processers. Any tools and plugins those tools use, any vendor code, and any dependencies that those vendors have.

Futher Reading

Me

• [My talk on Supply Chain security](https://cfps.dev/u/brendan/309638467550184004 that I've given a number of iterations of, including:
  • FOSDEM 2021
  • GDIT Emerge
  • DockerCon 2021.

Other People

• Johnathan Hunt, VP of Security at GitLab 3 best practices for better supply chain security
• Read Cindy Blake's article on how your DevOps platform impacts supply chain security.

Software Bill of Materials (SBOM)

• What is an SBOM, and why should you Care??
• US National Telecommunications and Information Administration's resources on Software Bill of Materials

Supply Chain Attacks

Below are some supply chain attacks I've done some amount of research on in the past. You can also find a complete open list of supply chain attacks and breaches on the CNCF TAG Security repo.

Solarwinds/Sunburst

Attacking the DevOps environment - in this case the CI/CD systems which are very poorly secured - allows attackers to inject and sign malicious software.

• U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
• Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor

Ding ding ding. The CI/CD box is always:

* Manually configured
* Able to touch production
* Accessed by a whole mess of people
* Scary to patch

More on this after the insurrection. https://t.co/YRjPx1WMqH

— Corey Quinn (@QuinnyPig) January 6, 2021

Birsan Dependency Bug Bounties

Hacking Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber with open source dependancy man-in-the-middle style attacks.

• Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
• Researcher hacks over 35 tech firms in novel supply chain attack

PHP source code attack

Inserting backdoors into 78% of the internet by attacking the source code management system.

• PHP's Git server hacked to add backdoors to PHP source code

Network-devices as a vector to homes & businesses

• Whistleblower: Ubiquiti Breach “Catastrophic”

Unintentional supply chain disruptions

Undiscovered open source vulnerabilities

• Node.js: npm/netmask: undiscovered for 9 years

Pulling popular open source libraries unexpectedly

• Ruby on Rails: mimemagic gem license issue
• Node.js: leftpad

Comments