An Acronym Free Introduction to Software Supply Chain Security - Joshua Lock, Verizon

An Acronym Free Introduction to Software Supply Chain Security - Joshua Lock, Verizon

Good afternoon, everybody. There are an awful lot of talks here, so thank you for taking the time to attend mine. My name is Joshua Lock, and I aim to provide an acronym-free introduction to software supply chain security. As governments and organizations around the world increasingly focus on this important subject, I wanted to give a cloud-native, novice-level introduction to the problems and ways to address them, avoiding the usual acronym soup that comes with any technical domain.

I am a software engineer in Verizon's Open Source Program Office, and I will start with an introduction to software supply chains and their security. You might wonder, what is a software supply chain? It encompasses all the steps involved in producing a piece of software—from writing the code, pushing it to a revision control system, automating the build process, pulling in dependencies, producing an artifact, and finally, sending it somewhere to be run. This basic model already hints at the complexities underneath, especially considering the interconnectedness of dependencies and the potential security risks at every step.

Most people agree that software supply chain security is about protecting against unintended software modifications. Think of it as tamper-resistant tape on medication bottles; you either prevent tampering or know immediately if something has been tampered with.

Real-World Compromises

Let's take a tour of some real-world examples of compromised software supply chains.

1. Event-Stream NPM Package Compromise (2018): A well-meaning maintainer inadvertently handed off control to another contributor, who introduced a malicious dependency designed to steal cryptocurrency.

2. Webmin Project (2018-2019): For about 18 months, a build machine under a contributor's desk was compromised. The attacker introduced changes that allowed them to control numerous servers running Webmin.

3. SolarWinds Orion (2020): This high-profile compromise involved inserting malicious code at build-time, affecting Fortune 500 companies and federal governments.

4. CodeCov Bash Uploader (2021): A compromised docker image script was able to record sensitive information, such as environment variables, for about three months.

5. Rivian Infotainment System (2021): An accidental incorrect certificate release bricked the infotainment systems of Rivian's electric vehicles.

Best Practices for Securing the Software Supply Chain

1. Practice Good Hygiene

Your software should be as predictable as a fast food franchise. Good hygiene includes:

• Secrets Management: Use strong practices like password policies, multi-factor authentication, and automated secret rotation.
• Infrastructure Hygiene: Automate infrastructure deployment, use principles of least privilege, and ensure frequent updates.
• Development Tools: Keep them updated and secure.

2. Understand Your Ingredients

Know where your software components come from:

• Reputable Sources: Use well-known package repositories and trusted sources.
• Caching Dependencies: Store dependencies locally to minimize internet fetches during build processes.
• Keep Dependencies Fresh: Regularly update your dependencies, balancing between stability and security.

3. Principle of Minimalism

Only use what you need. Applying The Principle of Minimalism means reduced attack surfaces, better focus for remediation, and cost benefits in storage and transfer.

4. Consistency

Develop a consistent, repeatable build and deployment process:

• Automated Builds: Have control steps and repeatable builds.
• Rebuildable and Reproducible Builds: Aim to reproduce exact binaries for high security and debuggability, but it’s a challenging effort.

Resources

To explore further, check out projects such as in-toto and The Update Framework (TUF), which are discussed in several talks at this conference. Other helpful projects are SLSSA, Sigstore, and the Secure Supply Chain Consumption Framework.

Final Thoughts

Software supply chain security is a broad and complex subject. It’s not simply about being "secure" or "insecure" but making incremental improvements over time. Each small step can significantly enhance your security posture. Remember, you’ve got this!

Keywords

1. Software Supply Chain
2. Security
3. Dependencies
4. Automation
5. Tampering
6. Reproducible Builds
7. Consistency
8. Principle of Minimalism

FAQ

Q1: What is a software supply chain? A: It encompasses all the steps involved in producing a piece of software, from writing code to deploying the final product.

Q2: What are some real-world examples of software supply chain compromises? A: Examples include the Event-Stream npm package compromise, the Webmin project compromise, SolarWinds Orion, CodeCov bash uploader incident, and Rivian infotainment system issue.

Q3: How can you secure your software supply chain? A: Practice good hygiene, understand your software dependencies, apply the principle of minimalism, and ensure consistency in your build and deployment processes.

Q4: What is meant by 'Principle of Minimalism' in software supply chain security? A: It means using only what is necessary in your software builds, reducing the attack surface and maintenance overhead.

Q5: How important is consistency in securing the software supply chain? A: Consistency is crucial. A repeatable, controlled build process helps prevent tampering, facilitates debugging, and ensures better security.

Q6: Are there resources to help me further secure my software supply chain? A: Yes, projects like in-toto, The Update Framework (TUF), SLSSA, Sigstore, and the Secure Supply Chain Consumption Framework offer tools and guidelines for better security practices.