AWS re:Invent 2024 - Beyond just observing, protecting your whole software supply chain (SEC406)

Introduction

Welcome to our session on "Beyond Just Observing: Protecting Your Whole Software Supply Chain." I'm Andrew Krug, and I lead the security advocacy team at Datadog. Today, I'm joined by my colleague Zach Allen, senior director of security research at Datadog. Together, we publish content on Datadog Security Labs.

Introduction to Datadog

To kick things off, I'll share a bit about Datadog, especially for those who may not be familiar with it. How many of you are Datadog customers? Great to see such a strong showing! What about our security customers? Excellent!

At Datadog, our mission is to unify DevOps and security teams, which have traditionally been siloed. We facilitate collaboration by providing shared visibility across code, runtime, and cloud—essentially breaking down those silos on a single platform. This enables teams to detect, protect, and respond to issues across their entire stack.

The Software Supply Chain Landscape

Today, we'll focus on software supply chain security, a landscape that spans code, runtime, and cloud environments. To understand how we got here, wind the clock back to 1984, when Ken Thompson published "Reflections on Trusting Trust," showing that a backdoored compiler can insert a backdoor into every program it builds, including the next copy of itself, so that inspecting source code alone is not enough to trust a shipped executable.

Fast forward to today: much has changed, but some of the challenges are the same. The number of services an organization runs and the mix of languages and package ecosystems inside a single environment widen the attack surface of the supply chain. At the same time, hard-won lessons about resilience have left many teams reluctant to update dependencies that are working well, so known-bad versions stay in production longer than they should.

The Linux Foundation's creation of the Open Source Security Foundation (OpenSSF) shows that the industry recognizes this as an ongoing problem. Datadog is proud to participate in that collaborative effort to secure the software supply chain.

GuardDog Program Overview

One of the ways we at Datadog contribute is by identifying malicious packages in ecosystems such as npm (Node.js) and PyPI (Python) through our GuardDog program. We started the initiative in 2022 and have since identified and publicly documented more than 1,700 malicious packages.

To reason about these threats we use the SLSA (Supply-chain Levels for Software Artifacts, pronounced "salsa") threat model, which enumerates the points where software can be tampered with as it is written, built, packaged, and distributed. Mapping observed attacks onto that model lets us analyze threat actors' tactics consistently.

The Attack Landscape

Threat actors have evolved over time and now utilize various techniques to infiltrate software supply chains. Some methods include:

  1. Creating Malicious Libraries - Threat actors register accounts on public package registries and publish malicious packages, typically with names chosen to trick developers into installing them (typosquats or look-alikes of popular libraries). For instance, we tracked an actor we call MUT-8694, which published more than 43 malicious packages across PyPI and npm.

  2. Compromising Popular Packages - Another method is to compromise an existing, widely used package and insert malicious code into it, so that it reaches every downstream consumer on their next install. A notable case was the popular library ua-parser-js, where malicious versions were published after the maintainer's npm account was hijacked.

  3. Recruiting Developers through Job Offers - North Korean threat actors have been known to approach developers with fake job offers. The "coding test" or starter project they send is a backdoored repository; running it gives the attacker a foothold on the developer's machine and from there access to the organization's systems.

  4. Exploiting Misconfigurations in Cloud Settings - Once inside an environment, threat actors look for misconfigured infrastructure, such as exposed Docker daemons and over-permissive Kubernetes clusters, to establish persistence and move laterally.

Datadog's Protection Strategies

Identifying threats is one thing; defending against them is another. Our Software Composition Analysis (SCA) product inventories the third-party dependencies in your code base, flags the known vulnerabilities and malicious packages among them, and turns those findings into actionable intelligence.

Combining SCA with runtime data lets teams prioritize and act quickly. Our solution correlates SCA findings with runtime context from our Application Performance Monitoring (APM) tool, so teams can see whether a vulnerable library is actually loaded, called, and exposed to untrusted input, and rank remediation by real exposure rather than by CVSS score alone.

One of our most notable features is exploit prevention through Runtime Application Self-Protection (RASP), which identifies and blocks exploitation attempts in real time inside the running application. Beyond the application, we also analyze cloud configurations to minimize the blast radius if a vulnerability is exploited.

Attack Path Feature

The Attack Path feature correlates findings across code, runtime, and cloud to show the chain of steps a threat actor could take through a cloud environment, from an initial entry point to a high-value resource. Because each step of the chain is visible, teams can break it by fixing the weakest link before an attacker strings the steps together into an incident.

Announcements and Open Source Project

We are excited to announce a new open-source initiative: the Datadog Software Supply Chain Firewall. The tool protects developers from pulling in malicious packages at the earliest point in the development process by wrapping the npm and pip commands: it inspects what an install command is about to fetch and refuses to proceed if a requested package is known to be malicious. At launch it blocks roughly 35,000 known malicious packages.
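To make the wrapping idea concrete, here is an added example (written for this page, not the Supply Chain Firewall's own code) of an install-time gate: it takes the argv of a `pip` or `npm` command, extracts the package names the command would fetch, normalizes them, checks them against a blocklist, and only then hands off to the real package manager. The blocklist entries, the `pm_gate.py` script name, and the sample invocations are constructed for illustration and do not refer to real packages.

```python
"""Added example: a minimal install-time gate in the spirit of wrapping pip/npm.
Not Datadog's Supply Chain Firewall code; the blocklist below is constructed."""
import re
import subprocess
import sys

# Constructed blocklist for illustration only; these are hypothetical names.
# A real deployment would load a curated, regularly refreshed dataset instead.
BLOCKLIST = {
    "pip": {"evil-helper", "requessts"},
    "npm": {"@bad-scope/evil-pkg", "express-utils-evil"},
}

# Subcommands that actually fetch packages and therefore need gating.
INSTALL_SUBCOMMANDS = {"pip": {"install"}, "npm": {"install", "i", "add"}}

# pip options that consume the following argument (so it is not a package name).
PIP_VALUE_OPTIONS = {"-r", "--requirement", "-c", "--constraint", "-e", "--editable",
                     "-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def normalize_pypi(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'.
    Without this, 'Evil_Helper' would slip past a blocklist entry for 'evil-helper'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pip_requested_packages(args):
    """Return normalized package names from the arguments of `pip install`.
    Flags, option values, local paths, URLs and requirement files are skipped
    (requirement files would need to be parsed separately)."""
    names, skip_next = [], False
    for arg in args:
        if skip_next:
            skip_next = False
            continue
        if arg in PIP_VALUE_OPTIONS:
            skip_next = True
            continue
        if arg.startswith("-") or arg.startswith((".", "/")) or "://" in arg:
            continue
        # Keep only the distribution name; drop extras ([async]) and specifiers (==1.0).
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", arg)
        if match:
            names.append(normalize_pypi(match.group(1)))
    return names


def npm_requested_packages(args):
    """Return package names from the arguments of `npm install`.
    Handles scoped names (@scope/pkg) and version suffixes (pkg@^1); local
    paths, file:, git+ and URL specs are skipped."""
    names = []
    for arg in args:
        if arg.startswith("-") or "://" in arg or arg.startswith((".", "/", "file:", "git+")):
            continue
        # A leading '@' marks a scope, so the version separator is a later '@'.
        at = arg.find("@", 1)
        names.append((arg if at == -1 else arg[:at]).lower())
    return names


def check_install(tool, argv):
    """Decide whether a `tool argv...` invocation may run.
    Returns (allowed, blocked_names); non-install subcommands are always allowed."""
    if not argv or argv[0] not in INSTALL_SUBCOMMANDS[tool]:
        return True, []
    extract = pip_requested_packages if tool == "pip" else npm_requested_packages
    requested = extract(argv[1:])
    blocked = sorted(name for name in requested if name in BLOCKLIST[tool])
    return not blocked, blocked


def main():
    # Usage: python pm_gate.py pip install requests   (pm_gate.py is a hypothetical name)
    tool, argv = sys.argv[1], sys.argv[2:]
    allowed, blocked = check_install(tool, argv)
    if not allowed:
        print(f"refusing to run {tool}: blocked packages {blocked}", file=sys.stderr)
        return 1
    return subprocess.call([tool] + argv)  # hand off to the real package manager


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner would want stated. First, this gate only sees the names typed on the command line; a blocked package that arrives as a transitive dependency, or through a `-r requirements.txt` file, is not caught unless the wrapper also resolves the dependency tree or parses those files, which the example does not do. Second, a wrapper is only effective if it is what developers actually run, so it belongs on the PATH ahead of the real `pip` and `npm` (or behind a shell alias), and CI pipelines should invoke it the same way.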

Conclusion and Q&A

Thank you for attending our session today and supporting our efforts to keep your software supply chain secure. We’re eager to continue a collaborative dialogue about securing environments, so please do visit us at our booth for further conversations.

Keywords

  • Datadog
  • Software Supply Chain
  • Security
  • GuardDog
  • Open Source Security Foundation
  • Threat Actors
  • Package Management
  • Vulnerabilities
  • Exploit Prevention
  • Attack Path

FAQ

Q: What is the purpose of Datadog's GuardDog program?
A: The GuardDog program identifies malicious packages in open-source package ecosystems such as npm (Node.js) and PyPI (Python) and publishes its findings so that others can block them.

Q: How can I protect my software supply chain?
A: Utilize tools like Datadog's Software Composition Analysis and implement exploit prevention mechanisms to safeguard your applications.

Q: What roles do threat actors play in compromising software supply chains?
A: Threat actors engage in creating malicious libraries, compromising popular packages, recruiting developers, and exploiting cloud misconfigurations.

Q: What is the significance of the new Software Supply Chain Firewall?
A: The Software Supply Chain Firewall aims to prevent the installation of malicious packages during development by blocking known threats.