Exhibitor: Benchmarking the Security of Your Software Supply Chain - Eylam Milner & Mor Weinberger

Introduction

Welcome to the exhibitor track! I’m Hitesh Babani, a volunteer in the OAS Community, and I’ll be moderating this session. Over the next 45 minutes, we’ll be joined by Eylam Milner and Mor Weinberger, who will present on the topic of "Benchmarking the Security of Your Software Supply Chain."

Please feel free to submit any questions throughout the session using the Q&A tab located to the right of this video in the Hula platform. We will cover these questions in the last ten minutes. Note that the chat function in Zoom is disabled for attendees, but you can still leave comments in the Hula platform.

Speakers’ Introduction

Eylam Milner

Eylam Milner is the Co-Founder and CTO of Argon Security, which is now part of Aqua Security. His experience includes enabling DevOps and security teams to protect software delivery pipelines against supply chain attacks, including misconfigurations and vulnerabilities. Before founding Argon, Eylam served for seven years in the Israeli military as a security team lead and has consulted for various startups.

Mor Weinberger

Mor Weinberger, a Senior Software Engineer at Argon, has extensive experience analyzing threats targeting cloud-native environments. He has previously worked at Microsoft for over four years on cloud security threat products and is excited to share insights about securing software supply chains today.

Overview of the Software Supply Chain

In this session, Eylam and Mor will provide a comprehensive overview of the software supply chain. The supply chain consists of five different layers:

1. Source Code: Involves working collaboratively with teams on the codebase.
2. Dependencies: Any external or internal code libraries/repositories brought into your development process.
3. Build Pipeline: Where CI/CD pipelines take source code and compile it into runnable artifacts.
4. Artifact Management: The phases of managing different versions of your microservices until they are ready for deployment.
5. Deployment: The transition to production environments.

DevOps processes have undergone rapid changes in recent years, making it imperative to understand challenges and threats within the software supply chain.

Recent Attacks on Software Supply Chains

Eylam and Mor elaborated on several significant supply chain attacks that highlight the importance of securing software delivery pipelines:

• GitLab Leakage: Around 600 private repositories were leaked due to configuration errors.
• CI Poisoning: Attackers gained access to CI environments, which can potentially lead to widespread misuse.
• Dependency Confusion: Attackers exploited package managers, easily pulling malicious code into private environments.
• SolarWinds Incident: A notable attack involving build-time code injection, impacting thousands of customers globally.
• Protestware: Malicious modifications by open-source project maintainers as a form of activism.

Mor added insights into how even maintainers of popular open-source projects expose consumers to risks, citing specific examples of malicious coding practices under political motives.

Notable Attacks and Live Demonstrations

The presentation also included real-world examples of sophisticated attacks and live demonstrations of tools that can be used to analyze threat vectors effectively. An open-source project called Chain Bench is being developed to automate checks across the software supply chain and will provide comprehensive security audits.

The CIS Benchmark is highlighted as a valuable resource, offering over 100 guidelines for organizations to secure their software supply chains effectively. Key audit sections include:

• Source Code Management
• Build Process Integrity
• Dependency and Artifact Management
• Deployment Security

Help From Chain Bench

As a solution to help organizations assess their software supply chains, Chain Bench aims to provide automated cross-checks and visibility into security postures. It will officially launch in two weeks at the Open Source Summit in Austin.

Conclusion

In closing, Eylam and Mor emphasized that while securing software supply chains can be complex due to various attack vectors, it doesn’t have to be insurmountable. With tools like Chain Bench and adherence to frameworks such as the CIS Benchmark, organizations can effectively protect their software delivery processes and mitigate risks.

Keyword: Software Supply Chain, Security, DevOps, CI/CD, Argon Security, Chain Bench, Vulnerabilities, Attacks, Open Source, CIS Benchmark.

FAQ

1. Is Chain Bench available already, and how can I get it?

   • Chain Bench is currently in development and aims to be launched in two weeks at the Open Source Summit in Austin. Check their GitHub for updates.

2. How does Chain Bench compare to the OpenSSF project scorecard?

   • While both aim to enhance security in the software supply chain, Chain Bench focuses on all types of projects from code to deployment, whereas Scorecard is primarily concerned with open-source projects hosted on platforms like GitHub.

3. What is CIS Benchmark, and how is it related to other frameworks like NIST?

   • The CIS Benchmark provides detailed instructions for securing software supply chains, while organizations like NIST also provide guidelines but might have broader scopes. They work collaboratively on some initiatives.

4. How can I provide evidence that my actions are effective?

   • Chain Bench runs a series of defined checks, providing reports and updates on vulnerabilities and compliance status, allowing you to demonstrate ongoing improvements in your security posture.