Published on

Research talks: Software supply chain security

Research Talks: Software Supply Chain Security

Introduction

Hello and welcome to the Microsoft Research Summit 2021. This is our talk on the state and future of software supply chain security. My name is Adrian Diglio, and I'm joined by my colleague Michael Scoveta. First, a quick disclaimer: This talk and accompanying slides are for general information purposes only and are not intended to constitute legal and professional advice.

Meet the Speakers

Adrian Diglio

  • Program Manager at Microsoft leading the central strategy to secure our software supply chain
  • Experience: Panelist discussions with industry peers (US Department of Energy, North Carolina State University)
  • Education: Bachelor's from Cal Poly, Master's from SDSU, and industry certifications

Michael Scoveta

  • Principal at Microsoft leading an open-source security team
  • Goal: Ensure Microsoft is protected from vulnerable or dangerous open-source software
  • Leads a workgroup within the Open Source Security Foundation
  • Education: Master's from Cornell in computer science

Topics Covered

  1. What software supply chains are and why we need to secure them (by Mike Scoveta)
  2. Microsoft’s approach to managing the risks (by Adrian Diglio)

Understanding Software Supply Chains and Their Importance

Modern Software Composition

  • Modern software rarely built in isolation; relies on various components like libraries, services, hardware.
  • Software supply chain: Collection and interaction of everything that goes into delivering your product/service.
  • Includes third-party vendors, cloud service providers, source code repositories, developer laptops, distribution channels.

Seismic Shift in the Past 15-20 Years

  • Increase in reliance on open-source software. Average application depends on 500+ open-source libraries.
  • Increased complexity with multiple dependencies and more parties involved.
  • Adversary advantages: Ability to analyze and mount attacks with high payoffs.

Recent Breaches and Federal Movements

  • Targeting critical systems (e.g., Florida’s water system, Colonial Pipeline).
  • High-profile breaches like SolarWinds targeting build systems.
  • Federal executive orders and legislation aiming to mitigate risks.

Open Source Software Risks

  • Risk categories: Local development, package repository, organizational use, and distribution.
  • Notable attacks: Co-maintainer becoming an attacker, compromised credentials, regular vulnerabilities.
  • Complexity increases as each dependency adds potential risk, impacting the entire service/product.

Microsoft’s Approach to Software Supply Chain Security

Segmenting the Problem and Strategy

  • Focus on: Build environment, OSS supply chain, build tool supply chain, DevOps platform, developer workstations, upstream security, and more.
  • Highlighting critical threats, such as attacks on build machines and ransomware.

Build Environment Security

  • Secure build machines with secure boot capabilities.
  • Ephemeral and isolated build environments to prevent persistence and network-based attacks.
  • Advanced security monitoring and code integrity policies.

OSS Supply Chain Security

  • Eight-practice program: Local copy, inventory, scanning, updating, auditing, enforcing policies, private fixes.
  • Adopting maturity model for incremental improvements.
  • Challenges with rebuilding from source due to non-determinism.

Build Tool Supply Chain

  • Reducing attackable surface by hosting internal stores for binaries.
  • Measuring attack surface and implementing secure practices over time.

DevOps Platform and Developer Workstation Security

  • Protecting credentials and eliminating hard-coded secrets.
  • Ensuring secure configurations, two-person reviews, just-in-time permissions.
  • Threat modeling for the build environment.

Community Engagement and Open Source Security Foundation

  • Assurance of free-from-vulnerabilities software.
  • Open Source Security Foundation: Industry-wide initiative to enhance open-source security.
  • Encouraging community participation.

Evidence Store and Supply Chain Integrity

  • SKIM (Supply Chain Integrity Model): Capturing policy and evidence in an immutable ledger.
  • SBOMs (Software Bill of Materials): Providing unique software identifiers for integrity validation.

Future Vision for Software Supply Chain Security

  • Conveying trust through verifiable, trusted build environments and dependencies.
  • Recording evidence as proof for validation in a non-repudiable evidence store.

Keywords

  • Supply Chain Security
  • Open Source Software
  • Build Environment
  • DevOps Platform
  • Ephemeral Builds
  • Secure Boot
  • Software Integrity
  • SKIM
  • SBOM

FAQ

1. What is a software supply chain?

  • A software supply chain is the collection and interaction of everything that goes into delivering your software product or service. It includes components like third-party libraries, external services, hardware, source code repositories, and distribution channels.

2. Why is securing the software supply chain important?

  • Software supply chains are critical due to their complexity and reliance on multiple dependencies. Attacks on the supply chain can lead to significant damage, including financial losses and compromised critical systems.

3. What strategies is Microsoft using to secure the software supply chain?

  • Microsoft’s strategy includes securing the build environment, improving OSS supply chain practices, minimizing the attack surface for build tools, ensuring DevOps platform security, protecting developer workstations, and engaging in community initiatives like the Open Source Security Foundation.

4. What are some common threats to the software supply chain?

  • Common threats include compromised dependencies, vulnerability exploitation, co-maintainer attacks, compromised credentials, and leveraging open-source components with vulnerabilities or backdoors.

5. What is SKIM and how does it help in supply chain integrity?

  • SKIM (Supply Chain Integrity Model) is an open specification that captures policy and evidence to provide proof of compliance in a single, immutable ledger. It helps ensure software meets integrity standards and can be validated.

6. How can the community contribute to software supply chain security?

  • The community can participate in initiatives like the Open Source Security Foundation, contribute to open-source projects by identifying and fixing vulnerabilities, and adopt best practices for secure software development.

7. What role do SBOMs play in supply chain security?

  • SBOMs (Software Bill of Materials) provide unique identifiers for software components, aiding in transparency and integrity validation across the supply chain.

Read More