The thing about the software supply chain

Hello everyone, I'm Elam, CTO and co-founder of Argon. Today, I want to discuss the software supply chain. Our mission at Argon is to help companies release software securely by protecting each phase of the software supply chain.

Introduction to the Software Supply Chain

The term "software supply chain" is borrowed from the physical world, describing the route products or services take from factory composition to doorstep delivery. Similarly, in the software world, it includes five different phases:

  1. Source Code Management (SCM): Manages the source code.
  2. Materials: Includes both open-source and CI pipeline dependencies.
  3. Build Phase: Uses CI pipelines to compile raw source code into an artifact.
  4. Artifact Management: Manages the final form of artifacts through package registries.
  5. Deployment Phase: Deploys the final packages to the relevant environments, such as Kubernetes clusters in production.

Technological Changes and Surveys

The software deployment process has undergone significant changes in recent years, transitioning from quarterly releases with human intervention to fully automated, multiple daily releases.

Recent Technological Changes:

  • GitLab grew from a small company to a major player.
  • Google Cloud Build and GitHub Actions became prominent CI platforms.
  • Security challenges are mainly about people and processes rather than technology.

Survey Insights from Argon:

  • Over 90% of companies use full CI/CD automation for production.
  • Only 23% feel confident in these processes.
  • The main challenge is collaboration between DevOps and security teams.

Notable Attacks on the Software Supply Chain

High-profile attacks have highlighted vulnerabilities in the software supply chain:

  • Mercedes: Source code leakage through GitLab.
  • Codecov: Attackers modified the software affecting many of its customers.
  • Dependency Confusion: Tricked artifact managers into pulling the wrong packages.
  • SolarWinds: Attackers modified build-time code, affecting thousands of users.
  • Recent GitHub Action Vulnerabilities: Scope of token access leading to security breaches.

In-depth Look at Some Specific Attacks

GitHub Check Spelling Action

An improperly configured GitHub action allowed attackers to gain write access to repositories simply by submitting a carefully crafted pull request.

Workarounds suggested include:

  • Disabling risky workflows.
  • Only allowing verified GitHub actions.
  • Adjusting GitHub token's access level.
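
The three workarounds above can be checked mechanically against a workflow file. The following is an added example, not code from the talk or from Argon; the list of risky triggers, the trusted-owner allow list, and the sample workflow are assumptions made for illustration.

```python
import re

# Assumptions for this sketch (not from the talk): which triggers count as
# "risky" and which action owners the organisation treats as verified.
RISKY_TRIGGERS = ("pull_request_target", "workflow_run")
TRUSTED_OWNERS = {"actions", "github"}

# Constructed sample workflow, embedded so the example runs offline.
SAMPLE_WORKFLOW = """\
name: spelling
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/spell-checker@main
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"@]+)@")
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S*)")

def audit_workflow(text):
    """Return (rule, detail) findings for one workflow file's text."""
    findings, seen_permissions, in_jobs = [], False, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw)  # drop YAML comments
        in_jobs = in_jobs or line.startswith("jobs:")
        # Workaround 1: triggers live in the header, before `jobs:`.
        if not in_jobs:
            for trig in RISKY_TRIGGERS:
                if re.search(rf"\b{trig}\b", line):
                    findings.append(("risky-trigger", trig))
        # Workaround 2: only actions from allow-listed owners.
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            owner = m.group(1).split("/")[0]
            if owner not in TRUSTED_OWNERS:
                findings.append(("untrusted-action", m.group(1)))
        # Workaround 3: the token scope must be declared, and not write-all.
        p = PERMS_RE.match(line)
        if p:
            seen_permissions = True
            if p.group(1) == "write-all":
                findings.append(("token-permissions", "write-all"))
    if not seen_permissions:
        findings.append(("token-permissions", "no permissions block"))
    return findings
```

A workflow with no `permissions:` key is flagged because its token then inherits whatever default the repository or organisation has set.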

Codecov Breach

The attacker modified the Codecov Bash uploader script to exfiltrate environment variables, causing potential data leaks from CI environments.

Preventive Measures with Argon

Argon offers solutions to scan CI workflows, decompose instructions, and apply custom logic to avoid misconfigurations. Examples include checks for code injection and manual approval mechanisms to mitigate risks.

Conclusion

The software supply chain is a multi-phase process that requires comprehensive protection at each step. Argon's controls and unified security solution help safeguard the entire supply chain, ensuring secure releases.

"Any modern build orchestration is complex enough to have multiple code injection points." – GitHub Security Lab

For more discussion or inquiries, feel free to contact us.

Keywords

  • Software Supply Chain
  • Source Code Management
  • CI/CD Automation
  • Artifact Management
  • GitHub Actions
  • Argon Security
  • Dependency Confusion
  • Codecov Breach
  • CI Workflow Security

FAQs

Q1: What is the software supply chain? A: The software supply chain includes the processes from source code management, dependencies, build phases, artifact management, to deployment.

Q2: Why are there security challenges in CI/CD automation? A: The main challenges stem from the collaboration between DevOps and security teams, not just the technology and automation.

Q3: How did the Codecov breach happen? A: Attackers modified the codecov bash uploader script to exfiltrate environment variables from affected CI environments.

Q4: What are some workarounds for GitHub action vulnerabilities? A: Suggested workarounds include disabling risky workflows, only allowing verified actions, and adjusting GitHub token's access levels.

Q5: How does Argon help in securing the software supply chain? A: Argon provides solutions like the pipeline scanner to identify and mitigate misconfigurations and security risks in CI workflows.