Aqua Security's recent report highlights the increasing threat of supply chain attacks. According to the report, supply chain attacks grew by 300% from 2020 to 2021 while the level of security across software development environments remained low. Google and the Cloud Native Computing Foundation (CNCF) have recently released papers detailing approaches to improving the security of the supply chain.
The study was conducted by Argon Security, a recent acquisition of Aqua Security, over a period of six months and examined a number of customers' practices and supply chains. The study identified three primary areas of risk that companies should focus on to improve the security of the supply chain.
The first area is usage of vulnerable packages. The report notes the prevalent usage of open source code in almost all commercial software. This code can have its own vulnerabilities and keeping it up to date requires time and effort. They note two common attacks that leverage vulnerable packages: exploiting existing vulnerabilities and package poisoning. The recent Log4j vulnerabilities are an example of the former and the compromise of the ua-parser.js package is an example of poisoning.
The second area where attackers can focus is compromised pipeline tools. The Codecov supply chain breach is an example of this. In that attack, the Codecov bash uploader was compromised via a Docker image. Over a period of a couple of months, the attackers were able to extract environment variables from the CI process, exposing sensitive data of Codecov's customers.
The final area they note relates to code and artifact integrity. This includes the uploading, malicious or not, of bad or sensitive code to source code repositories. The team found a number of issues within the surveyed customer environments including container image vulnerabilities, sensitive data published to code repositories, and code quality and security issues.
The study notes that addressing these challenges is hampered by the lack of resources on most security and software teams. As Eran Orzel, chief revenue officer at Argon Security, notes:
"Most AppSec teams lack the resources, budget, and knowledge to sufficiently address the risk of supply chain attacks. This is further complicated by the need for cooperation from development and DevOps teams."
Both Google and the Cloud Native Computing Foundation (CNCF) have released guidelines to help improve the integrity of software packages. Google's Supply Chain Levels for Software Artifacts (SLSA) framework builds upon their internal Binary Authorization for Borg framework. It declares that all software artifacts should be non-unilateral and auditable. Non-unilateral implies that no single person can modify the artifact within the chain without review and approval from at least one other individual. Having the artifacts be auditable, ideally in an automated fashion, aids investigations if an attack is suspected.
The framework further defines four security levels, with SLSA 4 representing the ideal end state. SLSA 1 requires build processes to be fully scripted and to generate provenance. Provenance is metadata about how the artifact was built, including information on ownership, sources, dependencies, and the build process used. Google released a proof-of-concept GitHub Action that demonstrates producing provenance in compliance with SLSA 1.
SLSA 2 moves up a level by requiring the use of version control and a hosted build service that is generating authenticated provenance. SLSA 3 adds a requirement for the source and build platforms to be sufficiently auditable, both for the source of the code and the integrity of the provenance.
The final state, SLSA 4, requires two-person reviews of all changes and a hermetic, reproducible build process. Kim Lewandowski states that "two-person review is an industry best practice for catching mistakes and deterring bad behavior". Hermetic builds are self-contained and only rely on services internal to the build environment. This includes known versions of build tools and other dependencies, such as code libraries. Having the builds be reproducible aids in auditability of the supply chain.
The CNCF paper, Software Supply Chain Security Best Practices, defines four key principles for supply chain security: trust, automation, clarity, and mutual authentication. Each step of the process must be trustworthy using cryptographic attestation and verification. The use of automation can reduce both human error and configuration drift. The build processes and environment should be clearly defined and scoped accordingly. Mutual authentication requires that all entities in the supply chain are using hardened authentication mechanisms with regular key rotation.
For more details on the report's findings, readers are directed to the Aqua Security Supply Chain Attacks study.