PostHole
Compose Login
You are browsing eu.zone1 in read-only mode. Log in to participate.
rss-bridge 2022-10-25T23:54:00+00:00

Episode 535: Dan Lorenc on Supply Chain Attacks

Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone else's supply chain; techniques for attacking the supply chain, including compromising the compilers, injecting code into installers, dependency confusion, and typo squatting. They also consider Ken Thompson's paper on injecting a backdoor into the C compiler. The episode then considers some well-known supply chain attacks: researcher Alex Birsan's dependency confusion attack; the log4shell attack on the Java Virtual Machine; the pervasiveness of compilers and interpreters where you don't expect them; the SolarWinds attack on a network security product; and CodeCov compromising the installer with code to insert exfiltration of environment variables into the installer. The conversation ends with some lessons learned, including how to protect your supply chain and the challenge of dependencies with modern languages.

Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone else’s supply chain; techniques for attacking the supply chain, including compromising the compilers, injecting code into installers, dependency confusion, and typo squatting. They also consider Ken Thompson’s paper on injecting a backdoor into the C compiler. The episode then considers some well-known supply chain attacks: researcher Alex Birsan’s dependency confusion attack; the log4shell attack on the Java Virtual Machine; the pervasiveness of compilers and interpreters where you don’t expect them; the SolarWinds attack on a network security product; and CodeCov compromising the installer with code to insert exfiltration of environment variables into the installer. The conversation ends with some lessons learned, including how to protect your supply chain and the challenge of dependencies with modern languages.

Transcript

Transcript brought to you by IEEE Software magazine.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Robert Blumen 00:00:17 For Software Engineering Radio, this is Robert Blumen. Today I have with me Dan Lorenc. Dan is the founder and CEO of Chainguard, a startup in the software supply chain security area. Prior to founding Chainguard, Dan was a software engineer at Google, Discuss, and Microsoft. Dan, welcome to Software Engineering Radio.

Dan Lorenc 00:00:42 Thanks for having me.

Robert Blumen 00:00:43 Today, Dan and I will be discussing attacks on the software supply chain. We have some other content in this area, number 498 on CD, 338 on Jenkins, and several others on CD that you can see in the show notes. This episode will be all gloom and doom, but don’t despair, we will publish another one later this year about securing the software supply chain. There’s so much here to talk about. I wanted to do an entire episode on attacks. Dan, before we get started, is there anything else you’d like listeners to know about your background that I didn’t cover?

Dan Lorenc 00:01:25 No, that was a pretty good summary.

Robert Blumen 00:01:27 Okay. We have covered this before, but let’s do a brief review. When we’re talking about software supply chain, what are the main pieces?

Dan Lorenc 00:01:37 Yeah, so software supply chain is very similar to a physical one. It is all the other companies, people, individuals, communities responsible for taking all of the dependencies and other systems that you use to build your software; getting those to you, keeping them up to date, keeping them secure and letting you use them in the course of your development of your software. And then the downstream side of that as well. We’re all in this massive software supply chain together. Nobody is building code on an island. Nobody’s building code by themselves. So most people working on software are somewhere in the middle of that chain. So all of your consumers, all of those people taking and using your software in their day to day life. That’s how I think of the software supply chain.

Robert Blumen 00:02:16 If I understand, then there are parts that you run, like perhaps a build server. There are dependencies that you pull in and then if you publish software or an API, you become part of the supply chain for other people. Did I get that right?

Dan Lorenc 00:02:31 Yep. Yeah, that’s a great summary.

Robert Blumen 00:02:33 What is the attack surface of the supply chain?

Dan Lorenc 00:02:37 It is massive, right? So it’s all those groups, all those systems, all those companies, all those build servers, all those organizations involved in getting you your code that you use, getting you your dependencies and your libraries and your services. Any one of them can be attacked. So the attack surface is absolutely massive.

Robert Blumen 00:02:53 As I’ve been reading about this, it seems that certain things tend to get mentioned a lot, one of them being Jenkins and another one being NPM. Am I making somewhat of a biased or disproportionate reading with the literature, or are those really the points that people are attacking the most?

Dan Lorenc 00:03:15 No, I think you see that in the news the most because they’re the most widespread and most ubiquitous systems. They’re in different spots in the software life cycle and the software supply chain completely, but they’re both incredibly common and you’ll find them pretty much any organization developing software out there today. Jenkins is an automation server that is commonly used for CI/CD tasks. So you click a button, it checks out your code runs, tests, builds it, publishes it, that kind of thing. NPM is a package manager for JavaScript, and it’s kind of used for both NodeJS and front-end JavaScript, that people do on websites. So even if you have as a company you’re doing Java or Go or some other type of backend, you almost always have some front end website somewhere. So you’ve got JavaScript even if you don’t use that as your backend language. So that’s why NPM is one of the most widely used and most common open-source package managers. So because of that, I think that’s why we see these two in most of the headlines.

Robert Blumen 00:04:07 I found a report from Sonatype called “state of the software supply chain.” According to this report, software supply chain attacks have increased 650% and are having a severe impact on business operations. Some attacks reportedly have caused billions of dollars of damage. Why have attackers turned their attention to the supply chain in recent years?

Dan Lorenc 00:04:32 Yeah, I think there’s no clear commonly accepted answer here. I have my pet theory and some folks have shared it, but these aren’t new, right? Sonotype is picking up these trends and the trends are new, but software supply chain attacks aren’t very new. They go all the way back to the early eighties, actually. The first one that I found was from Ken Thompson’s famous paper “Reflections on Trusting Trust,” which we can talk about more later if you want. But we’ve known about these for going on 40 years, but what we are seeing is attackers actually targeting them. The best answer I’ve heard for why now is a combination of a few factors, but the biggest one is that we’ve finally just gotten good enough at locking down and applying basic security hygiene everywhere else. Attackers are lazy on purpose. They take the easiest way in when they want to target an organization.

Dan Lorenc 00:05:16 Supply chain attacks haven’t gotten much easier. They’ve gotten a little bit easier just in with the rise of open source and the more interconnected web of services that we’re using today, but not markedly be easier, but they’ve become much easier in comparison to all of the other methods. We’re finally using SSL everywhere across the internet. If you look back 5 or 10 years, we weren’t quite at that level of ubiquity. MFA is finally still taking off even though it’s been slow and somewhat controversial in some circles. Strong password hygiene, all of these things used to be much easier ways to attack with basic fishing campaigns. But as we’ve gotten good enough at preventing these other methods of intrusion, the supply chain becomes more attractive relatively.

Robert Blumen 00:05:55 Is it possible to generalize what are the intentions of the attackers, or is supply chain simply a mode of attack and the usual reasons may not have changed?

[...]

Original source

Reply