CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cloud.pdf
0 likes89 views
The document explores the security risks associated with the software supply chain in infrastructure as code (IaC), highlighting vulnerabilities exposed by incidents like the SolarWinds attack and Log4j exploit. It emphasizes the importance of using digital signatures, Software Bills of Materials (SBOM), and static analysis tools to mitigate risks while underscoring the need for vigilance in code review and dependency management. Key recommendations include using secure module practices, automated scanning, and ensuring the integrity and authenticity of software artifacts.
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cloud.pdf
- 1. Deep dive into the secure software supply chain on Infrastructure as Code (IaC)
- 2. Paolo Mainardi ➔ Co-founder and CTO @Sparkfabrik ➔ Linux Foundation Europe Advisory Member ➔ Blog: paolomainardi.com ➔ Podcast: Continuous Delivery ➔ linkedin.com/in/paolomainardi ➔ continuousdelivery.social/@paolomainardi ➔ [email protected] @paolomainardi
- 3. ➔ What is a Software Supply Chain ➔ IaC and OCI containers ➔ DEMO of Sigstore and Syft THE SESSION
- 4. “A supply chain is a network of individuals and companies who are involved in creating a product and delivering it to the consumer”
- 6. 2020 About 18,000 customers of SolarWinds installed the infected updates, including firms like Microsoft (Cisco, Intel, Deloitte) and top government US agencies like Pentagon, Homeland security, National Nuclear Security etc.
- 7. WHAT SOLARWINDS TAUGHT US ● Only install signed versions ❌ ● Update your software to the latest version ❌ ● Review source code ❌ ● Closed source is more secure by design ❌ CONVENTIONAL SECURITY ADVICE THAT DON’T APPLY HERE:
- 8. Log4j - Log4shell 2021 - CVE-2021-44228 https://www.lunasec.io/docs/blog/log4j-zero-day/
- 9. Timeline - Log4shell 2021 - CVE-2021-44228 ➔ 24th November: Issue discovered by Chen Zhaojun of the Alibaba Cloud Security Team, and reported to the Apache Software Foundation. ➔ 9th December: The RCE 0-day vulnerability was tweeted along with a POC posted on GitHub - RCE can be fired just by passing a certain string ◆ Hours later hundreds of companies and governments confirmed to be affected to Log4Shell attacks ➔ 10th December: Apache released an emergency security update and details on a critical vulnerability in Log4j - assigning a CVSS score of 10. ➔ Patches introduced other critical vulnerabilities: CVE-2021–45046 - CVE-2021–45105 - CVE-2021–4104 ➔ All applications using directly or indirectly log4j are affected as a result of a supply chain dependency
- 11. Source: Sonatype Log4j exploit update
- 12. https://www.sonatype.com/state-of-the-software-supply-chain/introduction
- 15. Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google
- 17. Infrastructure as code ➔ Declarative describe your infrastructure as code ◆ K8S, VMs, networks, storage, users, permissions… ➔ Examples: ◆ Terraform - OpenTofu (HCL) ◆ Pulumi (Typescript, Python, GO, C#, Java, YAML) ◆ Crossplane (Kubernetes) (YAML)
- 18. Extensible with dependencies ● Terraform registry ○ Providers ○ Modules ● Crossplane Contrib ○ Providers ○ Compositions (XRD) ● Pulumi registry ○ Packages
- 20. TERRAFORM: PROVIDERS AND MODULES ● Providers are API implementation (GCP, AWS, DO etc…) and Modules are groups of resources. ● Terraform providers and modules used in your Terraform configuration have full access to the variables and Terraform state within a workspace
- 21. ● Modules don’t have any form of signature or checksum (tampering risk) ● Anyone can publish a module on public Terraform Registry from a Github repository (typosquatting risk) ● Modules versions are based on git tags (tampering risk) TERRAFORM: ANATOMY OF A MODULE AND SECURITY RISKS
- 22. What can a module do, other than create cloud resources?
- 23. TERRAFORM: MODULE MALICIOUS CODE ● Can run any form of custom code (local-exec, external) ● Can interact with the network using the http provider
- 24. Hey team, we have an urgency for a big marketing campaign just confirmed by the customer. We need to deploy a new static website on GCP and give access to an external team to let them update it when needed, can you help us? Please 🥺 BUSINESS REQUEST ON THURSDAY, DEADLINE IS FRIDAY
- 25. TERRAFORM: Find a module on Google: “gcp static website terraform” Step 1 - Found the module we need
- 26. �� TERRAFORM: Review the module’s code Step 2 - Quickly review the code
- 27. TERRAFORM: Get hacked Step 3 - Got hacked - Saturday morning call: we have been hacked, what happened ??
- 28. TERRAFORM: HOW TO DETECT A SERVICE ACCOUNT LEAK ?
- 29. TERRAFORM: DETECT SERVICE ACCOUNT LEAK WITH CHECKOV https://github.com/bridgecrewio/checkov
- 30. TERRAFORM: DETECT SERVICE ACCOUNT LEAK WITH CHECKOV
- 31. TERRAFORM: DETECT SERVICE ACCOUNT LEAK WITH CHECKOV
- 32. LESSON LEARNED
- 33. TERRAFORM: MODULE MALICIOUS CODE Do not blindly trust community modules Always use a static security scan tool like Checkhov or TFscan or Trivy Not enough alone, write your own policies.
- 34. DOCKER OCI IMAGES DEEP-DIVE
- 35. OCI stands for Open Container Initiative. OCI defines the specifications and standards for container technologies (Runtime, Image and Distribution spec). Container registries can be also used to store other kind of artifacts (like Helm charts) or just any arbitrary files.
- 36. What is the trusting model behind a Container Image, or in general, a digital artifact? How can i be sure that what I’m running is coming from a trusted source?
- 38. SECURE SOFTWARE SUPPLY CHAIN CHECKLIST ✅ Who built it, when and how (Signatures and Provenance Attestations) ✅ The list of things who made the artifact (SBOM - Software Bill of Material)
- 39. DIGITAL SIGNATURES 101 Integrity Ensure the data signed was not altered. Authenticity Attest that the data was sent by the signer. Non-repudiation Ensure that the signer cannot deny the authenticity of the signature.
- 40. Managing keys is hard Distribution, Storage, Compromise
- 41. DIGITAL SIGNATURES - SIGSTORE Sigstore is an OSS project under the umbrella of OpenSSF foundation. Fast growing community and mainstream adopted Used in Kubernetes and many other big vendors (Github, Rubygems, Arch Linux etc..)
- 42. DIGITAL SIGNATURES - SIGSTORE Keyless signing of any software artifact Signatures metadata are stored in a public tamper-resistant log Signatures are stored alongside images in OCI registry
- 43. SBOM: SOFTWARE BILL OF MATERIALS A list of “ingredients” for a software artifact Can be used for: ➔ Vulnerability scanning ➔ Software transparency ➔ License policy ➔ Find abandoned dependencies
- 44. SBOM FOR CONTAINERS Creating a SBOM for an artifact is a complex problem Dependencies live at different levels: ➔ Operating system (Windows, Debian, Alpine etc…) ➔ Operating system dependencies (RPM, DEB, APK, PKG…) ➔ Application dependencies (Composer, NPM, Rubygems, Pypi, etc…) ➔ Static binaries and their dependencies (Go, Rust etc…)
- 45. SBOM - Tools $ docker sbom
- 46. DEMO
- 47. Takeaways ➔ Software Supply Chain security must be taken very seriously ➔ IaC suffers from the same issues of the software projects ➔ Always use static analysis tools for like Checkov | Trivy | TFSec ➔ Sign your artifacts, Sigstore is nice and easy! ➔ Generate SBOM and scan for vulnerabilities Snyk | Grype | Trivy ➔ Automate your dependencies with DependaBot or RenovateBot
- 48. THANKS