This Week in Software Supply Chain Security: August 22 - August 28, 2024
It's the end of summer vacations!
Welcome to This Week in Supply Chain Security, your essential weekly resource for the latest developments in software supply chain security. Each week, we bring you critical insights and updates to help you stay ahead in safeguarding your software supply chain. Brought to you by the open source security experts at Stacklok.
🚨 Recent Security Incidents
A selection of the most impactful security breaches or threats in supply chains
Malicious Package Steals Code From One Package, Stars From Another
Stacklok (my employer) found an interesting malware package in PyPI recently: a package which largely lifted its contents and API from the popular requests
library, but reported being built from a different popular GitHub library for driving web tests. After digging through some
💡 Free Tools and Tips
New open-source and free (as in beer) supply chain security tools
Dalec Aims To Reproducibly Build Containers
Microsoft has released a tool called dalec
which aims to support reproducibly building system packages and then containers from those packages. The tools support declarative YAML configuration which produces minimal, reproducible images with SBOMs, including support for Windows containers and Azure Linux 2 and 3. The underlying package RPMs / DEBs / EXEs can also be signed, though it doesn’t look to have signing of the generated images yet.
Docker Attempts to Gamify Fixing Those Vulnerabilities
Docker has added health scores to its Docker Scout supply chain security product. Docker Scout is free for individual use, though you’ll be expected to pay beyond 3 hosted repos. Also, the health scores are only visible within the organization, so you won’t get to see the scores for popular packages. For your own images, it will check a bunch of baseline artifact rules, including checking for SBOMs and outdated or vulnerable dependencies.
Attacking GitHub Actions
John Stawinski has published a map of GitHub Actions attacks based on the research he did with Adnan Khan and presented at Black Hat / Defcon. It’s not really “software”, as the repo contains just an SVG, but it’s a handy way to orient yourself if you’re trying to figure out what you need to protect in your Actions CI. I’d love to see similar diagrams for attacking other common CI platforms (Hello Jenkins!).
👀 Community and Public Sector Updates
Fresh SLSA
The OpenSSF SLSA working group has produced a draft v1.1 spec. For those not familiar with SLSA, this is a supply chain security framework which spells out most of the known supply chain attacks as well as mitigations for many of those attacks. Additionally, the SLSA spec defines a set of attestations which can be used to document and verify that a secure supply chain process was followed for a particular artifact. Finally, SLSA defines a common set of security levels from 0 to 3 for build processes. The v1.1 release candidate includes a number of clarifications to the attestations as well as the threat model.
GitLab Reports Security a Top Investment
GitLab’s 2024 Global DevSecOps Report (that’s a mouthful!) shows a shift in investment towards security (and AI), and away from cloud computing and devops. There are a number of interesting gems in the report, but the one that particularly struck me was that 40% of developers reported that at least half their code was from OSS libraries. Another was that teams are using more tools than last year, but are less happy about having even more tools to manage.
That’s all for this week! See you next Thursday…