Practical Examples to Protect your Software from Supply Chain Threats
Bryan Whyte, Technical Sales Manager, Sonatype
Shlomo Bielak, Chief Technology Officer, Benchmark
The way we build/manage/run software has changed forever.
“Cease reliance on mass inspection to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.”— W. EDWARDS DEMING
What Makes up a Software Supply Chain?
Open Source Components / Source Code / Containers / Infrastructure as Code (IaC)
Open source: ≈90% of a modern app is composed of OSS; 21,000+ new versions of OSS libraries are released per day.
First-party code: expect release velocity to increase 208x.
Containers: by 2022, more than 75% of global organizations will be running containerized applications in production.
Infrastructure as Code: by 2023, 60% of organizations will use infrastructure automation tools as part of their DevOps toolchains, improving deployment efficiency by 25%.
The three points of supply chain attacks
UPSTREAM
• Manufacture issues in dependencies that have wide adoption; these are further distributed to mirrors
• Used by devs in their applications - often just downloading is enough
MIDSTREAM / IN YOUR SDLC
• Influence the tooling devs and ops use through poisoned components
• Influence applications through tooling to poison your components
• Exploit known issues
DOWNSTREAM
• Applications get forked, reach clients, and beyond
• Introduce malicious behavior to affect your clients
Accelerating Software Supply Chain Attacks 2014 - 2021
2012 – 2014
OpenSSL "Heartbleed" security bug, introduced into the OSS project in 2012, is discovered by researchers in 2014. Over 800,000 TLS-enabled websites were left vulnerable.
March 2015 – June 2019
Sonatype and Backstabber's Collection researchers record 216 typosquatting, malicious code injection and social engineering attacks on OSS projects.
June 2016
Researcher Nikolai Tschacher publishes a thesis detailing 214 typosquatted packages tied to remote code execution on 17,000 computers.
2017
Equifax, Canada Revenue Agency, Statistics Canada, GMO Payment Gateway, Okinawa Power, Japan Post and India Post breached as a result of the vulnerable Struts open source web application framework.
Breaches started occurring within 3 days of the vulnerability announcement.
July 2019 – June 2020
Sonatype and Backstabber's Collection researchers record 929 new attacks on OSS projects – a 430% increase over the previous four years.
Dependency confusion timeline
Jul 2020
Sonatype's automated malware detection system flags "security research" packages posted by Alex Birsan.
Sonatype adds them to the data powering next-gen Nexus Intelligence products.
Jul 2020 – Feb 2021
Birsan continues to post the research packages, and Sonatype's automated malware detection system continues flagging them to protect customers from any rogue behaviour.
Feb 9, 2021
Alex Birsan releases his research blog post "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies".
Details released on 35 companies that used one or more of the "research" OSS packages.
Sonatype and Microsoft also publish write-ups on the same day.
Feb 12, 2021
72 hours in, 300+ copycats emerge.
Feb 16, 2021
Detection of dependency confusion copycat packages reaches 7000% above the previous week's baseline.
Feb 22, 2021
News is widely circulated, with mentions in 10 major tech publications.
575 copycat packages identified as of 22 Feb.
Mar 2, 2021
750+ copycat packages identified; known malicious code seen.
Mar 3, 2021
PyPI and npm flooded with 5,000 copycats.
Mar 9, 2021
8,000+ copycats.
Mar 15, 2021
10,000+ copycats.
Typosquatting & Brandjacking Malware
• Malicious npm components (discord.dll, discord.app, …) targeting Discord app developers
• Obfuscated code stole the Discord token, browser files and user info
• Successor to the "fallguys" brandjacking malware that had impersonated the "Fall Guys: Ultimate Knockout" game API
• Named after the genuine package "discord.js", which gets over 280K weekly downloads
• Tricks you into installing the counterfeit component
• Discovered by Sonatype and reported immediately; npm took it down
• "twilio-npm" brandjacking malware named after the popular cloud communications provider, Twilio
• Launched a reverse shell at install time – opened the user to a remote code execution attack
• Automatically discovered by Sonatype "Release Integrity"; npm took it down
• The legitimate "twilio" package has > 40 million downloads
Full-Spectrum Software Supply Chain Management
UPSTREAM → MIDSTREAM / IN YOUR SDLC → DOWNSTREAM
1. Open Source & Third Party: source the best open-source & third-party components.
2. First Party: build applications that are secure, reliable & performant from the start.
3. Packaging: bundle your application with the most secure & compliant container available.
4. Deployment: ensure the production environment you deploy to is as secure & compliant as the application being deployed.
5. Protect: enforce Data Loss Prevention (DLP) and prevent zero-day malware and network attacks, tunneling, and breaches.
Full-Spectrum Software Supply Chain Management
Nexus Firewall: automatically stop risk and detect threats from malicious supply chain attacks. Covers: open source.
Nexus Repository: manage libraries, artifacts, and release candidates across the SDLC.
Dependency Confusion / Namespace Conflict Protection
• Hosted repository configured for internally developed components ONLY
• Firewall policy set to Security - Namespace Conflict
• Internally developed component "asap" is now only available from npm-hosted; a same-named package appearing on the public registry is quarantined by the policy instead of being served through the proxy, so a higher public version number cannot win resolution.
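An added example, not Sonatype's code, that models the resolution behaviour the slide describes: a group repository with an npm-hosted member that holds only internal components and an npm-proxy member that caches the public registry. The repository contents, the version numbers and the effect attributed to the "Security - Namespace Conflict" rule are assumptions made for the example; the real public "asap" package is not involved.

```python
"""Dependency-confusion defence modelled on a repository group.

Constructed example.  A group answers a package request from two members:
'npm-hosted' (internal components only) and 'npm-proxy' (public registry).
If the resolver simply takes the highest version found anywhere, an attacker
who publishes 'asap@99.0.0' publicly wins.  The namespace-conflict policy
quarantines public versions of any name that exists in the hosted repo.
"""


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); pre-release tags are ignored in this example."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def satisfies(version, spec):
    """Tiny subset of npm ranges: '*'/'latest', exact 'X.Y.Z', or caret '^X.Y.Z'."""
    if spec in ("*", "latest"):
        return True
    if spec.startswith("^"):
        want = parse_version(spec[1:])
        have = parse_version(version)
        return have[0] == want[0] and have >= want
    return parse_version(version) == parse_version(spec)


# Constructed repository indexes; version numbers are illustrative only.
NPM_HOSTED = {"asap": ["1.0.0", "1.1.0"], "billing-core": ["0.4.2"]}
NPM_PROXY = {"asap": ["2.0.0", "99.0.0"], "lodash": ["4.17.20", "4.17.21"]}
REPOS = {"npm-hosted": NPM_HOSTED, "npm-proxy": NPM_PROXY}


def _best(candidates):
    """candidates: iterable of (repo, version); highest version or None."""
    return max(candidates, key=lambda rv: parse_version(rv[1]), default=None)


def resolve_naive(name, spec="*", repos=REPOS):
    """No protection: the highest matching version from any member repo wins."""
    cands = [(repo, v) for repo, index in repos.items()
             for v in index.get(name, []) if satisfies(v, spec)]
    return _best(cands)


def namespace_conflicts(hosted, proxy):
    """Names published internally that also exist on the public registry,
    i.e. what a namespace-conflict policy would flag."""
    return set(hosted) & set(proxy)


def resolve_protected(name, spec="*", repos=REPOS, hosted_repo="npm-hosted"):
    """Namespace-conflict policy: once a name is claimed by the hosted repo,
    proxied copies are quarantined and never considered, however new."""
    internal = repos[hosted_repo]
    if name in internal:
        cands = [(hosted_repo, v) for v in internal[name] if satisfies(v, spec)]
        return _best(cands)   # None -> fail closed; never fall back to the proxy
    return resolve_naive(name, spec, repos)


if __name__ == "__main__":
    print("conflicts:", namespace_conflicts(NPM_HOSTED, NPM_PROXY))
    print("naive     asap@*      ->", resolve_naive("asap"))
    print("protected asap@*      ->", resolve_protected("asap"))
    print("protected asap@^2.0.0 ->", resolve_protected("asap", "^2.0.0"))
```

The design choice to note is the fail-closed branch: when a build asks for an internal name with a range that no hosted version satisfies, the protected resolver returns nothing rather than quietly falling through to the proxy. A broken build is the correct outcome there, because the only package that would have satisfied the range is the one the attacker published.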
Full-Spectrum Software Supply Chain Management (continued)
Infrastructure as Code Pack for Lifecycle: security and policy guidance for developers configuring IaC.
Nexus Container: secure and protect containers from dev time to run time.
Sonatype Lift: accurate and actionable feedback delivered during code review (PR), where devs are 70x more likely to fix bugs.
Nexus Lifecycle: continuously identify risk, enforce policy, and remediate vulns across the entire SDLC.
Coverage: ✓ Open Source ✓ Source Code ✓ Containerized Code ✓ Infra as Code
Nexus Container Threats Automatically Detected
SYN Flood, ICMP Flood, IP Teardrop, TCP Split Handshake, Ping Death, DNS Flood DDoS,
Detect SSH 1, 2, or 3, Detect SSL TLS v1.0, SSL Heartbleed,
HTTP Neg Content, HTTP Smuggling, HTTP Slowloris DDoS,
TCP small window, DNS Buffer Overflow, MySQL Access deny,
DNS Zone Transfer, ICMP Tunneling, DNS Null Type,
SQL Injection, Apache Struts RCE, DNS Tunneling,
TCP Small MSS, Cipher Overflow
100% powered by Nexus Intelligence
Superior open source data service continuously refined by AI, machine learning, and 65 world-class researchers.
• 97% proprietary
• 10M unique vulns
• 1.4M Sonatype IDs
• 12-hour fast tracks
• 8B files
• 67M components
• 2M projects
• 41 ecosystems
Thank you!
sonatype.com
Subho Mukherjee, Sonatype Regional Director - [email protected]
Bryan Whyte, Sonatype Technical Sales Manager - [email protected]