Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Continuous Delivery Foundation / CD Summit 2022 - Detroit / 4 Nov 2022
Continuous Delivery Foundation / CD Summit 2022 - Detroit / 4 Nov 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Hacking the OSS Supply Chain - Stephen Chin, JFrog

Description

For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/

Hacking the OSS Supply Chain - Stephen Chin, JFrog

Developers depend upon an ecosystem of open-source technologies that fuel innovation and decrease time to market. A typical business application is composed of 80% open source code, so what happens when the open source software supply chain gets hacked and thousands of enterprises are left exposed to potentially devastating security exploits. The SolarWinds hack and log4shell exploits are just the tip of the iceberg on a much larger security concern that spans the industry affecting all programming languages, platforms, and cloud services. In this keynote we will expose security holes and exploits in the open source ecosystem as well as talk about Pyrsia, an OSS project that aims to secure the open source software supply chain at a fundamental level.

A

I want to talk a little bit about a project which I founded and which we're bringing to the CD Foundation, but first I want to kind of back up and talk about. Why do we actually need more security, software and, and how does this affect the sort of systems which we all build so I?

A

Think if you're, if you're working in a technology company you, you know that over 80 percent of the software which most big companies use, is open source software, so you're, depending upon open source libraries you're pulling in dependencies from different Central repositories? And this accelerates development.

A

It helps you to um build faster and to contribute back, but it also introduces a certain amount of risk when you have zero day attacks when you have security, exploits and other things which are coming and I think if you weren't already popular for being a software developer or for working in the technology industry. Now your um your grandma, your parents, everyone we'll we'll hear about you in the news with the latest incident, whether it's the log for J attack the solarwinds exploit, which kind of made headlines this Pro. This um introduced.

A

A whole bunch of legislation from the government, such as the Biden administration's new security mandates, um there's a new H.R 7900 bill, which just recently came out, which requires you to secure a software and provide that there's. No security, vulnerabilities and software you're selling to the government agencies, and um you know even incidents like log for J or log for Shell impact, our industry, so who had to patch a production system last um beginning of last year.

A

Okay, so quite a number of folks um either you or your teams who are doing it, and um these are the things which, if on the are really just the tip of the iceberg for what's happening with security exploits so how many folks use software from one of these areas: npm, Pi, Pi? Okay, if you're not raising your hand, you're, not a developer, and um we, we trust all of these um Central repositories for where we get our information.

A

But there are a lot of vulnerabilities which they expose us to, and one of the vulnerabilities which came out is the dependency confusion attack. This was popularized by Alex person, but actually it was. It was known as a potential exploit for much much longer than this, and basically the way this exploit works is you, um let's say: you're you're a company, and you have your awesome.

A

Corporate live version 1.2 somebody else such as Alex publishes awesome corporate lib version, 6.6.6 in essential repository and um your vulnerable package manager goes and retrieves the latest version, and it goes- and it says: aha, actually, the latest versions out there in the public and I'm going to pull that version, and it's it's slightly worse than this as well. um So, in particular like um the way npm works, it also advertises when you, when you go to um npm and you request a package, it advertises what you're requesting.

A

So you can also intercept and you can figure out what the namespaces are for internal corporate libraries- and um you know this is this- is very bad stuff because you never want to be pulling your corporate libraries from an external source, and um you know bad stuff happens when the big red button gets pushed by the little kitties okay. So this is the dependency confusion, attack you it's easy to patch.

A

Now, if you're using a package manager which blocks you from the sort of attack like artifactory and um this netted Alex person um over 130k from various U.S corporations, so he um a whole bunch of company I think was Facebook Apple a whole bunch of different large corporations, where he basically did bug bounties simultaneously across dozens of organizations and collected it all for the same bug. So you would think this is an isolated incident.

A

But um just recently our security team found a whole bunch of packages published at 10 pm and they're, basically doing a um typo squatting attack on not putting the namespace prefixes on Azure. So if you're using any of the Azure libraries, so core tracing um Azure tools, Azure tests catalang, was also targeted.

A

If you use any of these libraries and if you forgot the namespace prefix or if you you know your ID shortened, it then you'd be pulling down a malicious Library instead of the library you're expecting to get, and they also cleverly did this where they set up a bunch of fake user accounts so that there was no correlation between the different libraries which were uploaded. So we reported this to npm.

A

All the vulnerable packages were taken down, but this is another example of um Bad actors taking advantage of poorly designed systems from a security perspective that we all rely on, and anybody want to take a guess at how many vulnerable packages our security team has found in npm to date, just round numbers throw something out in the back of the room, all right hundred thousand. That's that's high 2000! Okay, that's that's low!

A

um So the the actual number um and I confirmed this last week with our security research team is seventeen thousand vulnerable packages so far, and um it is quite easy um to upload things to npm to upload things to Pi Pi. They don't enforce namespaces, they don't enforce um kind of the common things which you would expect them to from a security perspective.

A

Okay, so hopefully we can do better, and uh one of the goals of Persia is to create a more secure way for us to distribute open source for us to secure the open source supply chain and to do that in a like collaborative Community, open source way. So this this project is designed so that it's um it was always intended to be donated to a foundation, so we're very, very glad that the continuous delivery Foundation is a very good home for us.

A

um The name Persia has Greek Origins. So it comes from the word fire pyro, and this was an ancient Greek system to communicate over mountaintops, um so they would have ten torches. They would line those up with the the grid for the alphabet and then be able to communicate letters, and when we think of Persia we want a system, that's very reliable.

A

Even Central repository is going down like outages and npm or Pi Pi or Maven Central. Those are like big denial of service attacks against the open source. Community. You can't do your builds. You can't get things running. We want something. That's secure that enforces proper namespaces that builds from source that provides security, guarantees that you can start to make so that you know the provenance of the artifacts which you're using and something that's open. That's fully open source solution. You can inspect the code. You can make sure that it it works.

A

Well, we'll talk later about the design of the code itself and the way we accomplish this is first of all, building it via peer-to-peer Network. So the Persia network is designed to be fully peer-to-peer.

A

um We also do builds where we're building, not just from one company or one company's infrastructure, we're doing, builds across multiple companies and we're verifying those builds against each other to ensure that um the basic guarantee you get from the Persia network is when you download something it will be the same artifact that you would get if you built it yourself from source code and I think this is a really important guarantee because it it avoids supply chain attacks like what happened to solarwinds, where, after you do a build or in the build process.

A

In their case, they had a um they got in the network for for the company and then they it doesn't matter what their CI technology was, but they're using team City and then, after the build, they injected the malicious code right before the signing process. So um if you built their code from Source, it's a that. In their case, it was proprietary, not open source, but for an open source project.

A

If you build from Source, you want to get exactly the same results um out of the network in which you're downloading, as if you built it yourself and um the last key component of this- is a mutable transaction ledger, so that you have that full traceability into um who who signed it, who's built it who's, verified the images and what you're building and then you can layer this into software, build materials and other Downstream security systems where you need to guarantee the code base.

A

So we're not doing this alone, there's a whole bunch of companies which are collaborating together, jfrog. So um you know, of course, I work at jfrog. We have great support from Docker who's, collaborating with on with us on this and one of the first ecosystems we're supporting is downloading Docker packages. Docker image files from the network deploy Hub Steve Taylor has done a lot of tremendous work on the projects.

A

Also chat with him, um Huawei and future way have been great as well so um David who's on the board has been supporting this and then um Eric Sedler from Oracle is our sponsor there.

A

So we have a lot of great companies who are contributing we're looking for more people who want to join the project to run an authorized node to help us with the build from source and to make sure that this is a a distributed open network where it has a lot of the ecosystem represented, and that makes it a very hard attack surface for attackers and hackers who want to compromise the network.

A

So um hopefully this taught you a little bit about where we're doing the Persia project, we'll get you excited to either try it to use it to download your packages um or to contribute, as a company and I'm very pleased to be able to open up the CD Summit and watch all the great presentations today. So thank you.