01 July 2025

Supply Chain Security

With increasing threats and regulations, supply chain security gets more important every day. I want to give an overview of the threats and mitigations that are out there — with a focus on open source solutions.

Platform Engineering
Security & Compliance
IT-Security

Threats

The software supply chain is a complex system with many interconnected components, creating a large and diverse attack surface. This complexity inherently leads to a wide variety of potential attack vectors, which is reflected in the diverse nature of software supply chain attacks observed today. The writers of the SLSA supply chain security standard provide a good overview in this image:

Supply chain threats, according to slsa.dev

This also matches what we saw in some of the (in)famous attacks that happened over the years:

SolarWinds:
SolarWinds’ build platform got compromised and the attacker installed an implant, which injected a backdoor into the artefact during build.

Codecov:
Attackers used leaked credentials from a Docker layer to upload a malicious package to the GCS bucket where users would download said package.

The CNCF has a list of past attacks which also illustrates the variety of possible attacks quite well.

Mitigations

The open source community has created some frameworks and best practices to address this looming threat.

SLSA (Supply Chain Levels for Software Artifacts)

SLSA, launched by Google in 2021, is a security framework designed to enhance the integrity of software supply chains. It’s structured into four levels, each offering progressively stronger security guarantees. Right now, SLSA secures the build process. However, version 1.2 is set to add levels and definitions to secure the source code as well.

At the heart of SLSA lies the concept of provenance, a verifiable record of the entire build process that provides customers with a clear interface for validation.

SLSA also has some drawbacks! The most obvious one is that it only covers a fraction of the supply chain. This will get better with newer versions, but right now it’s incomplete. There is also no conformance program, so projects determine the level of their supply chain themselves. Some projects publish their SLSA assessment, as ArgoCD does; for others, you can only verify the artefact and its provenance.
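What "verifying the artefact and its provenance" means on the consumer side, as an added example that is not taken from SLSA or any project mentioned here: a policy check over an in-toto statement carrying a SLSA v1 provenance predicate. The artefact bytes, the builder ID and the statement (trimmed to the fields the check reads) are constructed, and the check assumes the signature on the envelope around the statement has already been verified.

```python
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"


def _dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a level is missing or not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def check_provenance(artifact, statement_json, trusted_builders):
    """Return the list of policy failures; an empty list means the artefact passes."""
    try:
        st = json.loads(statement_json)
    except json.JSONDecodeError:
        return ["provenance is not valid JSON"]
    failures = []
    if _dig(st, "_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if _dig(st, "predicateType") != SLSA_PREDICATE:
        failures.append("not a SLSA v1 provenance predicate")
    # The artefact we hold must be one of the subjects the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = _dig(st, "subject")
    attested = [_dig(s, "digest", "sha256") for s in subjects] if isinstance(subjects, list) else []
    if digest not in attested:
        failures.append("artefact digest is not a subject of this provenance")
    # Provenance is only worth as much as the build platform that produced it.
    builder = _dig(st, "predicate", "runDetails", "builder", "id")
    if not isinstance(builder, str) or builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder!r}")
    return failures


# Constructed sample data: artefact bytes and builder ID are made up for illustration.
SAMPLE_ARTIFACT = b"constructed release tarball"
TRUSTED_BUILDERS = {"https://builder.example/ci/v1"}
SAMPLE_STATEMENT = json.dumps({
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_PREDICATE,
    "predicate": {"runDetails": {"builder": {"id": "https://builder.example/ci/v1"}}},
})
```

An artefact modified after the build fails the subject check, and valid provenance from a build platform outside the allow-list fails the builder check.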

S2C2F (Secure Supply Chain Consumption Framework)

This framework is specifically designed for safer software consumption. It includes 8 practices with threat levels and possible fixes, which are all documented on GitHub. They include a table at the end of the document which maps the requirements to regulation and other security frameworks.

CNCF TAG Security

CNCF’s TAG Security published a whitepaper which is an extensive Best Practice Reference for supply chain security. This whitepaper tries to cover the whole supply chain and also includes recommendations for implementing the aforementioned SLSA and S2C2F.

Conclusion

These frameworks are great guides for improving supply chain security, but they have to be tailored to the organisation’s needs. In today’s world, securing the supply chain is no longer a choice but a critical necessity. State-sponsored threat actors are increasingly exploiting vulnerabilities in software and hardware suppliers to launch sophisticated cyberattacks against critical infrastructure and enterprises. Consequently, regulations like Europe’s Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA), alongside frameworks like the US NIST Cybersecurity Framework, now mandate verifiable security practices throughout the entire supply chain, enforcing compliance with substantial penalties.
