New Video from @NoLimitSecu Discusses Software Supply Chain Security

In this episode of the No Limite SQ podcast, Christophe Tafani from Reaper discusses methods to address software supply chain security issues, accompanied by contributors Nicolas Ruf, Paul Amar, Hervé Chaur, and Vladimir Cola. The discussion focuses on attacks on the software supply chain, excluding physical and human aspects. Christophe Tafani begins by explaining the mental model of the software supply chain using the Salsa DVE model. This model helps understand how code written by a developer ends up in the hands of the end user. Typical steps include writing the code, pushing it to version control software like GitHub, building it through a continuous integration pipeline, and finally distributing it via a binary file repository or a Docker image repository. Each step of this process can be attacked, and protections and detections vary at each level. Tafani mentions several past attacks, such as the malicious patch in the Linux kernel in 2003, the Solar Winds attack where the build system was compromised, and the COD COV attack where a Bash script was replaced with a malicious script. He emphasizes that protection mechanisms must be adapted to each step of the supply chain. For example, to ensure that a developer cannot put malicious code into production, it is crucial to use signed and approved pull requests by multiple people. The discussion then turns to GitHub Actions, reusable elements in CI/CD pipelines. Tafani explains that using tags for actions can be risky, as an attacker can replace tags with malicious commits. He recommends using specific commits to avoid this problem. He also mentions open source projects like T Securities Hardened Runner, which secures build pipelines using network whitelists and preventing source code rewriting. For detecting malicious dependencies, Tafani presents Guard Dog, an open source project that scans the metadata and code of packages to detect malicious behaviors. He explains that this type of tool can be integrated into CI/CD pipelines to check dependencies before deployment. He also discusses attestations and provenance, concepts that allow verifying the integrity and origin of software artifacts. The conversation also addresses regulations and legal obligations regarding software security. Tafani mentions a 2021 U.S. decree that requires software publishers to publish lists of packages included in their software, which has increased interest in Software Bill of Materials (SBOM). He highlights the importance of recursive visibility on dependencies to detect vulnerabilities and malicious behaviors. Finally, Tafani shares practical advice for developers, such as using wrappers around package installation commands to block known malicious packages. He invites listeners to contribute to the Guard Dog project and explore career opportunities in supply chain security. In conclusion, Tafani reminds of the importance of having a reference model for supply chain security and improving the maturity of each step iteratively. He encourages listeners to be interested in open source projects and contribute to research in this field.