Aqua Security Reports Spike in Supply Chain Attacks

Aqua Security's recent report highlights the growing threat of supply chain attacks. According to the report, supply chain attacks increased by 300% between 2020 and 2021, while the level of security in software development environments remained low. Google and the Cloud Native Computing Foundation (CNCF) recently published articles detailing approaches to improving supply chain security.

The report was produced by Argon Security, a recent acquisition of Aqua Security, over a six-month period, examining a number of customer practices and supply chains. The study identified three main risk areas that companies should focus on to improve supply chain security.

The first area is the use of vulnerable packages. The report notes the widespread use of open source code in nearly all commercial software. This code can have its own vulnerabilities, and keeping it up to date takes time and effort. The authors note two common attacks that target packages: exploiting existing vulnerabilities and package poisoning. The recent Log4j vulnerabilities are an example of the first, and the compromise of the ua-parser.js package is an example of poisoning.

The second area attackers can focus on is compromised pipeline tools. The Codecov supply chain breach is an example. In this attack, the Codecov bash downloader was compromised via a Docker image. Over a period of a few months, the attackers were able to extract environment variables from the CI process, exposing sensitive Codecov customer data.

The final area they note concerns code and artifact integrity. This includes the upload, malicious or otherwise, of incorrect or sensitive code to source code repositories. The team found a number of issues in surveyed customer environments, including container image vulnerabilities, sensitive data posted to code repositories, and code quality and security issues.

The study notes that addressing these challenges is hampered by the lack of resources of most security and software teams. As Eran Orzel, Chief Revenue Officer at Argon Security, notes:

Most AppSec teams lack the resources, budget, and knowledge to address the risk of supply chain attacks. This is further complicated by the need for cooperation from development and DevOps teams.

Google and the Cloud Native Computing Foundation (CNCF) have published guidelines to help improve the integrity of software packages. Google's Supply chain Levels for Software Artifacts (SLSA) is based on their internal Binary Authorization for Borg framework. It states that all software artifacts should be non-unilateral and auditable. Non-unilateral means that no one person can modify the artifact within the chain without the review and approval of at least one other person. The fact that the artifacts are auditable, ideally in an automated way, facilitates investigations if an attack is suspected.

The framework further defines four levels of security, with SLSA 4 representing the ideal end state. SLSA 1 requires that build processes be fully scripted and generate provenance. Provenance is metadata about how the artifact was built, including information about ownership, sources, dependencies, and the build process used. Google released a proof-of-concept GitHub Action that demonstrates producing SLSA 1 compliant provenance.

SLSA 2 takes it a step further by requiring the use of version control and a hosted build service that generates authenticated provenance. SLSA 3 adds a requirement that the source and build platforms be sufficiently auditable, both for the source of the code and for the integrity of the provenance.

The final state, SLSA 4, requires two-person reviews of all changes and a hermetic, reproducible build process. Kim Lewandowski states that "two-person review is an industry best practice for detecting errors and deterring bad behavior". Hermetic builds are self-contained and rely only on services internal to the build environment. This includes known versions of build tools and other dependencies, such as code libraries. The fact that the builds are reproducible facilitates the auditability of the supply chain.
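As an added illustration (not code from the report, Google or the CNCF), the sketch below shows how a consumer might check a provenance document against the artifact it describes: the digest must match, the builder must be one the consumer trusts, and every dependency must be pinned by digest. The field names assume the SLSA v0.2 provenance layout inside an in-toto statement; the builder ID, URIs and artifact bytes are constructed sample values.

```python
import hashlib

SLSA_V02 = "https://slsa.dev/provenance/v0.2"  # assumed predicate type (SLSA v0.2)

def check_provenance(artifact: bytes, statement: dict, trusted_builders: set) -> list:
    """Return a list of findings; an empty list means every check passed.

    Signature verification of the statement (the "authenticated" part that
    SLSA 2 adds) is out of scope here and must happen before these checks.
    """
    if statement.get("predicateType") != SLSA_V02:
        return ["unexpected predicateType"]
    findings = []
    # 1. The provenance must actually describe the bytes we were given.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        findings.append("artifact digest not listed as a subject")
    # 2. The build must have run on a builder the consumer trusts.
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in trusted_builders:
        findings.append(f"untrusted builder: {builder}")
    # 3. Sources and dependencies must be recorded and pinned by digest.
    materials = pred.get("materials", [])
    if not materials:
        findings.append("no materials recorded")
    for m in materials:
        if not m.get("digest"):
            findings.append(f"material not pinned by digest: {m.get('uri')}")
    return findings

# Constructed sample data, not taken from any real build.
ARTIFACT = b"constructed release tarball bytes"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        "builder": {"id": "https://builder.example/hosted-ci"},
        "buildType": "https://builder.example/script-build",
        "materials": [
            {"uri": "git+https://git.example/org/app", "digest": {"sha1": "0" * 40}},
            {"uri": "pkg:npm/example-lib@latest"},  # floating version, no digest
        ],
    },
}
TRUSTED = {"https://builder.example/hosted-ci"}

if __name__ == "__main__":
    for finding in check_provenance(ARTIFACT, STATEMENT, TRUSTED) or ["ok"]:
        print(finding)
```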

The CNCF paper, Software Supply Chain Security Best Practices, defines four key principles for supply chain security: trust, automation, clarity and mutual authentication. Every step in the process must be trusted, using cryptographic attestation and verification. Using automation can reduce both human error and configuration drift. Build processes and the environment must be clearly defined and scoped accordingly. Mutual authentication requires all entities in the supply chain to use strong authentication mechanisms with regular key rotation.

For more details on the report's findings, readers are directed to Aqua Security's supply chain attack study.
