• Reasonable Application Security
  • Posts
  • Reasonable 🔐AppSec #37 - Solving the Software Supply Chain Once and For All, Five Security Articles, and Podcast Corner

Reasonable 🔐AppSec #37 - Solving the Software Supply Chain Once and For All, Five Security Articles, and Podcast Corner

A review of application security happenings and industry news from Chris Romeo.

Author

Chris Romeo
February 02, 2024

Hey there,

Week three of our subscription drive! And no, we’re not sending tote bags to those who subscribe. Wait, maybe that’s not such a bad idea?

Please forward this newsletter to a friend and encourage them to subscribe. We’re trying to grow our subscriber base to enlighten everyone with AppSec news with a side of snark.

In this week’s issue, please enjoy the following:

  • Five security articles 📰 that are worth YOUR time

  • Featured focus: Solving the Software Supply Chain Once and For All

  • Application Security Podcast 🎙️Corner

  • Where to find Chris? 🌎

Five Security Articles 📰 that Are Worth YOUR Time

  1. The State of Software Supply Chain Security 2024: Key Takeaways — It is that time of the year — when studies are released looking at stats and predicting the future. The ReversingLabs 2024 state of software supply chain security highlights a 1300% increase in malicious packages in open-source package managers over three years and notes the industry's slow response to evolving threats. It stresses the lowered barrier for successful supply chain attacks, urging stakeholders to address security gaps and adopt new tools to mitigate risks.

  2. How to Use Threat Modeling Capabilities to Nurture Program Effectiveness — The Threat Modeling Capabilities is the next chapter after the Threat Modeling Manifesto, aiming to enhance the effectiveness of threat modeling programs. It details a structured approach to building and assessing threat modeling practices within organizations, emphasizing measurable, actionable capabilities across seven process areas, including strategy, education, and program management.

  3. Privacy predictions for 2024 — More predictions, this time on privacy. Kaspersky's 2024 privacy predictions focus on evolving online privacy challenges, emphasizing the need for enhanced biometric data protection due to the rise of deepfakes and voicefakes. It also highlights the potential privacy debates around AI-enabled wearables, AR/VR technologies, and the shift towards passwordless authentication and advanced bot assistants for privacy protection, suggesting a future where traditional concepts of private data and security measures may need to be reevaluated.

  4. How To Write Unmaintainable Code — We have to have some fun and nice things. "How To Write Unmaintainable Code" humorously advises on creating code so convoluted and confusing that it secures the programmer's job by making any future modifications nearly impossible for anyone else. It includes tips on obfuscating code through misleading naming conventions, lack of comments on the code's purpose, and overly complex structures, all presented tongue-in-cheek to highlight the importance of maintainable coding practices.

  5. It’s complicated: wrapping up a year of excitement with AI in security and security for AI — Artificial intelligence is in the midst of an intertwined evolution with cybersecurity. Explore the burgeoning interest from venture capitalists and startups in AI security, the adaptation of security measures to new AI technologies, and the potential for AI to solve fundamental security challenges, signaling a pivotal moment for innovation in the cybersecurity landscape.

The software supply chain problem has been around for decades but has increased in visibility over the last few years. Try to count how many SCA vendors exist in any magic quadrant. You’d need magical powers to be able to count them all. CISA, various Executive Orders, and NIST have all taken this challenge to task, creating a cottage industry around solving the software supply chain problem.

This leads me to wonder why this problem is so complex to solve. If I put my threat modeling hat on for a second and consider the threats to the software supply chain, I come up with two primary threats:

  1. An attacker could inject malicious software into an open-source component, thus causing that malicious component to be included in production applications.

  2. A developer created an open-source component with a known vulnerability or business logic flaw, allowing an attacker to compromise any application that contains that component.

Let’s deal with the first one. The answer I came up with is to mitigate it by digitally signing components that are part of a trusted build pipeline, containing tooling and processes that minimize the possibility of the injection of malicious software. The tools in the pipeline are the standard things we have available, such as SAST. The more important part is the people-driven PR review processes. People are the most effective tool for finding malicious insertions. Those people processes then tie back to how an open-source team reviews PRs and how someone becomes a trusted contributor. Processes must line up, but they don’t feel impossible to implement.

Upon signing the results out of the pipeline, we have sigstore. Sigstore’s site defines it as: “…how you digitally sign and check components for a safer chain of custody tracing software back to the source. We want to remove the effort, time, and risk of error this usually comes with.” Currently, the challenge is that we’re not signing enough components.

How about the second threat I called out, “known vulnerabilities or business logic flaws in open-source code.” Open-source projects are no different than custom code regarding having vulns.

We could deal with this in a three-pronged approach: 1) injecting AppSec into the most popular open-source teams 2) growing the ownership of those that find and fix security issues in open-source projects, and 3) building trusted repositories that remove the junk.

Starting with the first, we inject AppSec by teaching open source teams to threat model, or heck, we set up teams of people that will lead them through the threat modeling process.

On the second point, organizations that rely on a given component should also spend a commiserate amount of time performing security reviews and tests of the component. It is amazing how little effort and how much trust is bestowed upon open-source components.

On the third point, why do we have 1.3 million packages available in the primary npm registry? Are all of those packages equal? Do all have value? NO. We should build a trusted registry for packages with criteria for the project team and flush out packages that do not add value and do not respect security and privacy. Make the community safer by removing the cruft. Tying this back to the beginning, one of the package registry qualifications is the usage of digital signing for package output!

That sounds easy to me. But in reality, it isn’t easy at all. And now I know why we have yet to “solve” the software supply chain.

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes, they are my podcasts. Other times, they are podcasts that have caught my attention.

  • Application Security Podcast

    • Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security (Audio only; YouTube)

      • Kyle Kelly, author of the CramHacks newsletter, delves into the complexities of software supply chain security, drawing from his vast experience in cybersecurity to analyze its 'dumpster fire' state.

      • The discussion covers the impact of open-source policies, the significance of GRC, and the crucial aspect of build reproducibility, offering valuable insights for anyone interested in the future of software security.

  • Security Table

    • Bug Bounty Theater and Responsible Bug Bounty (Audio only; YouTube)

      • Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater.

      • They share insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bounties in the security industry, answering the question, what is responsible bug bounty?

  • Threat Modeling Podcast

    • Nandita Rao Narla -- Privacy Threat Modeling (Audio only)

      • I’m so excited that we got another TM Podcast out the door. I’m leaving this here for another week! TM Podcast is short (<10 mins) per episode, so listen, Pretty please.

      • Nandita Rao Narla introduces the basics of privacy in software. She discusses privacy threats, privacy threat modeling, and privacy by design.

      • Suppose you write or handle software that touches user information. In that case, you need to understand privacy, how to assess and mitigate privacy concerns, and know when to implement privacy concerns into a design.

      • This episode of the Threat Modeling Podcast is the perfect primer to raise awareness of the critical role privacy concerns should play in your next project.

Pictures are Fun

Our budget would not allow such a tote bag. Oh well, maybe next year!

Where to find Chris? 🌎

  • North Carolina Cybersecurity Symposium, February 22-23, 2024

  • BSides SF, May 4-5, 2024

  • RSA, San Francisco, May 6 - 9, 2024

    • Speaking: The Year of Threat Modeling: Secure and Privacy by Design Converge (May 8, 14:25 Pacific)

    • Learning Lab: Threat Modeling Championship: Breaker vs. Builder (May 8, 08:30 Pacific)

    • I'm hanging out at the Devici booth at the Startup Expo for the rest of the time!

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.