Supply-chains, Lockfiles and Rants
Supply chain attacks are in all news (at least in mine). These kind of attacks happen in plain sight and use available infrastructure to do harm.
Thank you for being here. If you’ve found your way over by some miracle but are not yet subscribed, let me help you with that:
Supply and Lockfiles
A supply chain attack is when one or more of the dependencies in your application have been compromised, and some “bad code “is running on your systems and applications that is intended to harm you. These kinds of attacks are becoming more common and more sophisticated.
Most programming environments that offer a form of dependency manager have a locking mechanism in place. The manager allows to specify what kind of version should is used. And stores the version along with a checksum/cryptographic hash in a sometimes-called lockfile.
These lockfiles are essential to keeping applications safe from supply chain attacks. If the remote code changes but the same version number is used, you will get a checksum mismatch.
No matter if you update dependencies by hand or use tools like Dependabot or Renovate. You must review the changes to ensure the functionality is as you expect and the new code does not introduce any malware or obvious bad intentions. Simply updating and not checking is dangerous and circumvents the whole system.
How do you spot bad” intentions? Some ideas:
the change introduces a new dependency,
changes to pre/post-install hooks of the dependency manager,
introduces cryptic code that is unclear
downloads stuff from the internet all of a sudden."
How often should you update your dependencies?
There are two strong opposing approaches to updating software and dependencies.
The first approach you constantly update everything to stay on the bleeding edge. The second one is you update only when there is a necessity. Otherwise, never touch it.
What is the best way?
It depends on the environment and the company, how many people how many systems and moving parts they have. A good rule of thumb is to keep things up to date "enough," so it is easy to get it done during an emergency security update. You don't need to spend days or weeks fixing stuff.
What do you think? Let me know at andy@occamslabs.com.
LinkDump
Open Source Supply Chain attack targeting banks
Malware authors pretended to be employees of banks. They even went that far to create fake LinkedIn profiles. The dependencies were hidden in plain sight using Azure’s CDN
kbom - A Kubernetes Bill of Materials
Allows you to create a JSON structured representation of what is running within your cluster. You can use this to build alerting into your security tooling when something changes that should not.
earlybird - a sensitive data scanner
American Express is maintaining an open-source scanner that is looking for clear text password violations, PII, outdated cryptography methods, key files, and more. Another piece of tooling that can be added to the CI/CD to help detect leaks early.
The Six Dumbest Ideas in Computer Security
A - quite on point - rant about computer security and some of the ideas driving it. It seems like every day, a new tool or toy is being released that claims to solve problem XYZ. After all, nobody got fired for hiring IBM or so.
Thank you
Thank you for reading along. If you have feedback or questions, message me: andy@occamslabs.com. I would appreciate it if you shared it with people that can benefit from the newsletter.