Posts Tagged ‘SupplyChainSecurity’
[DefCon32] If Existing Cyber Vulns Magically Disappeared, What Next
Dr. Stefanie Tompkins, Director of DARPA, joined by Dr. Renee Wegrzyn, inaugural Director of ARPA-H, explores a hypothetical scenario where all cyber vulnerabilities vanish overnight. Their session at DEF CON 32, moderated interactively, delves into the hacker community’s contributions to cybersecurity and the next frontier of challenges, from supply chain vulnerabilities to quantum computing. Stefanie and Renee emphasize the synergy between DARPA, ARPA-H, and the DEF CON community in shaping a secure digital future.
The Hacker Community’s Legacy
Stefanie opens by celebrating the DEF CON community’s role in challenging the status quo, citing DARPA’s Cyber Grand Challenge and Cyber Fast Track as catalysts for vulnerability detection advancements. She highlights how diverse perspectives have driven innovations like the ARPANET, the precursor to the internet. Stefanie underscores the community’s potential to address future threats, encouraging active collaboration with agencies like DARPA.
Envisioning a Vulnerability-Free World
Renee explores the implications of a world without cyber vulnerabilities, questioning what new challenges would emerge. She discusses ARPA-H’s Apex program, which leverages generative AI to create novel antigen sequences for unaddressed viruses, illustrating how hacker ingenuity could pivot to proactive solutions. Renee emphasizes the need to secure health tech ecosystems, particularly hospitals, against cyberattacks.
Tackling Supply Chain and Quantum Challenges
Stefanie, a geologist by training, shares her focus on supply chain vulnerabilities, given their critical role in global technology ecosystems. She also addresses quantum computing’s uncertain future, noting DARPA’s efforts to determine its transformative potential versus obsolescence. Stefanie’s insights highlight the need for rigorous questioning to guide technological development, inviting hackers to contribute ideas.
Fostering Collaborative Innovation
Concluding, Renee and Stefanie call for continued partnership with the DEF CON community to solve complex problems. They encourage attendees to share ideas with DARPA and ARPA-H, emphasizing that transformative solutions arise from collective creativity. Their vision for a resilient digital and health infrastructure inspires hackers to shape the next era of cybersecurity innovation.
[DefCon32] Secret Life of Rogue Device: Lost IT Assets on the Public Marketplace
Matthew Bryant, a seasoned security researcher and red team leader at Snap, unveils a startling investigation into the underground market for rogue IT assets. His presentation explores how sensitive devices—employee laptops, hardware prototypes, and even classified government systems—end up on public marketplaces. Through innovative techniques like scraping millions of online listings and reverse-engineering obfuscated apps, Matthew reveals the scale of this issue and its implications for organizational security.
The Scope of Rogue Devices
Matthew begins by defining rogue devices as assets that should never be resold, such as corporate laptops or early-stage hardware prototypes. His research, conducted with support from Snap and inspired by collaborator Apple Demo’s YouTube work on iPhone prototypes, involved analyzing over 150 million images from Western and Eastern secondhand markets. Matthew’s findings expose a thriving trade in sensitive equipment, often originating from e-waste recycling centers or lax supply chain controls.
Technical Challenges and Innovations
To uncover these devices, Matthew employed creative methodologies, including an OCR cluster built from repurposed iPhones to process listing images. He also reverse-engineered Chinese marketplace apps, navigating their obfuscation to extract data. These efforts revealed employee laptops with sensitive data, prototype iPhones, and even government servers on platforms like eBay. Matthew’s approach highlights the ingenuity required to track assets across global, often opaque, marketplaces.
Supply Chain and E-Waste Vulnerabilities
Delving deeper, Matthew identifies supply chain leaks and e-waste mismanagement as primary sources of rogue devices. Companies assume discarded hardware is destroyed, but recyclers often resell functional equipment, such as “50 good iPhones,” for profit. This creates opportunities for attackers to acquire sensitive assets. Matthew stresses the need for organizations to enforce strict destruction protocols and monitor secondary markets to prevent leaks.
Strengthening Organizational Defenses
Concluding, Matthew urges companies to trace their assets’ lifecycle rigorously, from procurement to disposal. By identifying leak sources through marketplace analysis, organizations can close vulnerabilities. His work, enriched by collaborations with underground collector communities, underscores the importance of proactive monitoring and robust supply chain security to safeguard sensitive data and hardware.
[DevoxxBE2023] Securing the Supply Chain for Your Java Applications by Thomas Vitale
At Devoxx Belgium 2023, Thomas Vitale, a software engineer and architect at Systematic, delivered an authoritative session on securing the software supply chain for Java applications. As the author of Cloud Native Spring in Action and a passionate advocate for cloud-native technologies, Thomas provided a comprehensive exploration of securing every stage of the software lifecycle, from source code to deployment. Drawing on the SLSA framework and CNCF research, he demonstrated practical techniques for ensuring integrity, authenticity, and resilience using open-source tools like Gradle, Sigstore, and Kyverno. Through a blend of theoretical insights and live demonstrations, Thomas illuminated the critical importance of supply chain security in today’s threat landscape.
Safeguarding Source Code with Git Signatures
Thomas began by defining the software supply chain as the end-to-end process of delivering software, encompassing code, dependencies, tools, practices, and people. He emphasized the risks at each stage, starting with source code. Using Git as an example, Thomas highlighted its audit trail capabilities but cautioned that commit authorship can be manipulated. In a live demo, he showed how he could impersonate a colleague by altering Git’s username and email, underscoring the need for signed commits. By enforcing signed commits with GPG or SSH keys—or preferably a keyless approach via GitHub’s single sign-on—developers can ensure commit authenticity, establishing a verifiable provenance trail critical for supply chain security.
Managing Dependencies with Software Bills of Materials (SBOMs)
Moving to dependencies, Thomas stressed the importance of knowing exactly which libraries a project includes, especially given vulnerabilities like Log4j. He introduced Software Bills of Materials (SBOMs) as a standardized inventory of software components, akin to a list of ingredients. Using the CycloneDX plugin for Gradle, Thomas demonstrated generating an SBOM during the build process, which provides precise dependency details, including versions, licenses, and hashes for integrity verification. Generating the SBOM inside the Maven or Gradle build is more accurate than relying on post-build scanning tools like Snyk, and it enables developers to identify vulnerabilities, check license compliance, and verify component integrity before production.
Thomas further showcased Dependency-Track, an OWASP project, to analyze SBOMs and flag vulnerabilities, such as a critical issue in SnakeYAML. He introduced the Vulnerability Exploitability Exchange (VEX) standard, which complements SBOMs by documenting whether vulnerabilities affect an application. In his demo, Thomas marked a SnakeYAML vulnerability as a false positive due to Spring Boot’s safe deserialization, demonstrating how VEX communicates security decisions to stakeholders, reducing unnecessary alerts and ensuring compliance with emerging regulations.
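The two uses of an SBOM described above, hash-based integrity checking and VEX-based triage, can be sketched as follows. This is an added example, not code from the talk or from Dependency-Track; the BOM is constructed inline using CycloneDX JSON field names, and the component versions, vulnerability IDs and artifact bytes are placeholders.

```python
import hashlib

SNAKE = "pkg:maven/org.yaml/snakeyaml@0.0.0-example"   # constructed version
DEMO = "pkg:maven/com.example/demo-lib@0.0.0-example"  # hypothetical component
# Constructed bytes standing in for the JAR files resolved by the build.
ARTIFACTS = {SNAKE: b"constructed snakeyaml jar", DEMO: b"constructed demo-lib jar"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed BOM using CycloneDX JSON field names; vulnerability IDs are placeholders.
BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": SNAKE, "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS[SNAKE])}]},
        # The recorded hash deliberately does not match the artifact on disk.
        {"bom-ref": DEMO, "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": SNAKE}],
         "analysis": {"state": "false_positive", "detail": "safe deserialization in use"}},
        {"id": "VULN-PLACEHOLDER-2", "affects": [{"ref": DEMO}], "analysis": {"state": "in_triage"}},
        {"id": "VULN-PLACEHOLDER-3", "affects": [{"ref": DEMO}]},  # no VEX statement yet
    ],
}

# VEX analysis states that close a finding; anything else still needs attention.
CLOSED_STATES = {"false_positive", "not_affected", "resolved"}

def integrity_failures(bom, artifacts):
    """Return bom-refs whose artifact is missing or does not match the SBOM's SHA-256."""
    failures = []
    for comp in bom["components"]:
        expected = {h["content"].lower() for h in comp.get("hashes", []) if h["alg"] == "SHA-256"}
        data = artifacts.get(comp["bom-ref"])
        if data is None or not expected or sha256_hex(data) not in expected:
            failures.append(comp["bom-ref"])
    return failures

def open_findings(bom):
    """Return (vulnerability id, affected ref) pairs not closed by a VEX analysis."""
    pending = []
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state not in CLOSED_STATES:
            pending += [(vuln["id"], a["ref"]) for a in vuln.get("affects", [])]
    return pending

if __name__ == "__main__":
    print("integrity failures:", integrity_failures(BOM, ARTIFACTS))
    print("open findings:", open_findings(BOM))
```

A missing artifact or a component without a SHA-256 entry is reported as a failure, so gaps in the SBOM surface instead of passing silently.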
Building Secure Artifacts with Reproducible Builds
The build phase, Thomas explained, is another critical juncture for security. Using Spring Boot as an example, he outlined three packaging methods: JAR files, native executables, and container images. He critiqued Dockerfiles for introducing non-determinism and maintenance overhead, advocating for Cloud Native Buildpacks as a reproducible, secure alternative. In a demo, Thomas built a container image with Buildpacks, highlighting its fixed creation timestamp (January 1, 1980) to ensure identical outputs for unchanged inputs, enhancing security by eliminating variability. This reproducibility, coupled with SBOM generation during the build, ensures artifacts are both secure and traceable.
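Why a fixed timestamp matters for reproducibility, shown on a plain tar layer as an added example (not code from the talk or from Buildpacks). It generalizes from container images to any archive; the file names and contents are constructed, and the fixed date is the January 1, 1980 value mentioned above.

```python
import hashlib
import io
import tarfile

FIXED_MTIME = 315532800  # 1980-01-01T00:00:00Z as a Unix timestamp

# Constructed build inputs: archive path -> file content.
FILES = {
    "app/lib/dep.jar": b"constructed dependency bytes",
    "app/Main.class": b"constructed bytecode",
}

def layer_digest(files, order=None, mtime=FIXED_MTIME):
    """Pack files into an uncompressed tar and return the archive's SHA-256.

    With the defaults, entries are sorted by name and stamped with FIXED_MTIME,
    so the digest depends only on file names and contents. Passing `order` and
    `mtime` simulates a naive build that records discovery order and wall-clock time.
    """
    names = list(order) if order is not None else sorted(files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)  # uid/gid default to 0, owner names to ""
            info.size = len(files[name])
            info.mtime = mtime
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()

if __name__ == "__main__":
    # Two naive builds of identical inputs, five minutes apart.
    run1 = layer_digest(FILES, ["app/lib/dep.jar", "app/Main.class"], 1700000000)
    run2 = layer_digest(FILES, ["app/lib/dep.jar", "app/Main.class"], 1700000300)
    print("naive builds match:       ", run1 == run2)
    # Two normalized builds of identical inputs.
    print("normalized builds match:  ", layer_digest(FILES) == layer_digest(dict(FILES)))
    # A changed input still changes the normalized digest.
    tampered = dict(FILES, **{"app/Main.class": b"modified bytecode"})
    print("tampered input is visible:", layer_digest(FILES) != layer_digest(tampered))
```

Once identical inputs always give the same digest, a digest mismatch between two builds of the same commit becomes a meaningful signal that something in the build changed.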
Signing and Verifying Artifacts with SLSA
To ensure artifact integrity, Thomas introduced the SLSA framework, which provides guidelines for securing software artifacts across the supply chain. He demonstrated signing container images with Sigstore’s Cosign tool, using a keyless approach to avoid managing private keys. This process, integrated into a GitHub Actions pipeline, ensures that artifacts are authentically linked to their creator. Thomas further showcased SLSA’s provenance generation, which documents the artifact’s origin, including the Git commit hash and build steps. By achieving SLSA Level 3, his pipeline provided non-falsifiable provenance, ensuring traceability from source code to deployment.
Securing Deployments with Policy Enforcement
The final stage, deployment, requires validating artifacts to ensure they meet security standards. Thomas demonstrated using Cosign and the SLSA Verifier to validate signatures and provenance, ensuring only trusted artifacts are deployed. On Kubernetes, he introduced Kyverno, a policy engine that enforces signature and provenance checks, automatically rejecting non-compliant deployments. This approach ensures that production environments remain secure, aligning with the principle of validating metadata to prevent unauthorized or tampered artifacts from running.
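The kind of decision a deployment gate makes over provenance can be sketched as below. This is an added example, not Kyverno, Cosign or SLSA Verifier code: it assumes the attestation signature has already been verified by one of those tools and only evaluates the decoded statement. The statement is constructed in the in-toto / SLSA v0.2 layout, and the organisation, repository and builder names are hypothetical.

```python
import hashlib

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
# Constructed bytes standing in for the image manifest being deployed.
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()

# Hypothetical deployment policy: which builder and source repository are trusted.
POLICY = {
    "builder_id": "https://github.com/example-org/builder/.github/workflows/build.yml@refs/tags/v1",
    "source_uri": "git+https://github.com/example-org/demo-app",
}

# Constructed provenance statement (payload of an already-verified attestation).
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "ghcr.io/example-org/demo-app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {
        "builder": {"id": POLICY["builder_id"]},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/demo-app@refs/heads/main",
            "digest": {"sha1": "0" * 40},  # placeholder commit hash
        }},
    },
}

def admission_errors(statement, image_digest, policy):
    """Return the reasons to reject a deployment; an empty list means admit."""
    errors = []
    if statement.get("predicateType") != SLSA_V02:
        errors.append("unexpected predicate type")
    # The provenance must be about this exact image, not merely a signed one.
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in subjects:
        errors.append("image digest not in provenance subject")
    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") != policy["builder_id"]:
        errors.append("untrusted builder")
    uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if uri.split("@", 1)[0] != policy["source_uri"]:
        errors.append("unexpected source repository")
    return errors

if __name__ == "__main__":
    print("genuine image:", admission_errors(PROVENANCE, IMAGE_DIGEST, POLICY))
    other = hashlib.sha256(b"some other image").hexdigest()
    print("other image:  ", admission_errors(PROVENANCE, other, POLICY))
```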
Conclusion: A Holistic Approach to Supply Chain Security
Thomas’s session at Devoxx Belgium 2023 provided a robust framework for securing Java application supply chains. By addressing source code integrity, dependency management, build reproducibility, artifact signing, and deployment validation, he offered a comprehensive strategy to mitigate risks. His practical demonstrations, grounded in open-source tools and standards like SLSA and VEX, empowered developers to adopt these practices without overwhelming complexity. Thomas’s emphasis on asking “why” at each step encouraged attendees to tailor security measures to their context, ensuring both compliance and resilience in an increasingly regulated landscape.