0

I'm looking for ways to further protect my web app against supply chain attacks.

Attacks focusing on supply chain have been increased a lot recently. NIST is working on a recommendation, following the May 2021 Executive Order, and questions about this have already been asked here (How does one defend against software supply chain attacks?, ...).

The short answer is usually that it's not possible to protect yourself against supply chain attacks. I am however looking at ways to increase the security of my web application, which heavily uses open source dependencies, such as java (maven) and javascript (npm). My code ("jars", ...) is not distributed but rather deployed as a service on a privately owned server.

Apart from replies or link to recommendations about this broad topic, I'm also more specifically interested in ways to protect my build process (CI/CD pipeline, using jenkins), and integrity checking (it seems that jar signing for instance is not really recommended, but maybe this recommendation has evolved due to the increasing popularity of this subject).

EDIT: In other words, what are the various ways (type of attacks, not attacks themselves) that rely on software supply chain attacks (i.e. targetting dependencies, and the build process), and how to protect against them ? I know that one of them is the "dependency confusion", where a threat actor adds to a public repo the name of a private dependency I use, in hopes I'll use theirs instead. Are there others ?

floflo
  • 1
  • 1
  • You appear to be asking about vulnerabilities in the open-source libraries you use, not "supply chain attacks". Those are different topics. – schroeder Nov 24 '21 at 15:46
  • I already have tools in place that detect known vulnerabilities on the open source librairies I use (such as npm audit, etc), that check against public databases. I am more interested in securing the build process, such as prevent against "dependency confusion", or CI/CD issues (cf solarwinds), and securing my own artefacts. – floflo Nov 24 '21 at 15:51
  • Ok, then I'm not sure that this is about "supply chain attacks" at all. I'm not even sure if this is a security question. – schroeder Nov 24 '21 at 15:55
  • You are very "hand-wavy" about what you are concerned about. Can you explain what you want to protect yourself *against*? So far, this just look like a DevOps question, not even a DevSecOps question. – schroeder Nov 24 '21 at 15:58
  • Well it's part of the question, if I knew what the threats are I'd have a good start on how to protect against them. But "supply chain attacks" seem like a security topic, as seen in the solarwind attacks. One very specific example that I mentioned in my comment above is ["dependency confusion"](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) (a threat actor adds to a public repo the name of a private dependency I use), but that's just one example of many, and I don't have an exhaustive list – floflo Nov 24 '21 at 16:04
  • "Dependency confusion" in that article is just a malicious library. You can scan for that and you say that you do. Making sure that you are grabbing the *correct* library is not a security issue but a DevOps issue. "Supply Chain Attack" is a security issue, but it's a broad topic and you are not narrowing it down at all. If your question is so broad that you can't define it, then you should take some time to refine it because it will be unanswerable. – schroeder Nov 24 '21 at 16:15
  • If you want to prevent the same type of attack that happened to the Solarwinds development pipeline, that's not a supply chain attack at all. So, in general, you need to refine and define what it is you want. Otherwise, you are asking "how long is a piece of string?" – schroeder Nov 24 '21 at 16:18
  • I stated I scan (trusted) dependencies for known vulnerabilities, not malicious librairies that insert themselves in my software supply chain. I understand your point about it being a devops issue though. Is there no tool or procedure that I could put in place to help make sure this doesn't happen ? I'll edit my original question to better explain what I'm looking for. Thanks for your feedback. – floflo Nov 24 '21 at 16:27
  • I have edited my question, focusing instead on a list of main attack types that leverage "supply chain attacks". – floflo Nov 24 '21 at 16:36

0 Answers0