Security Bsides Las Vegas 2024

Red Teaming the Software Supply Chain
2024-08-06, Diamond

Total attacks on the software supply chain have increased by more than 730% year on year since 2019. One way for organizations to combat this growing threat is to empower their red teams to test their own software supply chains. But many red teams are ill-prepared to tackle this new attack surface. This workshop will help existing red teams and offensive security teams learn how to expand their scope to include the software supply chain (SSC). We will give them a structured way to identify SSC components, threat model an example SSC and finally conduct red team operations on an example SSC.

I will draw on my experience at GitLab and SecureStack around red teaming and explain some of the tools and processes I've developed.

This workshop will have three parts:

  1. I will describe how to quickly identify the components in a software supply chain
  2. I will describe my TVPO methodology (target, value, patterns, and objectives), which is an applied threat modeling and assessment framework for software supply chains.
  3. Finally, I will describe one of my red team operations on an open-source project and the tools that I use (or have written)

The reality is that modern applications are complex and dynamic, making them challenging to secure. They use browser-based programming languages, pull dependencies directly from online registries at build time, and rely on technologies like containers, serverless, and public cloud. Understanding these components, such as which public cloud services are used, which identity provider is in place, and what infrastructure the application requires, is crucial for securing the application.

The supply chains supporting these applications are equally complex. They encompass developers and DevOps teams, CI/CD pipelines that build and deploy the apps, and the runtimes and cloud services that enable the apps to scale and operate. I described the multiple stages of the software supply chain here: https://gitlab.com/pmccarty/visualizing-software-supply-chain

Traditional offensive security functions like penetration testing and bug bounty can help identify some of the issues in software supply chains. However, I believe the best way to address these new threats is to enable existing red teams to expand their operational scope to include these supply chains.

The purpose of this workshop is to help security practitioners expand their knowledge and toolkit to address the security posture of a specific software supply chain (SSC). Not all existing red teamers will know how this process works, so we will use a typical end-to-end application environment, including source code and CI/CD workflows, as an example. Are malicious actors targeting your customers? Are they targeting your tech stack, or are they targeting you for political reasons? Do they want your source code? Do they want access to the data you hold? These are important questions to ask and discuss with your red team, because they help the team identify and assess risk for their organization's specific circumstances, which in turn lets them prioritize their operations.

This workshop will rely heavily on two documents I've written:
1. The Visualizing Software Supply Chain (VSSC) project, which you can find at https://github.com/SecureStackCo/visualizing-software-supply-chain. This project is an in-depth description of the ten stages of the software supply chain: people, developer tools, source code, integration, deployment, runtime, hardware, DNS, services and cloud.
2. The TVPO (Target, Value, Patterns, Objectives) framework, which you can find at https://gitlab.com/pmccarty/tvpo. This project is a flexible threat modelling and assessment methodology for software supply chains.

Here's a breakdown of the 4-hour session:

INTRODUCTION - What is the software supply chain, and what are some recent attacks we should know about? (30 minutes)
1. Describe what software supply chains are
2. Describe some recent SSC attacks

VISIBILITY - Understand what's in the SSC (60 minutes)
1. Talk about how the applications we are building today are materially different from, and more complex than, earlier applications.
2. Introduce the "Visualizing Software Supply Chain" project. The VSSC project helps people understand visually what's in scope.
a. Explain the ten stages of the SSC
b. Explain that NOT all applications use all ten stages
3. Show the group how to assess an application using the VSSC project
a. Use MyGov as an example

THREAT MODEL - Using the TVPO framework to identify threats (60 minutes)
1. Introduce the TVPO framework, which is custom built to help you threat model your software supply chains
a. Explain the different target types:
- Person
- Application
- Company
b. Show how to identify the value of those targets.

ATTACK - How to use these two frameworks to red team (90 minutes)
1. Introduce a target application (an open-source project picked at random)
2. Use VSSC to identify the different components in the open-source project
a. people - find all the developers, QA and DevOps teams that have access to this application
b. devtools - identify all the tools that those people are using
c. source code - identify
d. integration
e. deployment
3. Apply the TVPO framework to the components and stages identified with VSSC
4. Do the same as above, but this time with a live web app: MyGov or similar
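The VISIBILITY and ATTACK sections both start with the same step: inventory what a project's supply chain is actually made of before threat modelling it. The script below is an added example of that first pass, written for this page; it is not code from the VSSC or TVPO projects or from the speaker. It walks a checkout, maps the artifacts it finds onto VSSC stages (the file-pattern-to-stage mapping is my own assumption, not the VSSC project's definition), and then pulls out the third-party inputs a red team would go after first: GitHub Actions referenced by a workflow (flagging ones pinned to a mutable tag rather than a commit SHA), base images in a Dockerfile (flagging tag-only references without a digest), and direct npm dependencies. The sample repository it scans is constructed inline in a temporary directory so the example runs offline.

```python
"""Inventory a checkout's software-supply-chain artifacts by VSSC stage.

Added example for this page; the stage mapping below is an assumption made
for illustration, not the VSSC project's own definition.
"""
import json
import os
import re
import tempfile
from collections import defaultdict

# Heuristic map from repository artifacts to VSSC stages (assumption, see above).
STAGE_PATTERNS = [
    ("people", re.compile(r"^(CODEOWNERS|\.github/CODEOWNERS|MAINTAINERS(\.md)?)$")),
    ("developer tools", re.compile(r"^(\.editorconfig|\.pre-commit-config\.ya?ml|\.vscode/.*|\.devcontainer/.*)$")),
    ("source code", re.compile(r"^(package(-lock)?\.json|requirements\.txt|go\.(mod|sum)|Cargo\.(toml|lock)|pom\.xml)$")),
    ("integration", re.compile(r"^(\.github/workflows/[^/]+\.ya?ml|\.gitlab-ci\.yml|Jenkinsfile|\.circleci/config\.yml)$")),
    ("deployment", re.compile(r"^(Dockerfile(\..+)?|docker-compose\.ya?ml|k8s/.*\.ya?ml|helm/.*)$")),
    ("dns", re.compile(r"^CNAME$")),
    ("cloud", re.compile(r"^(.*\.tf|serverless\.ya?ml|cloudformation/.*)$")),
]

# 'uses: owner/repo[/path]@ref' lines in a GitHub workflow; local './' actions have no '@' and are skipped.
ACTION_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)", re.M)
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)", re.M | re.I)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(relpath):
    """Return the VSSC stage for a repo-relative path, or None if it is not a supply-chain artifact."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.match(relpath):
            return stage
    return None


def inventory(root):
    """Walk a checkout and group supply-chain artifacts by VSSC stage."""
    found = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            stage = classify(rel)
            if stage:
                found[stage].append(rel)
    return {stage: sorted(paths) for stage, paths in found.items()}


def workflow_actions(text):
    """List (action, ref, pinned) for each third-party action a workflow pulls in.
    Only a full 40-hex commit SHA counts as pinned; tags and branches can be moved by the action's owner."""
    return [(name, ref, bool(SHA1_RE.match(ref))) for name, ref in ACTION_RE.findall(text)]


def base_images(text):
    """List (image, pinned) for each FROM line; pinned means an immutable sha256 digest, not a tag."""
    return [(img, "@sha256:" in img) for img in FROM_RE.findall(text)]


def direct_dependencies(package_json_text):
    """Return the runtime dependencies declared in a package.json (source-code stage)."""
    return sorted(json.loads(package_json_text).get("dependencies", {}))


# Constructed sample checkout for the demo; names, SHA and contents are made up.
SAMPLE_FILES = {
    ".github/CODEOWNERS": "* @example-org/platform-team\n",
    ".pre-commit-config.yaml": "repos: []\n",
    "package.json": json.dumps({"name": "demo", "dependencies": {"express": "^4.19.2", "lodash": "^4.17.21"}}),
    ".github/workflows/ci.yml": (
        "on: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7\n"
        "      - uses: ./.github/actions/local-lint\n"
    ),
    "Dockerfile": "FROM node:20-alpine\nCOPY . /app\n",
    "CNAME": "demo.example.com\n",
    "infra/main.tf": 'provider "aws" {}\n',
    "src/index.js": "console.log('hi')\n",
}


def build_sample_repo(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def run_demo():
    """Build the sample checkout in a temp dir, inventory it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        inv = inventory(root)
        with open(os.path.join(root, ".github/workflows/ci.yml")) as fh:
            actions = workflow_actions(fh.read())
        with open(os.path.join(root, "Dockerfile")) as fh:
            images = base_images(fh.read())
        with open(os.path.join(root, "package.json")) as fh:
            deps = direct_dependencies(fh.read())
    return {"inventory": inv, "actions": actions, "images": images, "dependencies": deps}


if __name__ == "__main__":
    result = run_demo()
    for stage, paths in result["inventory"].items():
        print(f"{stage:16} {', '.join(paths)}")
    for name, ref, pinned in result["actions"]:
        print(f"action {name}@{ref}  {'pinned' if pinned else 'UNPINNED (mutable ref)'}")
    for img, pinned in result["images"]:
        print(f"image  {img}  {'pinned' if pinned else 'UNPINNED (tag only)'}")
    print("npm dependencies:", ", ".join(result["dependencies"]))
```

Point `inventory()` at a real checkout instead of the temp dir to get the stage list for the project you are assessing; the stages that come back empty are a quick first answer to "which of the ten stages does this application actually use". The unpinned action and tag-only base image the demo flags are the integration- and deployment-stage inputs whose owners, rather than the project's own developers, would become the target in the TVPO step that follows.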

Paul is a DevSecOps OG and spends most of his time red teaming the software supply chain for GitLab. He was also the founder of SecureStack, a cloud-native software supply chain security startup. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, and the Australian government, amongst others. More recently Paul started SourceCodeRED.com as a way to deliver his commercial and free training products. Paul is a frequent contributor to open source and is the author of the DevSecOps Playbook, Visualizing Software Supply Chain, the TVPO threat modelling framework and several other open-source projects. He's also a pretty good snowboarder and, most importantly, a husband and father to three amazing kids.