Download as PDF, PPTX
Uploaded bySouth Tyrol Free Software Conference
SFScon 21 - Luigi Gubello - Security metrics for open-source projects
The document discusses supply chain attacks and how they can affect open source projects. It describes common types of supply chain attacks like namespace confusion, typosquatting, and malicious code injection. It then discusses how the OpenSSF Security Metrics and Security Scorecards tools can help open source projects reduce risks from supply chain attacks by providing security data and scorecards that evaluate projects' security practices and posture.
More Related Content
Similar to SFScon 21 - Luigi Gubello - Security metrics for open-source projects
More from South Tyrol Free Software Conference
SFScon 21 - Luigi Gubello - Security metrics for open-source projects
- 1. SFScon Security metrics for open-source projects Bolzano, 12- 13 November, 2021
- 2. Bolzano, 12 -13 November, 2021 SFScon :~$ whoami Currently Security Engineer at Smallpdf. Previously Security Manager at Arduino. In recent years, I have tried to understand how disinformation spreads on Twitter. I contribute to the Open Source Security Foundation’s “Security Metrics” project, to define security metrics for open-source projects. ● Linux user ● Twitter addicted ● Cats and bowties lover @evaristegal0is luigi.gubello@protonmail.com
- 3. SFScon Bolzano, 12 -13 November, 2021 What is a supply chain attack
- 4. SFScon Bolzano, 12 -13 November, 2021 Supplier Customer (or other supplier) Supplier assets Customer assets “A supply chain attack is a combination of at least two attacks” (ENISA) One on a supplier and another one on the customer (which can be another supplier).
- 5. SFScon Bolzano, 12 -13 November, 2021 According to an ENISA report, at least 20 supply-chain attacks have been identified in one year (July 2020 - July 2021). ● SolarWinds, a cloud management company. Attack attributed to APT29 group (December 2020); ● Mimecast, a cloud-based cybersecurity service. Attack attributed to APT29 group (January 2021); ● Codecov, a code coverage service. Attack without attribution (April 2021); ● Kaseya, IT Management software. Attack attributed to REvil Group (July 2021)
- 6. SFScon Bolzano, 12 -13 November, 2021 How supply-chain attacks can affect open-source
- 7. SFScon Bolzano, 12 -13 November, 2021 According to a Sonatype report, the supply-chain attacks increased 650% YoY over 2020. The most common types of supply-chain attack in 2021 have been namespace (or dependency) confusion, typosquatting and malicious code injection. Only in March 2021, Sonatype identified more than 10.000 dependency confusion copycats infiltrated in npm, PyPI and other ecosystems.
- 8. SFScon Bolzano, 12 -13 November, 2021 Namespace (or dependency) confusion It is a technique where attackers - knowing internal packages’ names used by the target - publish malicious packages with the same name but a higher semantic version. This can lead the development tools to download and install the malicious packages instead of the internal ones. Typosquatting Typosquatting attacks consist to publish packages with misspelled names that can be installed due to human errors (e.g. typo when writing the package name). Malicious code injection Malicious code injection by exploiting different techniques (credentials stealing, fraudulent pull-requests, …).
- 9. SFScon Bolzano, 12 -13 November, 2021 Reduce supply-chain attacks risk
- 10. SFScon Bolzano, 12 -13 November, 2021 Open Source Security Foundation (OpenSSF) is a project which goal is to create a community and define best practices to improve the security of the open-source ecosystem. To reduce risks related to supply-chain attacks in open-source projects, OpenSSF offers two key tools: OpenSSF Security Metrics and OpenSSF Security Scorecards.
- 11. SFScon Bolzano, 12 -13 November, 2021 OpenSSF Security Metrics offers a data-driven overview of open-source projects, by helping stakeholders to make reliable decisions. Security Metrics does data collection from sources such as: ● Security Scorecards – measures the security posture of open source projects ● Criticality Score – determines the influence and importance of open source projects ● Best Practices Badge – communicates how well security best practices are followed ● Security Reviews – displays security assessments performed by researchers
- 12. SFScon Bolzano, 12 -13 November, 2021 Dashboard generated for the Arduino CLI project (metrics.openssf.org)
- 13. SFScon Bolzano, 12 -13 November, 2021 OpenSSF Security Scorecards generates a “security score” for open source projects in a fully automated way. Every scorecard check is actionable. In the evaluation metrics used, the Security Scorecards checks if there are well-defined security policy, code review process, and continuous test coverage with fuzzing and static code analysis tools, to help users to evaluate a project security. The Security Scorecards results are included in the Security Metrics. https://github.com/ossf/scorecard
- 14. SFScon Bolzano, 12 -13 November, 2021 End _ Thank you! HONK 🤍
- 15. SFScon Bolzano, 12 -13 November, 2021