Deep dive into the
secure software supply chain
on Infrastructure as Code (IaC)
Paolo Mainardi
➔ Co-founder and CTO @Sparkfabrik
➔ Linux Foundation Europe Advisory Member
➔ Blog: paolomainardi.com
➔ Podcast: Continuous Delivery
➔ linkedin.com/in/paolomainardi
➔ continuousdelivery.social/@paolomainardi
➔ paolo.mainardi@sparkfabrik.com
@paolomainardi
THE SESSION
➔ What is a Software Supply Chain
➔ IaC and OCI containers
➔ DEMO of Sigstore and Syft
“A supply chain is a network
of individuals and companies
who are involved in creating
a product and delivering it
to the consumer”
https://slsa.dev/spec/v0.1/#supply-chain-threats
2020
About 18,000 SolarWinds customers installed the infected updates,
including firms like Microsoft (Cisco, Intel, Deloitte) and top US government agencies
like the Pentagon, Homeland Security, National Nuclear Security etc.
WHAT SOLARWINDS TAUGHT US
CONVENTIONAL SECURITY ADVICE
THAT DOESN’T APPLY HERE:
● Only install signed versions ❌
● Update your software to the latest version ❌
● Review source code ❌
● Closed source is more secure by design ❌
Log4j - Log4shell 2021 - CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
Timeline - Log4shell 2021 - CVE-2021-44228
➔ 24th November: Issue discovered by Chen Zhaojun of the Alibaba Cloud Security Team,
and reported to the Apache Software Foundation.
➔ 9th December: The RCE 0-day vulnerability was tweeted along with a POC posted on
GitHub - RCE can be triggered just by passing a certain string
◆ Hours later hundreds of companies and governments confirmed to be
affected by Log4Shell attacks
➔ 10th December: Apache released an emergency security update and details on a critical
vulnerability in Log4j - assigning a CVSS score of 10.
➔ Patches introduced other critical vulnerabilities: CVE-2021-45046 - CVE-2021-45105 -
CVE-2021-4104
➔ All applications using log4j, directly or indirectly, are affected as a result of a supply
chain dependency
Source: Sonatype Log4j exploit update
https://www.sonatype.com/state-of-the-software-supply-chain/introduction
https://linuxfoundation.eu/cyber-resilience-act
Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google
STATE OF THE
IaC
ECOSYSTEM
Infrastructure as code
➔ Declaratively describe your infrastructure as code
◆ K8S, VMs, networks, storage, users, permissions…
➔ Examples:
◆ Terraform - OpenTofu (HCL)
◆ Pulumi (TypeScript, Python, Go, C#, Java, YAML)
◆ Crossplane (Kubernetes) (YAML)
Extensible with dependencies
● Terraform registry
○ Providers
○ Modules
● Crossplane Contrib
○ Providers
○ Compositions (XRD)
● Pulumi registry
○ Packages
Terraform/OpenTofu
DEEP-DIVE
TERRAFORM: PROVIDERS AND MODULES
● Providers are API implementations (GCP, AWS, DO etc…) and Modules are
groups of resources.
● Terraform providers and modules used in your Terraform configuration
have full access to the variables and Terraform state within a workspace
TERRAFORM: ANATOMY OF A MODULE AND SECURITY RISKS
● Modules don’t have any form of signature or checksum (tampering risk)
● Anyone can publish a module on the public Terraform Registry from a GitHub
repository (typosquatting risk)
● Module versions are based on git tags (tampering risk)
What can a module do,
other than create cloud
resources?
TERRAFORM: MODULE MALICIOUS CODE
● Can run any form of custom code (local-exec, external)
● Can interact with the network using the http provider
BUSINESS REQUEST ON THURSDAY, DEADLINE IS FRIDAY
Hey team, we have an urgency for a big marketing campaign
just confirmed by the customer.
We need to deploy a new static website on GCP
and give access to an external team
to let them update it when needed, can you help us?
Please 🥺
TERRAFORM: Find a module on Google: “gcp static website terraform”
Step 1 - Found the module we need
TERRAFORM: Review the module’s code
Step 2 - Quickly review the code
TERRAFORM: Get hacked
Step 3 - Got hacked - Saturday morning call: we have been hacked, what happened??
TERRAFORM: HOW TO DETECT A SERVICE ACCOUNT LEAK?
TERRAFORM: DETECT SERVICE ACCOUNT LEAK WITH CHECKOV
https://github.com/bridgecrewio/checkov
LESSON LEARNED
TERRAFORM: MODULE MALICIOUS CODE
Do not blindly trust community modules
Always use a static security scan tool like
Checkov, TFSec or Trivy
That alone is not enough: write your own policies.
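One way to write such a policy, as an added example that is not from the talk and is not Checkov's own code: a small Python check that flags the module capabilities listed earlier (local-exec, external, http) and git module sources that are not pinned to a full commit SHA. The rule IDs, the regex-based matching (a real policy would parse HCL properly) and the sample module are assumptions of this example.

```python
import re

# Hypothetical rule IDs; each pattern matches one capability named on the slides.
RULES = [
    ("LOCAL_EXEC", re.compile(r'provisioner\s+"local-exec"')),
    ("EXTERNAL_DATA", re.compile(r'data\s+"external"\s+"')),
    ("HTTP_DATA", re.compile(r'data\s+"http"\s+"')),
]
# A git module source, capturing the ?ref= value when one is present.
GIT_SOURCE = re.compile(r'source\s*=\s*"git::[^"?]+(?:\?ref=([^"&]+))?')
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def scan_module(hcl):
    """Return (line_number, rule_id) findings for the text of one .tf file."""
    findings = []
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comments are not evaluated by Terraform
        findings += [(lineno, rid) for rid, pat in RULES if pat.search(line)]
        m = GIT_SOURCE.search(line)
        # A tag or branch can be moved after review; a full commit SHA cannot.
        if m and not FULL_SHA.match(m.group(1) or ""):
            findings.append((lineno, "UNPINNED_GIT_REF"))
    return findings

# Constructed sample module with placeholder values (not the module from the talk).
SAMPLE_MODULE = '''\
module "site" {
  source = "git::https://example.invalid/acme/gcs-site.git?ref=v1.2.0"
}
module "net" {
  source = "git::https://example.invalid/acme/net.git?ref=0123456789abcdef0123456789abcdef01234567"
}
resource "null_resource" "post" {
  provisioner "local-exec" {
    command = "echo placeholder"
  }
}
# data "external" "old" {}
data "external" "lookup" {
  program = ["sh", "-c", "echo {}"]
}
data "http" "notify" { url = "https://example.invalid/hook" }
'''

if __name__ == "__main__":
    for lineno, rule_id in scan_module(SAMPLE_MODULE):
        print(f"line {lineno}: {rule_id}")
```

A finding is a prompt to read that block before applying, not proof of malice: local-exec and external have legitimate uses.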
DOCKER OCI IMAGES DEEP-DIVE
OCI stands for Open Container Initiative.
OCI defines the specifications and standards
for container technologies
(Runtime, Image and Distribution spec).
Container registries can also be used to store
other kinds of artifacts (like Helm charts)
or just any arbitrary files.
What is the trusting model behind a Container Image,
or in general, a digital artifact?
How can I be sure that what I’m running
is coming from a trusted source?
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
1984
SECURE SOFTWARE SUPPLY CHAIN CHECKLIST
✅ Who built it, when and how
(Signatures and Provenance Attestations)
✅ The list of things that make up the artifact
(SBOM - Software Bill of Materials)
DIGITAL SIGNATURES 101
Integrity
Ensure the data signed was
not altered.
Authenticity
Attest that the data was
sent by the signer.
Non-repudiation
Ensure that the signer
cannot deny the authenticity
of the signature.
Managing keys is hard
Distribution, Storage, Compromise
DIGITAL SIGNATURES - SIGSTORE
Sigstore is an OSS
project under the
umbrella of OpenSSF
foundation.
Fast-growing
community and
mainstream adoption
Used in Kubernetes
and by many other big
vendors
(GitHub, RubyGems, Arch Linux etc..)
DIGITAL SIGNATURES - SIGSTORE
Keyless signing of any
software artifact
Signature metadata
is stored in a public
tamper-resistant log
Signatures are stored
alongside images in
the OCI registry
SBOM:
SOFTWARE
BILL OF
MATERIALS
A list of “ingredients”
for a software artifact
Can be used for:
➔ Vulnerability scanning
➔ Software transparency
➔ License policy
➔ Find abandoned dependencies
SBOM
FOR
CONTAINERS
Creating an SBOM for an artifact is a
complex problem
Dependencies live at different levels:
➔ Operating system (Windows, Debian, Alpine
etc…)
➔ Operating system dependencies (RPM, DEB,
APK, PKG…)
➔ Application dependencies (Composer, NPM,
RubyGems, PyPI, etc…)
➔ Static binaries and their dependencies (Go,
Rust etc…)
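How an SBOM supports the uses listed above, as an added example that is not from the talk: a Python function that reads a CycloneDX-style JSON document, groups components by the dependency levels just described using the package URL type, and applies a license policy. The purl-to-level mapping, the denied-license list and the sample SBOM are constructed for this example.

```python
import json
from collections import defaultdict

# purl type -> dependency level from the slide (mapping is this example's assumption).
LEVELS = {"deb": "os-package", "rpm": "os-package", "apk": "os-package",
          "composer": "application", "npm": "application", "gem": "application",
          "pypi": "application", "golang": "static-binary", "cargo": "static-binary"}
DENIED_LICENSES = {"AGPL-3.0-only"}  # hypothetical organisation policy

# Constructed CycloneDX-style fragment; real generators emit many more fields.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "libexample1", "version": "1.0.0-1",
     "purl": "pkg:deb/debian/libexample1@1.0.0-1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "example-ui", "version": "2.1.0", "purl": "pkg:npm/example-ui@2.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "example.invalid/report", "version": "v0.4.0",
     "purl": "pkg:golang/example.invalid/report@v0.4.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "mystery", "version": "0.0.1", "purl": "pkg:generic/mystery@0.0.1"},
]})

def purl_type(purl):
    """pkg:<type>/<namespace>/<name>@<version> -> <type>"""
    return purl.split(":", 1)[1].split("/", 1)[0]

def review_sbom(sbom_json):
    """Group components by dependency level and list license-policy violations."""
    by_level, violations = defaultdict(list), []
    for comp in json.loads(sbom_json).get("components", []):
        ref = f'{comp["name"]}@{comp["version"]}'
        level = LEVELS.get(purl_type(comp.get("purl", "pkg:unknown/")), "unclassified")
        by_level[level].append(ref)
        ids = {entry.get("license", {}).get("id") for entry in comp.get("licenses", [])}
        if not ids:
            violations.append((ref, "no license declared"))
        violations += [(ref, f"denied license {i}") for i in sorted(ids & DENIED_LICENSES)]
    return dict(by_level), violations

if __name__ == "__main__":
    levels, problems = review_sbom(SAMPLE_SBOM)
    print(levels, problems, sep="\n")
```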
SBOM - Tools
$ docker sbom
DEMO
Takeaways
➔ Software Supply Chain security must be taken
very seriously
➔ IaC suffers from the same issues as software
projects
➔ Always use static analysis tools like Checkov
| Trivy | TFSec
➔ Sign your artifacts, Sigstore is nice and easy!
➔ Generate SBOMs and scan for vulnerabilities:
Snyk | Grype | Trivy
➔ Automate your dependencies with Dependabot
or RenovateBot
THANKS

CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cloud.pdf
