
Let's tackle open-source supply chain issues with open source

Here is a COSCUP2024 OSPN Japan Track Day2 slide.

The open-source supply chain issue has attracted considerable attention, so there is a growing focus on managing software dependencies and vulnerabilities using an SBOM (Software Bill of Materials). In this talk, he will discuss how to create an SBOM from software dependencies using Dependency-Track, an open-source tool developed primarily by OWASP, together with CycloneDX, an SBOM format, to visualize vulnerabilities in the software being developed.

Naruhiko Ogasawara

August 04, 2024

Transcript

  1. COSCUP 2024 OSPN Japan Special Track, 2024/08/04
     Let's tackle open-source supply chain issues with open source
     Naruhiko Ogasawara
  2. Who am I
     Naruhiko Ogasawara (小笠原 徳彦)
     • Japanese security vendor's employee
     • Desktop open source enthusiast – Ubuntu, LibreOffice, printing
     • River kayak lover
  3. Supply Chain
     From Wikipedia: A supply chain, sometimes expressed as a "supply-chain", is a complex logistics system that consists of facilities that convert raw materials into finished products and distribute them to end consumers or end customers. Meanwhile, supply chain management deals with the flow of goods within the supply chain in the most efficient manner.
  4. "Software" Supply Chain
     From Wikipedia: A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact.
     (Diagram: Library, Library, Library, Application, Container, OS, Middleware, Service)
  5. Software Supply Chain Risk
     • Vulnerable software components
     • The injection of a backdoor by a malicious attacker
  7. Vulnerable software components
     • You remember the "log4shell" issue
     • How can we identify vulnerable software within the vast web of software dependencies?
     https://xkcd.com/2347/
  8. Vulnerable software components
     • You remember the "log4shell" issue
     • How can we identify vulnerable software within the vast web of software dependencies?
       – SBOM!
     https://xkcd.com/2347/
  9. Software Bill of Materials
     Software vendors often create products by assembling open source and proprietary software components. A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help organizations or persons avoid consumption of software that could harm them.
     (Diagram: Company A's SBOM and Company B's SBOM feed into the SBOM of the final assembling company)
     SBOM composition:
     • Supplier Name
     • Component Name
     • Component Version
     • Identifier
     • Dependency
     • SBOM Creator
     • Timestamp
  11. Two major SBOM formats
      • SPDX (System Package Data Exchange)
        – https://spdx.dev/
        – Developed by The Linux Foundation
      • CycloneDX
        – https://cyclonedx.org/
        – Developed by OWASP
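The following is an added worked example, not code from the slides or from the CycloneDX or Dependency-Track projects. It shows how the SBOM composition elements listed on slide 9 (supplier, component name, version, identifier, dependency, SBOM creator, timestamp) map onto fields of a CycloneDX JSON document, checks a document for missing elements, and walks the dependency graph to answer the slide 7 question "which of my dependencies pulled this component in?". The sample SBOM is constructed inline with made-up package names and versions; the package-url ("purl") is used as the identifier because that is what CycloneDX, and tools such as Dependency-Track, key vulnerability matching on, so a component without a version or purl is flagged as unmatchable.

```python
import json

# Constructed sample, not output of cdxgen or any real project: a minimal
# CycloneDX 1.5 JSON SBOM carrying the fields the slide lists. Package names
# and versions are made up; the "pkg:gem/..." purls follow the package-url spec.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-08-04T00:00:00Z",                        # when the SBOM was produced
        "tools": [{"name": "example-generator", "version": "0"}],   # SBOM creator
        "component": {"type": "application", "name": "example-app",  # the artifact being described
                      "version": "1.0.0", "bom-ref": "pkg:gem/example-app@1.0.0"},
    },
    "components": [
        {"type": "library", "supplier": {"name": "Example Supplier"},  # supplier name
         "name": "web-framework", "version": "7.1.0",                  # component name / version
         "purl": "pkg:gem/web-framework@7.1.0",                        # identifier
         "bom-ref": "pkg:gem/web-framework@7.1.0"},
        {"type": "library", "name": "xml-parser", "version": "1.16.0",
         "purl": "pkg:gem/xml-parser@1.16.0", "bom-ref": "pkg:gem/xml-parser@1.16.0"},
        # Deliberately incomplete entry, e.g. a vendored copy with no version or purl:
        {"type": "library", "name": "vendored-helper", "bom-ref": "vendored-helper"},
    ],
    "dependencies": [                                                 # dependency graph
        {"ref": "pkg:gem/example-app@1.0.0",
         "dependsOn": ["pkg:gem/web-framework@7.1.0", "vendored-helper"]},
        {"ref": "pkg:gem/web-framework@7.1.0", "dependsOn": ["pkg:gem/xml-parser@1.16.0"]},
        {"ref": "pkg:gem/xml-parser@1.16.0", "dependsOn": []},
        {"ref": "vendored-helper", "dependsOn": []},
    ],
}

# Per-component minimum elements, mapped to CycloneDX field names
# (the "identifier" element is the purl).
MINIMUM_ELEMENTS = ("name", "version", "purl")


def load_sbom(text):
    """Parse a CycloneDX JSON document; reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def component_index(sbom):
    """Map every bom-ref (root component included) to its component dict."""
    index = {}
    root = sbom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        index[root["bom-ref"]] = root
    for comp in sbom.get("components", []):
        index[comp["bom-ref"]] = comp
    return index


def check_minimum_elements(sbom):
    """Return a list of findings; an empty list means every element is present."""
    findings = []
    meta = sbom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("metadata: missing timestamp")
    if not meta.get("tools") and not meta.get("authors"):
        findings.append("metadata: missing SBOM creator (tools/authors)")
    for comp in sbom.get("components", []):
        for field in MINIMUM_ELEMENTS:
            if not comp.get(field):
                findings.append(f"{comp.get('name', '?')}: missing {field}")
    index = component_index(sbom)
    for dep in sbom.get("dependencies", []):
        for ref in [dep["ref"], *dep.get("dependsOn", [])]:
            if ref not in index:
                findings.append(f"dependencies: unresolved bom-ref {ref}")
    return findings


def dependency_paths(sbom, target_ref):
    """All paths from the root component to target_ref: 'why is this in my build?'"""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # guard against cyclic graphs
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    sbom = load_sbom(json.dumps(SAMPLE_SBOM))
    for finding in check_minimum_elements(sbom):
        print("FINDING:", finding)
    for path in dependency_paths(sbom, "pkg:gem/xml-parser@1.16.0"):
        print("PATH:", " -> ".join(path))
```

Run against the sample, the checker reports only the vendored component (missing version and purl), and the path walk shows that xml-parser is present solely because web-framework depends on it. The same two functions work on a real SBOM written by cdxgen, since they rely only on the standard bomFormat, metadata, components and dependencies fields.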
  12. How to create an SBOM
      • Software Composition Analysis (SCA)
        – Software composition analysis (SCA) is a practice in the fields of information technology and software engineering for analyzing custom-built software applications to detect embedded open-source software and detect if they are up-to-date, contain security flaws, or have licensing requirements. (Wikipedia)
  13. What SCA tools commonly do
      • Create an SBOM by analyzing source code dependencies
        – Java Maven, JavaScript npm, Python PyPI, Ruby Gem, …
      • Some commercial (proprietary) tools can also handle source code snippets or embedded components
  14. CycloneDX SCA family
      • If cdxgen won't work, go to https://cyclonedx.org/tool-center/, or just search for "CycloneDX <langname>" (these tools are old, but still work well enough)
      • CycloneDX for Maven – https://github.com/CycloneDX/cyclonedx-maven-plugin
      • CycloneDX for npm – https://github.com/CycloneDX/cyclonedx-node-npm
      • CycloneDX for Python – https://github.com/CycloneDX/cyclonedx-python
      • CycloneDX for Ruby Gems – https://github.com/CycloneDX/cyclonedx-ruby-gem
  15. OWASP Dependency-Track
      • OWASP Dependency-Track
        – https://dependencytrack.org/
        – https://owasp.org/www-project-dependency-track/
        – https://github.com/DependencyTrack/dependency-track
      • Project made by OWASP
      • Visualization tool for CycloneDX SBOMs
      • Open source, licensed under the Apache License 2.0
  16. Creating an SBOM from Ruby code
      npm install -g @cyclonedx/cdxgen
      cd /path/to/rubyproject
      cdxgen
      *) Of course, the Ruby project's dependencies must be managed with a Gemfile.lock.
  17. Conclusion
      • Software supply chain risk is a widely discussed issue nowadays
      • One of the risks is vulnerabilities introduced by dependencies
      • An SBOM can manage such dependencies
      • OWASP Dependency-Track can visualize SBOMs
      • This makes it easy to find vulnerabilities introduced by dependencies