Real World Security: Software Supply Chain


Real World Security: Software Supply Chain David Lawrence Docker Daniel Shapira Twistlock

Agenda
- What is a supply chain?
- What is the threat model?
- What is the real-world problem?
- Best practices

What is a “Software Supply Chain”?

R&D (slide image credit: https://cooking.stackexchange.com)

Continuous Integration

Distribution

Deployment

The Complete Supply Chain

Why do we care about Software Supply Chain Security?

Attacks on the Software Supply Chain
- 2011: Winnti
- 2015: League of Legends infected with PlugX; Juniper Networks finds unauthorized code in their products
- 2016: Transmission infected with KeRanger; Transmission infected again with OSX/Keydnap
- 2017: Kingslayer; Operation WilySupply; HandBrake contains Proton RAT; PetyaWrap; ShadowPad; CCleaner contains trojan

Software Supply Chain Threat Model

Entry points: upstream code; Stack Overflow (???); build-time dependencies; base images; APIs (Docker)

Assets: proprietary code/data; service secrets; images; user data; secrets; compute

Data flow: Developer -> CI -> Registry -> Servers

Which component is the #1 concern today?


Targets
- Developers: Juniper Networks finds unauthorized code in their products
- Distribution center: Winnti; League of Legends infected with PlugX; Transmission infected with KeRanger; Transmission infected again with OSX/Keydnap; Kingslayer; Operation WilySupply; HandBrake contains Proton RAT; PetyaWrap; ShadowPad; CCleaner contains trojan


Real World Research Findings

Memories from the past
- MongoDB: 18,000 instances hacked; 7 years to patch the default
- Redis: ??? instances hacked; 3 years to patch the default
- Mirai botnet: 390,000 routers hacked; time to patch: ?

Weak Defaults!

Research Motivation
- Most people didn't change default settings
- Popularity and adoption rate is huge
- Apps are trivially easy to run (e.g. docker run registry)

Research Motivation
- Prior work: "Trojanizing Docker images" by Daniel Garcia & Roberto Munoz @RootedCon
- How can it be utilized?
- What else can be gained?

The Possibilities
- Downloading all of your hosted Docker images
- Uploading malicious images
- Modifying existing images
- Uploading arbitrary files

OSS Registry Defaults? No auth.

Research Methodology
- Identify how Docker services are responding: look for the Docker-Distribution-Api-Version response header
- Use Shodan.io
- Utilize the registry API to confirm auth status:
    HTTP GET request to /v2/
    if HTTP status == 200: print "R/W access"
  (a 200 on /v2/ proves anonymous read access; whether pushes are also accepted is a separate check)
- Profit
- More profit: scan with zmap for common registry ports, repeat the API procedure on the results
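The check sketched above, as an added example (not the speakers' scripts and not HazAuth): it fetches /v2/, reads the Docker-Distribution-Api-Version header, classifies the auth posture, and, where anonymous read is possible, goes one step further than the slide and tests for anonymous write non-destructively by opening a blob upload and immediately cancelling it. It assumes curl is installed; the repository name "hazauth-probe" and the target URL in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: Docker Registry v2 auth probe (not from the talk or HazAuth).
# Assumes curl; repo name "hazauth-probe" and all target URLs are hypothetical.

# status_of < raw-headers : numeric status code from the status line
status_of() {
  awk 'NR == 1 { print $2; exit }'
}

# header_value NAME < raw-headers : first matching header value, case-insensitive, CRLF stripped
header_value() {
  awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/\r$/, "", line) }
    index(tolower(line), name ":") == 1 {
      sub(/^[^:]*:[ \t]*/, "", line); print line; exit
    }'
}

# classify_v2_response STATUS WWW_AUTHENTICATE
# 200 on GET /v2/ means the API is served to anonymous clients (at least read);
# 401 with a challenge means auth is wired in; 404 means this is not a v2 registry.
classify_v2_response() {
  case "$1" in
    200) echo no-auth ;;
    401)
      case "$2" in
        [Bb]earer*) echo auth-required:token ;;
        [Bb]asic*)  echo auth-required:basic ;;
        *)          echo auth-required ;;
      esac ;;
    404) echo not-v2 ;;
    *)   echo "unknown:$1" ;;
  esac
}

# classify_upload_response STATUS
# 202 to POST /v2/<name>/blobs/uploads/ means anonymous push is possible;
# 401/403 means push needs credentials even though pull did not;
# 405 is what a registry started with storage.maintenance.readonly returns.
classify_upload_response() {
  case "$1" in
    202)         echo write ;;
    401|403|405) echo read-only ;;
    *)           echo "unknown:$1" ;;
  esac
}

# probe_registry BASE_URL   e.g. probe_registry http://203.0.113.10:5000
probe_registry() {
  local base=$1 hdrs status read_state up up_status loc
  hdrs=$(curl -sS -m 10 -o /dev/null -D - "$base/v2/") || { echo "$base unreachable"; return 1; }
  status=$(printf '%s\n' "$hdrs" | status_of)
  read_state=$(classify_v2_response "$status" "$(printf '%s\n' "$hdrs" | header_value www-authenticate)")
  printf '%s api=%s read=%s\n' "$base" \
    "$(printf '%s\n' "$hdrs" | header_value docker-distribution-api-version)" "$read_state"
  [ "$read_state" = no-auth ] || return 0

  # Write probe: initiating an upload stores no data, and the DELETE below
  # cancels it, so nothing is left behind on the target.
  up=$(curl -sS -m 10 -o /dev/null -D - -X POST "$base/v2/hazauth-probe/blobs/uploads/") || return 1
  up_status=$(printf '%s\n' "$up" | status_of)
  printf '%s write=%s\n' "$base" "$(classify_upload_response "$up_status")"
  loc=$(printf '%s\n' "$up" | header_value location)
  case "$loc" in /*) loc="$base$loc" ;; esac   # Location may be relative
  [ -n "$loc" ] && curl -sS -m 10 -o /dev/null -X DELETE "$loc"
  return 0
}

for target in "$@"; do probe_registry "$target"; done
```

A 200 on /v2/ is evidence of anonymous read only; the upload probe is what separates the "R/W" population from the "read" population in the findings that follow, and it is safe to run because an initiated-then-cancelled upload never writes a blob or manifest.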

Research Findings
- Over 1,000 exposed registries found
- R/W access to 60% of the registries found
- Read access to a further 30%
- Only 10% securely configured
- 45% of those found are owned by big companies
- We didn't even scan the whole internet!

HazAuth – a tool to aid
HazAuth is a tool developed to find authentication problems in containerized environments (and more).
- Modular, pluggable design
- Written in Python
- Can be deployed as a container
- Will come with 3 plugins: MongoDB, Redis, and Docker Registry


Changing the defaults
- Official Registry image: HTTP Basic Auth by default
- OSS Registry code: auto-generate an htpasswd file with a strong random password

Further Best Practices

TLS

Docker Content Trust

Docker Security Scanning

Thank you! Questions?

New Docker Registry defaults: https://github.com/docker/distribution/pull/2362
- Automatically generate a password, create an htpasswd file, and echo it to stdout
- By default the Registry isn't anonymously accessible, but you can easily override this if desired

Demo: New Docker Registry defaults
- Default experience: docker run -d registry
- "Legacy" experience:
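For the "Changing the defaults", TLS and Docker Content Trust slides above, an added example (not the talk's demo and not code from docker/distribution) that puts the weak default deployment next to a hardened one and checks that the hardened registry really rejects anonymous requests. Whatever the status of the pull request above, the stock registry:2 image as documented still starts without authentication unless REGISTRY_AUTH is configured, so the verification step is the part that matters. Assumptions: a registry user named "ci", ./auth and ./certs directories on the host, a certificate pair domain.crt/domain.key already issued for the registry hostname, and curl plus either apache2-utils/httpd-tools or Docker for htpasswd.

```shell
#!/usr/bin/env bash
# Added example: weak vs hardened Docker Registry deployment (not from the talk
# or docker/distribution). Hypothetical: user "ci", ./auth, ./certs, domain.crt/key.

# The weak default: registry:2 listens on 0.0.0.0:5000 with no auth and no TLS,
# i.e. anonymous pull *and* push for anything that can reach the port.
weak_registry() {
  docker run -d --name registry-weak -p 5000:5000 registry:2
}

# 32 alphanumeric characters from the kernel CSPRNG (about 190 bits of entropy);
# alphanumeric only so the value survives quoting in env files and CI variables.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# registry:2 accepts only bcrypt entries in its htpasswd file, so use
# `htpasswd -B` (apache2-utils / httpd-tools) or the copy inside the httpd image.
# -b takes the password on the command line, which shows it in the process list
# for an instant; use `htpasswd -Bc FILE USER` interactively if that matters.
make_htpasswd() {  # make_htpasswd FILE USER PASSWORD
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -Bbn "$2" "$3" >"$1"
  else
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$2" "$3" >"$1"
  fi
  chmod 0600 "$1"
}

# Hardened deployment: basic auth against the htpasswd file and TLS on the
# listener. REGISTRY_* env vars map onto config.yml keys (auth.htpasswd.*, http.tls.*).
hardened_registry() {  # hardened_registry AUTH_DIR CERT_DIR
  docker run -d --name registry --restart=always -p 5000:5000 \
    -v "$(cd "$1" && pwd)":/auth:ro \
    -v "$(cd "$2" && pwd)":/certs:ro \
    -e REGISTRY_AUTH=htpasswd \
    -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2
}

# auth_enforced ANON_STATUS AUTHED_STATUS
# Locked down only if GET /v2/ is 401 without credentials and 200 with them.
# 200/200 means auth is not wired in at all; 401/401 means the credentials are wrong.
auth_enforced() {
  [ "$1" = 401 ] && [ "$2" = 200 ]
}

# verify_registry HOST:PORT USER PASSWORD [CA_FILE]  -> exit 0 only if auth is enforced
verify_registry() {
  local ca=${4:-} anon authed
  anon=$(curl -sS -m 10 ${ca:+--cacert "$ca"} -o /dev/null -w '%{http_code}' "https://$1/v2/")
  authed=$(curl -sS -m 10 ${ca:+--cacert "$ca"} -o /dev/null -w '%{http_code}' -u "$2:$3" "https://$1/v2/")
  if auth_enforced "$anon" "$authed"; then
    echo "ok: anonymous=$anon authenticated=$authed"
  else
    echo "FAIL: anonymous=$anon authenticated=$authed" >&2
    return 1
  fi
}

# End to end: generate credentials, write the htpasswd file, start the hardened
# registry, verify it, log in, and require signed pushes from this shell (DCT).
harden() {  # harden HOSTNAME
  local pass
  mkdir -p auth certs
  pass=$(gen_password)
  make_htpasswd auth/htpasswd ci "$pass"
  hardened_registry auth certs
  sleep 2
  verify_registry "$1:5000" ci "$pass" certs/domain.crt
  printf '%s' "$pass" | docker login -u ci --password-stdin "$1:5000"
  export DOCKER_CONTENT_TRUST=1   # pushes from this shell are now signed via Notary
}

if [ "$#" -gt 0 ]; then harden "$1"; fi
```

Run it as `./harden-registry.sh registry.example.test`; the script assumes the certificate pair for that hostname is already in ./certs. The verify step is deliberately a pair of requests: a single 200 tells you nothing about whether auth is enforced, and a single 401 could just be a typo in the credentials.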

Traditional Package Signing vs. TUF (attacks considered)
- Arbitrary installation
- Endless data
- Extraneous dependencies
- Fast forward
- Indefinite freeze
- Malicious mirror
- Mix-and-match
- Rollback
- Slow retrieval
- Key compromise
- Wrong installation