Real World Security: Software Supply Chain

Presentation on theme: "Real World Security: Software Supply Chain"— Presentation transcript:

1 Real World Security: Software Supply Chain
David Lawrence Docker Daniel Shapira Twistlock

2 Agenda
What is: a supply chain? the threat model? the real world problem?
Best Practices

3 What is a “Software Supply Chain”?

4 R&D

5

6 Continuous Integration

7 Distribution

8 Deployment

9 The Complete Supply Chain

10 Why do we care about Software Supply Chain Security?

11 Attacks on the Software Supply Chain
2011: WinNTi
2015: League of Legends infected with PlugX; Juniper Networks finds unauthorized code in their products
2016: Transmission infected with KeRanger; Transmission infected again with OSX/Keydnap
2017: Kingslayer; Operation WilySupply; Handbrake contains Proton RAT; PetyaWrap; ShadowPad; CCleaner contains trojan

12 Software Supply Chain Threat Model

13 Entrypoints
Upstream code; Stackoverflow; ???; Build-time dependencies; Base Images; API; Docker

14 Assets
Proprietary code/data; Service secrets; Images; User data; Secrets; Compute

15 Data Flow
<Developer> -> <CI> -> <Registry> -> <Servers>

16 Which component is the #1 concern today?

17 Attacks on the Software Supply Chain
2011: WinNTi
2015: League of Legends infected with PlugX; Juniper Networks finds unauthorized code in their products
2016: Transmission infected with KeRanger; Transmission infected again with OSX/Keydnap
2017: Kingslayer; Operation WilySupply; Handbrake contains Proton RAT; PetyaWrap; ShadowPad; CCleaner contains trojan

18 Targets
Developers: Juniper Networks finds unauthorized code in their products
Distribution Center: WinNTi; League of Legends infected with PlugX; Transmission infected with KeRanger; Transmission infected again with OSX/Keydnap; Kingslayer; Operation WilySupply; Handbrake contains Proton RAT; PetyaWrap; ShadowPad; CCleaner contains trojan

19 Data Flow
<Developer> -> <CI> -> <Registry> -> <Servers>

20 Real World Research Findings

21 Memories from the past
MongoDB: 18,000 instances hacked; 7 years to patch

22 Memories from the past
MongoDB
Redis: ??? instances hacked; 3 years to patch

23 Memories from the past
MongoDB
Redis
Mirai Botnet: 390,000 routers hacked; time to patch

24 Weak Defaults!

25 Research Motivation
Most people didn't change default settings
Popularity and adoption rate are huge
Easy to run apps (e.g. docker run registry)

26 Research Motivation
"Trojanizing docker images" – Daniel Garcia & Roberto Munoz @RootedCon
How can it be utilized? What else can be gained?

27 The Possibilities
Downloading all of your hosted docker images
Uploading malicious images
Modifying existing images
Uploading arbitrary files

28 OSS Registry Defaults? No auth.

29 Research Methodology
Identify how docker services are responding: the Docker-Distribution-Api-Version header

30 Research Methodology
Identify how docker services are responding: the Docker-Distribution-Api-Version header
Use Shodan.io
Utilize registry API to confirm auth status: HTTP GET request to /v2/; if HTTP status == 200: print "R/W access"
Profit

31 Research Methodology
Identify how docker services are responding: the Docker-Distribution-Api-Version header
Use Shodan.io
Utilize registry API to confirm auth status: HTTP GET request to /v2/; if HTTP status == 200: print "R/W access"
Profit
More profit: scan with zmap for common registry ports, repeat the API procedures on the results
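Slides 30 and 31 reduce the auth check to "GET /v2/ and look at the status code", and slide 35 gives the fix (HTTP Basic Auth from an htpasswd file). As an added example that is not from the talk or the HazAuth tool, the Python below turns that check into an audit you run against a registry you operate, also distinguishing Basic from Bearer challenges and hosts that are not registries at all; the sample responses are constructed and any URL passed to audit_registry is a placeholder for your own registry.

```python
"""Audit a Docker Registry's GET /v2/ answer for anonymous access (added example)."""
import urllib.error
import urllib.request

# Every registry v2 response carries this header; without it the host is not a registry.
API_VERSION_HEADER = "docker-distribution-api-version"


def classify_v2_response(status, headers):
    """Map the status and headers of GET /v2/ to an audit verdict."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if API_VERSION_HEADER not in lower:
        return "not-a-registry"
    if status == 200:
        # Accepted without credentials: the slide's "R/W access" case.
        return "anonymous-access"
    if status == 401:
        challenge = lower.get("www-authenticate", "").lower()
        if challenge.startswith("basic"):
            return "auth-required:basic"   # htpasswd-style auth, the new default
        if challenge.startswith("bearer"):
            return "auth-required:token"   # token service in front of the registry
        return "auth-required"
    return f"unexpected-status:{status}"


def audit_registry(base_url, timeout=5):
    """GET <base_url>/v2/ on a registry you operate and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_v2_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # a 401 arrives as an exception
        return classify_v2_response(err.code, dict(err.headers))
    except urllib.error.URLError as err:   # DNS/TLS/connection failure
        return f"unreachable:{err.reason}"


# Constructed sample responses standing in for live registries.
SAMPLE_RESPONSES = {
    "open-registry": (200, {"Docker-Distribution-Api-Version": "registry/2.0"}),
    "htpasswd-registry": (401, {"Docker-Distribution-Api-Version": "registry/2.0",
                                "Www-Authenticate": 'Basic realm="Registry Realm"'}),
    "token-registry": (401, {"Docker-Distribution-Api-Version": "registry/2.0",
                             "Www-Authenticate": 'Bearer realm="https://auth.example/token"'}),
    "plain-web-server": (200, {"Server": "nginx"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLE_RESPONSES.items():
        print(f"{name}: {classify_v2_response(status, headers)}")
```

An "anonymous-access" verdict on one of your own registries is exactly the slide 32 "R/W access" finding and means the htpasswd default from slide 35 (or a token service) has been disabled or overridden.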

32 Research Findings
Over 1000 exposed registries found
R/W access to 60% of the found registries
Read access to a further 30%
Only 10% securely configured
45% of those found owned by big companies
We didn't even scan the whole internet!

33 HazAuth – a tool to aid
HazAuth is a tool that was developed to find authentication problems in containerized environments (and more)
Modular, pluggable design
Written in Python
Can be deployed as a container
Will come with 3 plugins: mongoDB, Redis, and Docker Registry

34 HazAuth – a tool to aid

35 Changing the defaults
Official Registry Image: HTTP Basic Auth by default
OSS Registry Code: Auto-generate htpasswd file with strong random password

36 Further Best Practices

37 TLS

38 Docker Content Trust

39 Docker Security Scanning

40 Thank you! Questions?

41 New Docker Registry defaults
Automatically generate a password, create an htpasswd file, and echo to stdout
By default Registry isn't anonymously accessible, but you can easily override this if desired

42 Demo: New Docker Registry defaults
Default experience: docker run -d registry
'Legacy' experience:

43 Traditional Package Signing vs. TUF
Attack classes compared: Arbitrary Installation; Endless Data; Extraneous Dependencies; Fast Forward; Indefinite Freeze; Malicious Mirror; Mix-and-Match; Rollback; Slow Retrieval; Key Compromise; Wrong Installation
