COMP3006 Secure Software Development Week3

The document outlines the importance of secure software supply chains, emphasizing the need for evaluating, downloading, and updating software components securely to mitigate risks. It discusses the prevalence of open-source components, the rise in supply chain attacks, and provides best practices for selecting and managing software dependencies. Additionally, it highlights OWASP guidance and practical exercises to reinforce the concepts presented.
COMP3006: Secure Software Development

Week 3: Secure Software Supply Chain

Dr. Yusuf Kürşat Tuncel

Konya Food and Agriculture University

Spring 2024-2025

1 / 31
Agenda
1. Introduction to Software Supply Chain
2. Basics of Reusing Software
3. Selecting and Evaluating Open Source Software
4. Downloading and Installing Reusable Software
5. Updating Components and Interfaces
6. Supply Chain Security
7. OWASP and Supply Chain
8. Practical Exercise
9. Summary and Preview

2 / 31
What is a Software Supply Chain?

All components, tools, and processes in software development
Includes: Code, libraries, dependencies, build tools
Goal: Deliver functional, secure software
Risk: Each link is a potential attack vector

3 / 31
Why It Matters

80% of codebases use open-source components (Synopsys 2023)
Supply chain attacks up 650% (Sonatype 2022)
Example: SolarWinds attack (2020) - compromised build process
Focus: Secure reuse, not just secure coding

4 / 31
Reusing Software: Pros and Cons

Pros:
    Faster development
    Proven functionality
    Community support
Cons:
    Hidden vulnerabilities
    Dependency sprawl
    Maintenance burden

5 / 31
Types of Reusable Software

Open Source Software (OSS): e.g., Apache, Linux
Third-Party Libraries: e.g., Log4j, OpenSSL
Commercial Off-The-Shelf (COTS): e.g., database engines
Internal Components: Reused across projects

6 / 31
Dependency Example

[Figure: Dependency Chain, with nodes Application, Library A, Library B, Vulnerable Dep]

7 / 31
Choosing OSS

Popularity: Active community, frequent updates
Security History: Known vulnerabilities (CVEs)
License: Compatibility with project (e.g., MIT, GPL)
Maintenance: Recent commits, issue responses

8 / 31
Evaluation Criteria

Check GitHub stats: Stars, forks, last update
Review CVE database: e.g., NIST NVD
Audit code: Static analysis tools (e.g., SonarQube)
Example: Avoid unmaintained projects

9 / 31
Example: Evaluating a Library

    # Check last update and issues
    git clone https://github.com/example/repo.git
    cd repo
    git log -1       # Last commit date
    gh issue list    # Open issues (GitHub CLI)

    # Scan for vulnerabilities
    npm install -g snyk
    snyk test        # For Node.js projects

10 / 31
Case Study: Log4Shell

CVE-2021-44228: Log4j vulnerability (2021)
Cause: Unchecked JNDI lookup
Impact: Remote code execution, millions affected
Lesson: Vet dependencies thoroughly

11 / 31
Secure Download Practices

Use official sources: e.g., PyPI, npm registry
Verify integrity: Checksums (SHA256, MD5)
Avoid untrusted mirrors or third-party sites
Example: Malware in fake Python packages

12 / 31
Verifying Integrity

    # Download and verify a package
    wget https://example.com/package.tar.gz
    wget https://example.com/package.tar.gz.sha256

    # Check hash
    sha256sum -c package.tar.gz.sha256
    # Expected output: package.tar.gz: OK
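The check above fetches the .sha256 file from the same server as the archive, so it catches corruption in transit but not a compromised host. The following is an added example (not part of the lecture) that compares an artifact against a digest pinned out of band, accepting either a hex SHA-256 or the `sha512-<base64>` form that npm lockfiles store in their `integrity` field. The function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Algorithms accepted for pinned digests; MD5 and SHA-1 are left out on purpose.
ALLOWED = {"sha256", "sha384", "sha512"}

def parse_pin(pin):
    """Parse 'sha512-<base64>' (lockfile style) or a bare hex SHA-256 digest."""
    if "-" in pin:
        algo, _, b64 = pin.partition("-")
        if algo not in ALLOWED:
            raise ValueError("digest algorithm not allowed: " + algo)
        digest = base64.b64decode(b64, validate=True)
    else:
        algo, digest = "sha256", bytes.fromhex(pin)
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match " + algo)
    return algo, digest

def verify_bytes(data, pin):
    """Constant-time comparison of the computed digest with the pinned one."""
    algo, expected = parse_pin(pin)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)

def verify_file(path, pin):
    """Stream the file so large archives are not loaded into memory."""
    algo, expected = parse_pin(pin)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.digest(), expected)

# Constructed sample: bytes standing in for package.tar.gz, and the pin that
# would have been recorded when the release was first reviewed.
GOOD = b"constructed package contents v1.0.0\n"
PINNED = "sha512-" + base64.b64encode(hashlib.sha512(GOOD).digest()).decode()

if __name__ == "__main__":
    print(verify_bytes(GOOD, PINNED))                # unmodified artifact
    print(verify_bytes(GOOD + b"injected", PINNED))  # tampered artifact
```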

13 / 31
Installation Best Practices

Use package managers: npm, pip, apt
Isolate environments: Docker, virtualenv
Limit permissions: Install as non-root
Audit post-install: Check for unexpected changes

14 / 31
Real-World Example

2018 Event-Stream Attack
Cause: Malicious npm package update
Impact: Stole Bitcoin wallet keys
Fix: Verify package authenticity

15 / 31
Why Update?

Patch vulnerabilities
Maintain compatibility
Improve performance
Risk: Breaking changes or new bugs

16 / 31
Update Strategies

Semantic Versioning (SemVer): Major.Minor.Patch
Automated updates: Dependabot, Renovate
Test updates: CI/CD pipelines
Monitor CVEs: Subscribe to security alerts

17 / 31
Example: Updating a Dependency

package.json (the lodash entry is the vulnerable version):

    {
      "dependencies": {
        "lodash": "^4.17.20"
      }
    }

Update to latest:

    npm install lodash@latest
    npm audit fix    # Fix known issues
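The `^4.17.20` entry above is a range, not a pin, so what actually gets installed depends on what has been published. The following added example (not part of the lecture) implements npm's caret rule for plain Major.Minor.Patch versions and shows which releases the range admits beyond a locked, reviewed version. The published-version list is constructed and pre-release tags are not handled.

```python
def parse(version):
    """Turn 'Major.Minor.Patch' into a comparable tuple of ints."""
    major, minor, patch = (int(p) for p in version.split("."))
    return (major, minor, patch)

def caret_bounds(spec):
    """Return (low, high) for an npm caret range, meaning low <= v < high.

    The leftmost non-zero component is the one that may not change:
    ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
    """
    low = parse(spec.lstrip("^"))
    major, minor, patch = low
    if major > 0:
        high = (major + 1, 0, 0)
    elif minor > 0:
        high = (0, minor + 1, 0)
    else:
        high = (0, 0, patch + 1)
    return low, high

def satisfying(spec, published):
    """All published versions that fall inside the caret range."""
    low, high = caret_bounds(spec)
    return [v for v in published if low <= parse(v) < high]

def resolve(spec, published):
    """Highest version in range, as a fresh install with no lockfile picks."""
    ok = satisfying(spec, published)
    return max(ok, key=parse) if ok else None

def drift(spec, locked, published):
    """Versions the range admits that are newer than the locked one."""
    return [v for v in satisfying(spec, published) if parse(v) > parse(locked)]

# Constructed registry listing for illustration, not real release data.
PUBLISHED = ["4.17.19", "4.17.20", "4.17.21", "4.18.0", "5.0.0"]

if __name__ == "__main__":
    print(satisfying("^4.17.20", PUBLISHED))
    print(resolve("^4.17.20", PUBLISHED))
    print(drift("^4.17.20", "4.17.20", PUBLISHED))
```

Every version returned by `drift` is code that nobody on the project has reviewed yet; a lockfile installed with `npm ci` keeps the build on the locked version until the update is made deliberately.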

18 / 31
Challenges in Updating

Dependency conflicts
Deprecated APIs
Example: Heartbleed (OpenSSL) - delayed updates
Solution: Regular, incremental updates

19 / 31
What is Supply Chain Security?

Protecting all stages: Code, build, deploy
Threats: Injection, tampering, impersonation
Goal: Trustworthy software delivery

20 / 31
Common Attack Vectors

Compromised dependencies
Build tool exploits
Malicious updates
Example: SolarWinds - backdoor in update

21 / 31
Mitigation Techniques

Software Bill of Materials (SBOM): Track components
Code signing: Verify authenticity
Secure CI/CD: Lock down pipelines
Regular audits: Dependency scanning

22 / 31
SBOM Example

Lists all components and versions
Tools: CycloneDX, SPDX

Sample SBOM Snippet

Component: OpenSSL, Version: 1.1.1, License: Apache-2.0

23 / 31
Secure CI/CD Example

    # GitHub Actions workflow
    name: Build
    on: [push]
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v3
          - run: npm ci    # Locked dependencies
          - run: npm audit --production
        permissions:
          contents: read    # Least privilege

24 / 31
Real-World Mitigation

2021 Codecov Attack
Cause: Bash uploader tampered
Impact: Exposed secrets
Fix: Signed artifacts, restricted access

25 / 31
OWASP Guidance

OWASP Top 10: A06 - Vulnerable Components
Recommendations:
    Identify all dependencies
    Remove unused components
    Monitor vulnerabilities
Tool: OWASP Dependency-Check

26 / 31
Dependency-Check Example

    # Run OWASP Dependency-Check
    dependency-check.sh --scan ./project \
        --format HTML --out report.html
    # Output: Lists CVEs in dependencies

27 / 31
Exercise: Secure Your Supply Chain

Task: Audit a sample project's dependencies
Steps:
    List components (SBOM)
    Check for vulnerabilities
    Propose mitigations
Tools: npm audit, Snyk, or manual review
Time: 15 minutes, discuss results
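The first two exercise steps, and the component inventory described on the SBOM slide, can be sketched as follows. This is an added example (not part of the lecture): it builds a component list with package URLs from an npm lockfile, marks each entry as direct or transitive, and flags entries below a fixed version. The lockfile, package names and advisory feed are constructed, and the output borrows CycloneDX-like field names without being a schema-valid CycloneDX document.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout), not a real project.
LOCKFILE = json.loads("""
{
  "name": "sample-app", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0",
         "dependencies": {"library-a": "^2.1.0", "library-b": "^1.4.0"}},
    "node_modules/library-a": {"version": "2.1.3", "license": "MIT"},
    "node_modules/library-b": {"version": "1.4.2", "license": "MIT",
         "dependencies": {"vulnerable-dep": "^0.9.0"}},
    "node_modules/vulnerable-dep": {"version": "0.9.1", "license": "ISC"},
    "node_modules/@scope/util": {"version": "3.0.0", "dev": true}
  }
}
""")

# Hypothetical advisory feed: package name -> first fixed version.
ADVISORIES = {"vulnerable-dep": "0.9.4"}

def vtuple(version):
    return tuple(int(p) for p in version.split(".")[:3])

def list_components(lock, include_dev=False):
    """Step 1: inventory every installed package, direct or transitive."""
    direct = set(lock["packages"][""].get("dependencies", {}))
    components = []
    for path, meta in lock["packages"].items():
        if path == "" or (meta.get("dev") and not include_dev):
            continue  # skip the root project and, by default, dev-only packages
        name = path.rsplit("node_modules/", 1)[-1]
        components.append({
            "name": name,
            "version": meta["version"],
            "license": meta.get("license", "UNKNOWN"),
            "purl": "pkg:npm/" + name.replace("@", "%40") + "@" + meta["version"],
            "direct": name in direct,
        })
    return components

def flag_vulnerable(components, advisories):
    """Step 2: components older than the first fixed version in the feed."""
    return [c for c in components
            if c["name"] in advisories
            and vtuple(c["version"]) < vtuple(advisories[c["name"]])]

if __name__ == "__main__":
    for c in flag_vulnerable(list_components(LOCKFILE), ADVISORIES):
        print(c["purl"], "direct" if c["direct"] else "transitive")
```

In the sample, the flagged package is not listed in the project's own manifest; it arrives through library-b, which is why the inventory has to come from the lockfile rather than from package.json.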

28 / 31
Summary

Supply chain security is critical in modern development
Evaluate, download, and update components securely
Mitigate risks with SBOM, signing, and audits
OWASP provides actionable guidance

29 / 31
Next Week Preview

Topic: Input Validation and Processing
Focus:
    Validating untrusted input
    Preventing injection attacks
Reading: Chapter 3 of "Software Security"

30 / 31
Questions?

Contact: [email protected]
Office Hours: Wednesdays, 14:00-16:00
Resources: Course page

31 / 31
