1 of 23

Ya Got Trouble

And SLSA may help

ActiveState - Nicole Schwartz @CircuitSwan - Shmoocon 2023

2 of 23

Yes you got lots and lots of trouble

I'm thinkin' of the devs in CICD

Shirt-tail young ones, peekin' in the IDE window after school

You got trouble, folks

Right here in Shmoo Con, trouble with a capital "T"

And that rhymes with "C" and that stands for cooooode

-The Music Man, modified


3 of 23

I Am What I Am

(La Cage Aux Folles)

  • I speak about DevSecOps, Agile, Diversity & Inclusion, and Women in Technology. I am currently a Product Manager at ActiveState, the deputy Chief Operating Officer for The Diana Initiative and one of the organizers for the Skytalks village at DEF CON.


4 of 23

Totally F*cked

(Spring Awakening)

Credit: https://xkcd.com/2347/


5 of 23

Chains (Beautiful the Carole King Musical)

https://pixabay.com/illustrations/plane-logistics-world-5238847/


6 of 23

Something’s Coming (West Side Story)

  • The US Government has set out to Secure the Software Supply Chain (SSC)
  • Because of the drastic rise in attacks on the software supply chain, governments are taking notice. The US Government (EO 14028 & M-22-18) has set some dates for government agencies to work with their suppliers to improve their SSC security.
    • June 11 “Agencies shall collect attestation letters for critical software”
    • Sept 13 “... for all software”


7 of 23

Something’s Coming (West Side Story)


8 of 23

Whatever Lola Wants (Damn Yankees)

  • So what exactly did they tell everyone to do?
  • At a high level the guidance boils down to this: you should have
    • Software Bill of Materials (SBOM)
    • Software attestations
    • Follow secure software development practices from NIST (SSDF & SSC Security Guidance)


9 of 23

Here’s Where I Belong (Here’s Where I Belong)

  • SLSA is an approachable ladder of prioritized prescriptive practices. By following it you will achieve many parts of the SSDF, which has specific goals but is not specific about how to achieve them.
  • Following SLSA is not required in order to meet SSDF guidance, but it is a nice map to help get you there.


10 of 23

I’ll Know (Guys & Dolls)

  • Supply chain Levels for Software Artifacts (SLSA)
  • Started by Google, now an industry collaboration
  • Current version v0.1
  • Designed as a framework people can follow to reduce their attack surface and increase artifact integrity by reducing tampering.


11 of 23

Two by Two (Book of Mormon)

  • 0 No attestations
  • 1 Documentation of the build process
    • Unsigned provenance
  • 2 Tamper resistance of the build service
    • Hosted source/build, signed provenance
  • 3 Extra resistance to specific threats
    • Security controls on host, non-falsifiable provenance
  • 4 Highest levels of confidence and trust
    • Two-party review + hermetic builds


12 of 23

All I ask of You (The Phantom of the Opera)

  • Source - information about the proprietary code
  • Build - process used to build the code
    • inputs/artifacts -> artifacts
  • Provenance - how the metadata about the code and build is generated and used
  • Future: Common TBD


13 of 23

Defying Gravity (Wicked)

  • It’s not a security scanner: it won’t detect insecure code, CVEs, tokens, passcodes, etc.
  • It will not
    • Prevent insider threat
    • Prevent typosquatting
    • Reduce introduced insecure code
  • It Does
    • Create a document for each build
    • Set common terminology around what security steps are being taken on writing source and performing a build


14 of 23

What Do You Do with a B.A. in English? (Avenue Q)

  • Artifact - data (file, image, anything really)
  • Attestation - a document / metadata; SLSA recommends the in-toto format
  • Package - published artifact
  • Dependency - artifact that is an input to a build process and does not come from source
  • Verification - usually the Verification Summary Attestation: someone stating that an artifact is at a certain SLSA level.
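The Provenance and Attestation/Verification vocabulary above in working form, as an added example that is not part of the slides: it builds an in-toto Statement (v0.1) carrying a SLSA provenance v0.2 predicate for a constructed artifact, then verifies the artifact bytes against the subject digest and checks the builder against an allow list. The builder id, build type and source URI are assumed placeholders, and signature verification is deliberately left out.

```python
import hashlib

# Constructed sample artifact standing in for a real build output.
ARTIFACT = b"#!/bin/sh\necho 'hello from the build'\n"
ARTIFACT_NAME = "app-1.0.0.tar.gz"
# Hypothetical builder identity (assumption); a real one is the CI service's URI.
BUILDER_ID = "https://ci.example.com/builder/v1"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_provenance(artifact: bytes, name: str, source_uri: str, source_commit: str) -> dict:
    """in-toto Statement v0.1 with a SLSA provenance v0.2 predicate.
    Only the fields verify_provenance() inspects are populated."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "buildType": "https://example.com/hypothetical-build/v1",  # assumed
            "invocation": {
                "configSource": {"uri": source_uri, "digest": {"sha1": source_commit}, "entryPoint": "build.sh"}
            },
            "materials": [{"uri": source_uri, "digest": {"sha1": source_commit}}],
        },
    }

def verify_provenance(statement: dict, artifact: bytes, trusted_builders: set) -> list:
    """Return policy failures (empty list = pass): statement/predicate types,
    subject digest matches the bytes in hand, builder is on the allow list."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        failures.append("unexpected predicate type")
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        failures.append("artifact digest not in subject list")
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder}")
    return failures

if __name__ == "__main__":
    prov = make_provenance(ARTIFACT, ARTIFACT_NAME, "git+https://example.com/repo", "a" * 40)
    print("clean artifact:", verify_provenance(prov, ARTIFACT, {BUILDER_ID}))
    print("tampered artifact:", verify_provenance(prov, ARTIFACT + b"x", {BUILDER_ID}))
```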


15 of 23

Why, God, Why? (Miss Saigon)

  • Wait, isn't this SBOM?
  • There is a lot of overlap, good catch!
  • SBOM is all the specific artifact / component / dependency inclusions and sometimes CVEs
  • SLSA has that plus information about
    • where the source of the dependency was
    • how everything came together and was built
    • what to expect as an output.


16 of 23

In My Life (Les Miserables)

  • Not another scanner / tool with outputs to triage
  • Ideally you are partially doing SSD already!
  • You need to check what you are missing, and set those policies or controls
  • Then add some extra output
    • provenance attestation
    • SBOM


17 of 23

Find Your Grail (Spam-A-Lot)

  • Prepare the Organization (PO)
  • Protect the Software (PS)
  • Produce Well-Secured Software (PW)
  • Respond to Vulnerabilities (RV)
  • NIST published an online matrix of SSDF requirements. Many come standard with most DevOps and software development platforms, or are already required by other regulated industries.


18 of 23

I Should Tell You (Rent)

  • See if your development platform offers plug-n-play SBOM - many do!
    • Microsoft's SPDX sbom-tool
    • GitLab's will produce a CycloneDX
    • Anchore's SBOM GitHub Action.
    • ActiveState has you covered and generates an SBOM for all of the open source packages you use.


19 of 23

I Should Tell You (Rent)

  • Many popular development platforms can generate an Attestation for your proprietary code.
    • TestifySec Witness plugin for GitHub and GitLab and more!
    • Google Cloud Build
    • GitHub Actions
    • GitLab Runner Attestations
  • Want to go farther upstream?
    • ActiveState has attestations for open source dependencies


20 of 23

What’d I Miss? (Hamilton)

  • Supply chain Levels for Software Artifacts, or SLSA (salsa).
    • SLSA is an approachable ladder of prioritized prescriptive practices that helps you get closer to SSDF and attestations.

  • Why you should care
    • Popular targets, exponential increase in attacks
    • Government requirements generally spread to industry, and with the increase in attacks, protecting the software supply chain is getting more focus.


21 of 23

What’d I Miss? (Hamilton)

  • What does it do?
    • Sets a Common framework, format, and language
    • Documentation and reproducible builds
  • What it does not do
    • Find/identify vulns, prevent vulns, prevent or detect typosquatting, etc
    • Does not replace your AST (SAST/DAST/fuzzing) or security scanning


22 of 23

What’d I Miss? (Hamilton)

  1. Review SLSA Requirements
  2. Review and update practices and policies as needed
  3. Generate SBOM & Attestations
  4. Review NIST matrix of SSDF requirements


23 of 23

Thank You!

Nicole Schwartz

@CircuitSwan