1 of 82

Securing Your Software Supply Chain

bit.ly/oss-na

Securing Your Software Supply Chain - @darcyclarke

2 of 82

Darcy Clarke

Based in Toronto, Ontario, Canada 🇨🇦

@darcy on twitter.com

darcyclarke.me on the web

Previously

Currently

Portfolio

@darcyclarke on github.com

npm -h

gh -h

open https://themify.me


3 of 82

Staff Engineer Manager, July 2019 - December 2022

3+ billion downloads/mo (~2% of all registry traffic)

ex. semver, tar, which, ini, ssri, write-file-atomic, hosted-git-info, make-fetch-happen & more…

npm CLI team's maintained projects statusboard:

https://npm.github.io/statusboard/

Product Development + Package Maintenance + Community Engagement + Team Management

September 20th, 2022


4 of 82

Why? Open Source* Software Security is critical to our long-term success


5 of 82

What? Trust.


6 of 82

Current State

Ecosystem


7 of 82

Engines / Runtimes

Package Managers

Languages & Transpilers

Build Tools, Bundlers, Frameworks & more…


10 of 82

How? Dependencies.


11 of 82

JavaScript projects have a lot of Dependencies


12 of 82

3.2 million+ Packages

219 billion+ Downloads (monthly)


14 of 82

The average project has…

~683 transitive dependencies

GitHub's State of the Octoverse: https://octoverse.github.com/2021 & https://octoverse.github.com/2020


15 of 82

Transitive Dependencies

Phylum blog post: https://blog.phylum.io/hidden-dependencies-lurking-in-the-software-dependency-network


16 of 82

It's estimated 75% of vulnerabilities reside in transitive dependencies

Snyk’s State of Open Source Security 2020:

https://snyk.io/series/open-source-security/report-2020/


17 of 82

742% average yearly increase (2019 - 2022) in attacks targeting the open source supply chain

Sonatype's State of the Software Supply Chain 2022:

https://www.sonatype.com/state-of-the-software-supply-chain/


18 of 82

Supply Chain Attacks: 2019 - 2022 (chart)

Sonatype's State of the Software Supply Chain 2022:

https://www.sonatype.com/state-of-the-software-supply-chain/


19 of 82

GitHub Advisory Database - npm ecosystem

2,900+ advisories

80% of Dependabot events

8,000+ malware advisories


20 of 82

59% chance of getting a security alert in the next year

GitHub’s State of the Octoverse:�https://octoverse.github.com/2021 & https://octoverse.github.com/2020


21 of 82

Supply Chain Threats


22 of 82

What are some Threats

  • Vulnerabilities
  • Malware
  • Typosquatting
  • Dependency Confusion
  • Registry Compromise
  • Account Takeovers


23 of 82

How can we mitigate Malware

  • Focus on package contents
  • Active scanning for known patterns
    • AI models tracking behaviours
  • Automated takedowns/advisories
    • Partnerships with security experts & reporting APIs

Reporting Malware

https://www.npmjs.com/support?inquire=security&security-inquire=malware


24 of 82

How can we mitigate Typosquatting

  • Heuristics (name, downloads, versions, published date, author etc.)
  • Policies & Enforcement
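As an added example of the "name" heuristic above (this is not code from the talk or from the npm registry's own scanners), the following measures how close a requested package name sits to a list of well-known names. The `POPULAR` list is constructed for the example; in practice it would be the top-N names by downloads, and a hit would feed a publish-time policy or an install-time warning rather than a hard block.

```javascript
// Added example: edit-distance heuristic for typosquat detection.
// POPULAR is a constructed stand-in for a "top packages by downloads" list.
const POPULAR = ['lodash', 'express', 'react', 'chalk', 'commander', 'cross-env', 'event-stream']

// Fold the substitutions squatters rely on before measuring distance:
// case, separator swaps (cross_env, cross.env) and digit-for-letter lookalikes (l0dash).
function normalize(name) {
  return name.toLowerCase().replace(/[_.]/g, '-').replace(/0/g, 'o').replace(/1/g, 'l')
}

// Optimal string alignment (restricted Damerau-Levenshtein) distance: insert, delete,
// substitute, or transpose two adjacent characters, one edit each. Transpositions are the
// most common real typo ("lodahs"), and plain Levenshtein would count them as two edits.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0))
  for (let i = 0; i <= a.length; i++) d[i][0] = i
  for (let j = 0; j <= b.length; j++) d[0][j] = j
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1)
      }
    }
  }
  return d[a.length][b.length]
}

// "@scope/name" -> "name": squats of a popular package often hide behind a new scope.
function bareName(name) {
  return name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name
}

// Popular names within `maxDistance` edits of `name` after normalisation, nearest first.
// An exact match against the list is a legitimate package, not a squat, so it returns [].
function typosquatCandidates(name, popular = POPULAR, maxDistance = 1) {
  if (popular.includes(name)) return []
  const target = normalize(bareName(name))
  const hits = []
  for (const p of popular) {
    const distance = osaDistance(target, normalize(p))
    if (distance <= maxDistance) hits.push({ target: p, distance })
  }
  return hits.sort((x, y) => x.distance - y.distance)
}

for (const candidate of ['lodash', 'lodahs', 'l0dash', 'crossenv', 'cross_env', 'react-dom', 'event-strem']) {
  console.log(candidate, '->', JSON.stringify(typosquatCandidates(candidate)))
}
```

A distance-0 hit after normalisation (`l0dash`, `cross_env`, `@someone/lodash`) is the strongest signal; distance 1 needs the other heuristics on the slide (download count, age, author) to avoid flagging legitimate near-neighbours.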


25 of 82

How can we mitigate Dependency Confusion

  • Use a publicly owned scope for internal/private proxied packages
  • Set registry configuration in a .npmrc file at the root-level of your projects
  • Respond quickly to build failures
  • Introduce per-package registry protocol to package specifier

Avoiding npm substitution attacks

https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/
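As an added example (not from the talk or the npm CLI), a check a CI job can run to catch the footprint a successful substitution attack leaves behind: resolve the registry npm would use for each package name from the project's `.npmrc` (the scope-to-registry rule the slide recommends), then confirm every scoped entry in `package-lock.json` was actually fetched from that registry. The `@acme` scope, the hostnames and the lockfile are constructed for the example.

```javascript
// Added example: derive the expected registry per package from .npmrc and compare it
// against the `resolved` URLs recorded in a lockfileVersion 2/3 package-lock.json.

// Constructed project-level .npmrc: public registry for everything, our own registry for our scope.
const npmrc = `
# private scope goes to the internal registry; everything else to the public one
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=\${NPM_TOKEN}
`

// Minimal .npmrc reader: "key=value" lines, '#' / ';' comments, no ini sections.
function parseNpmrc(text) {
  const config = {}
  for (const raw of text.split('\n')) {
    const line = raw.trim()
    if (!line || line.startsWith('#') || line.startsWith(';')) continue
    const eq = line.indexOf('=')
    if (eq === -1) continue
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim()
  }
  return config
}

// npm's rule: a scoped name uses "@scope:registry" when that key is set, otherwise the global
// "registry". Without any configuration every name, including an internal one that was never
// published publicly, is looked up on the public registry, which is what substitution exploits.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/'
function registryFor(name, config) {
  const scope = name.startsWith('@') ? name.slice(0, name.indexOf('/')) : null
  const registry = (scope && config[`${scope}:registry`]) || config.registry || DEFAULT_REGISTRY
  return registry.endsWith('/') ? registry : `${registry}/`
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromLockPath(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length)
}

// Every registry-resolved entry must have come from the registry .npmrc maps its name to.
function findRegistryMismatches(lockfile, config) {
  const mismatches = []
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '' || !entry.resolved || !/^https?:/.test(entry.resolved)) continue
    const name = nameFromLockPath(lockPath)
    const expected = registryFor(name, config)
    if (!entry.resolved.startsWith(expected)) mismatches.push({ name, expected, resolved: entry.resolved })
  }
  return mismatches
}

// Constructed lockfile: @acme/auth was resolved from the public registry at a suspiciously
// high version, exactly what a dependency-confusion install looks like after the fact.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/@acme/logger': { version: '1.3.0', resolved: 'https://npm.acme.example/@acme/logger/-/logger-1.3.0.tgz' },
    'node_modules/@acme/auth': { version: '9.9.9', resolved: 'https://registry.npmjs.org/@acme/auth/-/auth-9.9.9.tgz' },
    'node_modules/semver': { version: '7.5.4', resolved: 'https://registry.npmjs.org/semver/-/semver-7.5.4.tgz' }
  }
}

const config = parseNpmrc(npmrc)
console.log(findRegistryMismatches(lockfile, config))
```

Run this against the committed lockfile in CI and fail the build on any mismatch; this is the "respond quickly to build failures" point made concrete, and it also catches a developer whose local `.npmrc` lacked the scope mapping when they regenerated the lockfile.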


26 of 82

How can we mitigate Registry Compromise

  • Package Signing
    - Packages published to npm are signed by the registry; clients verify the signature against npm's published public key
    - The key was rotated & new signatures were created in August 2022 using ECDSA, alongside new npm CLI validation (npm audit signatures)
  • SSRI, Caching & Lockfiles
  • Integrity Checks


27 of 82

How can we mitigate Account Takeovers

  • Mandatory Login Verification
    Everyone - March 2022
  • Mandatory 2FA
    Top-100 Maintainers - February 2022
    Top-500 Maintainers - May 2022
    High Impact - November 2022
  • Improved 2FA Experience
    ex. Self-Serve Dashboard, Recovery Codes, Multiple Keys, Org-wide Management, WebAuthn
  • Improved Login Experience
    ex. npm login & npm publish (web login flow)
  • Investments in Support & Authentication
    ex. playbooks protecting against social engineering, identity verification & automation

High Impact Packages / Maintainers:

1 million+ weekly downloads or 500+ dependents


28 of 82

Lesser talked about Supply Chain Threats


29 of 82

What are some other Threats

  • Noise
  • Confusion
  • Obfuscation
  • Lack of Tooling
  • Lack of Standards
  • Mutability


30 of 82

Nondeterminism & Mutability (ex. feature parity, remote third-party packages, install scripts etc.)


31 of 82

Example: Create React App Project - package.json post-initialization (7 direct dependencies)

  "dependencies": {
    "@testing-library/jest-dom": "^5.16.5",
    "@testing-library/react": "^13.4.0",
    "@testing-library/user-event": "^13.5.0",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "react-scripts": "5.0.1",
    "web-vitals": "^2.1.4"
  }


32 of 82

Example: Create React App Project - Package Managers

Number of "dependencies" installed (no configuration):

  npm v9.4.2       1,408
  yarn v1.22.19    1,256
  pnpm v7.26.3     1,937
  bun v0.5.5       1,386
  deno v1.3.1      1,083

A difference of ± ~850 dependencies between package managers for the same package.json


34 of 82

You must consider how your package manager OR audit tools treat…

  • Development Dependencies
  • Optional Dependencies (including environment-specific conditions)
  • Bundled Dependencies
  • Peer Dependencies
  • Overrides / Resolutions
  • Lifecycle Scripts

Key: Accuracy is very important


36 of 82

No man ever steps in the same river twice.

Heraclitus of Ephesus (Greek Philosopher)

https://en.wikipedia.org/wiki/Heraclitus


37 of 82

No package.json ever installs the same way twice.

Hipster of San Francisco (Full-stack JavaScript Developer)

https://yelp.com


39 of 82

Avoid Mutable Package References

  • Distribution Tags
    ex. "pkg@latest"
  • Remote Tarball URLs
    ex. "https://example.com/file.tgz"
    ex. "https://example.com/"
  • Remote Git Repository URLs
    ex. "https://github.com/user/repo.git"
    ex. "https://example.com/"

Package documents reference data that is both mutable and immutable* & package metadata is not validated


41 of 82

Use Lockfiles

  • Contains:
    • Integrity Values (SSRI)
    • Resolved References
    • Tree Shape
  • npm install
    creates & updates package-lock.json based on package.json & existing node_modules/
  • npm ci
    consumes a package-lock.json & does a clean installation of node_modules/ (errors if package.json & the lockfile disagree instead of silently re-resolving)

npm package-lock.json documentation:

https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json


42 of 82

Understand Validation

  • Signatures
  • Lockfiles:
    • Integrity Values (SSRI)
    • Resolved References
    • *Tree Shape

*Dependencies stored in lockfiles: manually modifying lockfiles can lead to extraneous dependencies being installed


43 of 82

Use Time Travel

--before=<date>
ex. npm install --before=2020
ex. npm install --before="$(date -v -7d)"   (macOS/BSD date; with GNU date use "$(date -d '-7 days')")

Installs the dependency tree such that only versions that were available on or before the given time get installed. If no version is available for the current set of direct dependencies, the command will error.

Only works for registry deps & DeLoreans going 88 mph:
https://docs.npmjs.com/cli/v8/using-npm/config#before
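As an added example (not the npm CLI's code), the mechanism behind `--before`: a package's registry document (packument) carries a `time` map of version to publish timestamp, and resolution is restricted to versions published on or before the cutoff, so a version pushed yesterday by a hijacked account is simply not a candidate. The packument is constructed; only exact versions and caret ranges are resolved here, which is enough to show the filter.

```javascript
// Added example: resolve a range the way `npm install --before=<date>` does, using the
// packument's `time` map. Constructed packument; no network access.
const packument = {
  name: 'example-pkg',
  'dist-tags': { latest: '2.0.0' },
  versions: { '1.0.0': {}, '1.1.0': {}, '1.2.0': {}, '2.0.0': {} },
  time: {
    created: '2021-01-01T00:00:00.000Z',
    '1.0.0': '2021-01-01T00:00:00.000Z',
    '1.1.0': '2021-06-01T00:00:00.000Z',
    '1.2.0': '2023-02-10T00:00:00.000Z',
    '2.0.0': '2023-02-11T00:00:00.000Z',
    modified: '2023-02-11T00:00:00.000Z'
  }
}

const parse = (v) => v.split('.').map(Number)
function compareVersions(a, b) {
  const [x, y] = [parse(a), parse(b)]
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i]
  return 0
}

// "1.2.3" matches only itself; "^1.2.3" matches >=1.2.3 <2.0.0 (>=0.y.z <0.(y+1).0 when major is 0).
function satisfies(version, range) {
  if (!range.startsWith('^')) return compareVersions(version, range) === 0
  const base = range.slice(1)
  const [major, minor] = parse(base)
  const upper = major > 0 ? `${major + 1}.0.0` : `0.${minor + 1}.0`
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0
}

// Highest version matching `range` whose publish time is on or before `before`.
// Errors when nothing qualifies, as the npm CLI does for that case.
function resolveBefore(pkg, range, before) {
  const cutoff = Date.parse(before)
  const candidates = Object.keys(pkg.versions)
    .filter((v) => Date.parse(pkg.time[v]) <= cutoff && satisfies(v, range))
    .sort(compareVersions)
  if (candidates.length === 0) {
    throw new Error(`No matching version of ${pkg.name}@${range} existed on or before ${before}`)
  }
  return candidates[candidates.length - 1]
}

console.log(resolveBefore(packument, '^1.0.0', '2023-02-10T12:00:00Z'))
```

Note that the filter trusts the registry's own timestamps: `--before` protects against a freshly published malicious version, not against a registry that lies about when something was published, and, as the slide says, it does nothing for git or URL dependencies.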


44 of 82

No package.json ever installs the same way twice.

Robot from the future (.Net Developer)

1101100100010

cache & bundle ALL DEPENDENCIES!!!


45 of 82

Current State of �Solutions & Tooling


47 of 82

Example: create-react-app

🛡️


48 of 82

😎

Example: create-react-app


49 of 82

Example: create-react-app

🤬


51 of 82

Security Companies & Tools

  • Insights/Advisories/Metadata
  • CI/CD Automation
  • Policy Engines & Runtime Enforcement


52 of 82

Red Herrings
/red ˈheriNG/
Seemingly plausible, though ultimately irrelevant & diversionary


53 of 82

Advisory Tools

(npm Audit, Dependabot, Renovatebot & various CI Integrations)

Key: False positives are sometimes okay 🤷🏼‍♂️

Key: False negatives are dangerous 🔥


54 of 82

SBOMs

(Software Bill of Materials)


55 of 82

Cryptography & Artifact Signatures


56 of 82

A package’s contents are the most important

Cryptography & Artifact Signatures


57 of 82

npm audit signatures


58 of 82

Scorecards, Brands & Badging


59 of 82

Panaceas

/panəˈsēə/

A solution or remedy for all difficulties or diseases

Key: there is never one solution


60 of 82

Future State: Solutions & Tooling


61 of 82

There is hope


62 of 82

Insights


63 of 82

socket.dev

sandworm.dev


64 of 82

Reproducible Installations


65 of 82

Package Distributions

"Package Distributions" is a drafted RFC proposal, not yet approved or implemented - https://github.com/npm/rfcs/pull/519

package.json

  "distributions": [
    {
      "engines": {
        "node": "10"
      },
      "platform": "win32",
      "package": "foo-native-win32-10@1.x"
    },
    {
      "platform": "linux",
      "arch": "x64",
      "package": "foo-native-linux-x64@2.x"
    },
    ...


66 of 82

Process Based Policies & Permissions

node --experimental-permission
https://github.com/nodejs/node/pull/44004

node --experimental-policy
https://nodejs.org/dist/latest-v19.x/docs/api/permissions.html

npm RFC: Permissions
https://github.com/npm/rfcs/pull/297


67 of 82

Introspection


68 of 82

Dependency Selector Syntax (DSS)
https://docs.npmjs.com/cli/v8/using-npm/dependency-selectors

  • Answer complex, multi-faceted questions about dependencies, their relationships & associated metadata
  • Consolidates redundant logic of similar query commands in npm (ex. npm fund, npm ls, npm outdated, npm audit ...)
  • CSS Selectors 4 Spec (syntax & operators)

Released in npm v8.16.0

Works with any node project (ex. if you've used yarn or pnpm to install packages it will still work, because it reads the node_modules/ tree actually on disk)


69 of 82

Dependency Selector Syntax (DSS)
https://docs.npmjs.com/cli/v8/using-npm/dependency-selectors

  *                                   // all deps
  :root > *                           // all direct deps
  :root > .prod                       // direct production deps
  :root > .dev                        // direct development deps
  :root > * > .peer                   // any peer dep of a direct dep
  .workspace                          // any workspace dep
  .workspace > .workspace             // any workspace that is a dependency of another workspace
  .workspace:has(*.peer)              // all workspaces that have peer deps
  #lodash                             // any dep named "lodash"
  #lodash@^1.2.3                      // any dep named "lodash" within the semver range ^1.2.3
  [name="lodash"]:semver(^1.2.3)      // equivalent to the above
  #lodash@^1.2.3:not(:deduped)        // get the hoisted node for a given semver range
  #lodash@2.1.5                       // deps with a specific version
  [name="lodash"][version="2.1.5"]    // equivalent to the above
  *:empty                             // deps with no other deps (ie. "leaf" nodes)
  *:has(*)                            // has any deps
  *:not(:empty)                       // equivalent to the above
  *:type(git)                         // all git dependencies

Released in npm v8.16.0


70 of 82

Dependency Selector Syntax (DSS)
https://docs.npmjs.com/cli/v8/using-npm/dependency-selectors

  // find all dependencies with specific licenses
  *[license="MIT"], *[license="ISC"]

  // find all production dependencies below v1.0.0
  .prod:semver(<1)

  // find all dependencies that have an engines.node property set
  *:attr(engines, [node])

  // find all dependencies that depend on react but have not declared it as an optional peer
  *:has(#react):not(:attr(peerDependenciesMeta, react, [optional]))

  // find all dependencies that have myself as a contributor
  *:attr(contributors, [email=darcy@darcyclarke.me])

  // find all dependencies with install lifecycle scripts (scripts is a nested object, so use :attr)
  *:attr(scripts, [install]),
  *:attr(scripts, [postinstall]),
  *:attr(scripts, [preinstall])

Released in npm v8.16.0


71 of 82

@npmcli/arborist

Programmatic Usage

  const Arborist = require('@npmcli/arborist')

  // loadActual() reads the node_modules/ tree that is actually on disk (not the ideal tree)
  // and returns a Promise, so it has to be awaited rather than given a callback.
  async function peerDeps (path = process.cwd()) {
    const arb = new Arborist({ path })
    const tree = await arb.loadActual()
    return tree.querySelectorAll('.peer')
  }

@npmcli/arborist

https://www.npmjs.com/package/@npmcli/arborist


72 of 82

On the Command Line

npm query "<selector>"

Released in npm v8.16.0

Outputs a JSON array of the matching nodes (package.json contents plus location, resolved & integrity), so it pipes into jq:

ex. npm query ":semver(<1)" | jq 'map(.name + "@" + .version)'


73 of 82

Notable Selectors

Not yet implemented…

:semver(<spec>, <selector>, <function>) - semver comparator against [version]

  • spec - a semver version or range
  • selector - an attribute selector for each node (defaults to [version])
  • function - a semver method to apply, one of: `satisfies`, `intersects`, `subset`, `gt`, `gte`, `gtr`, `lt`, `lte`, `ltr`, `eq`, `neq` or the special function `infer` (default `infer`)

:outdated - have newer versions available

:outdated(<type>) - have a specific type of newer version available
ex. "MAJOR", "MINOR", "PATCH", defaults to "ANY"

:vulnerable - have a known CVE
:cve(<id>) - have a specific CVE
:cwe(<id>) - have a vulnerability of a specific weakness type (CWE)

CWE - Common Weakness Enumeration
https://cwe.mitre.org/


74 of 82

Query Support in Audits

"Add --audit-query to npm audit" is a drafted RFC proposal, not yet approved or implemented - ref. https://github.com/npm/rfcs/pull/636

  # only production dependencies
  $ npm audit --audit-query=".prod"

  # only direct production dependencies vulnerable to "Uncontrolled Resource Consumption" (CWE-400, ex. resource exhaustion / denial of service)
  $ npm audit --audit-query=":root > .prod:cwe(400)"


75 of 82

Validation


76 of 82

Audit Policies

"Audit Policies" is a drafted RFC proposal, not yet approved or implemented - https://github.com/npm/rfcs/pull/636

package.json

  "audit": {
    "policies": [
      {
        "name": "Vulnerable",
        "type": "error",
        "query": ":vulnerable"
      },
      {
        "name": "Peer Conflicts",
        "type": "error",
        "query": ".peer:not(:deduped)"
      },
      {
        "name": "Deprecated",
        "type": "warn",
        "query": ":deprecated"
      },
      ...
    ]
  }

Shape:

  {
    "name": "<name>",
    "type": "<log|warn|error>",
    "query": "<selector>"
  }


77 of 82

Key: Imagine a world with a… Standardized Package Resolution Algorithm & Query Selector Syntax

🙏🏻


80 of 82

Key Takeaways:

  • Accuracy in dependency graphs is critical
  • We need standards!
  • A zero trust mentality will keep you safe
  • Share discoveries - security is a team sport
  • If you need a package manager, use npm


81 of 82

Thanks!

Talk: "Securing Your Software Supply Chain"

Twitter: @darcy
GitHub: @darcyclarke
Website: darcyclarke.me

Q&A


82 of 82

Demo
