
[CramHacks] Newsletter #6: is coffee supply chain?

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳 

Life Update

This week we’re in Key Largo, FL 👀. This trip used to be a lot more enjoyable when I was living in NY - I miss San Diego. That said, work is going well and the food here is delicious. I do think it’s time for a CramHacks private jet because these red-eye flights are really taking a toll on me.

Shoutout to all our new subscribers! I was half-asleep one night and dropped a post on r/cybersecurity, only to recognize a few days later that we flew 🛫 past 100 subscribers.

As the end of year starts to slow down for Holidays, I’m beginning to fill my schedule with speaking opportunities. I have some scheduled already, but would love to do more! If you’re a part of a community interested in Software Supply Chain Security, no matter the size, shoot me an email and let’s schedule something 🙂.

Software Supply Chain Security

Jeff Luszcz discusses software composition analysis (SCA) and why your SBOM or supply chain security products are likely not giving you the expected coverage for the latest cURL vulnerability and other vulnerabilities impacting (mostly C/C++) packages.

👋 I wanted to start off this week with the simplest expression of how messy software supply chain security is.

Exhibit A: The definition of Software Supply Chain Security as per Synopsys:

“The software supply chain is anything and everything that touches an application or plays a role, in any way, in its development throughout the entire software development life cycle (SDLC). Software supply chain security is the act of securing the components, activities, and practices involved in the creation and deployment of software. That includes third-party and proprietary code, deployment methods and infrastructure, interfaces and protocols, and developer practices and development tools.”

Yep, that’s right… EVERYTHING IS SOFTWARE SUPPLY CHAIN SECURITY. Heck, developers not having coffee readily available is a software supply chain incident.

The question is really, where do we draw the line for what gets included in a software bill of materials (SBOM)? Recent vulnerabilities promote the importance of including system packages and the like, but what’s next: every driver, operating system, kernel version, what the dev had for breakfast?

🙌PREACH🙌 HashiCorp's CEO, Dave McJannet, believes that traditional open-source licensing models are unsustainable for businesses in Silicon Valley as they leave innovations vulnerable to commercial exploitation by competitors, prompting HashiCorp's switch to a more restrictive license.

👋 I love me some open source but sheesh, some of these communities put in a lot of blood, sweat, and tears just to have someone profit off their backs. I don’t know what the solution is, but it’s something we should really be talking about.

Thank you Joe Fay & The Stack for the article.

A repository of reports (OSV Format) for malicious packages identified in Open Source package repositories. 🔥 

👋 This is a solution for a problem we really shouldn’t have - in my opinion, this should be the responsibility of the package managers. npm, for example, is flooded with malicious packages; even after one is taken down, there’s no notice or flag to tell developers they are using a known malicious package - this should be baked into npm audit.

This really came to light when Darcy Clarke, former Staff Engineering Manager for the npm CLI, disclosed the massive bug at the heart of the npm ecosystem.
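As an added example (not the author’s code, and not tooling from the malicious-packages repository), here is the kind of check I’d want baked into npm audit: walk a package-lock.json and match every installed package against OSV-format malicious-package reports, honoring both the explicit versions list and SEMVER introduced/fixed/last_affected ranges. The advisory ID, package names and versions below are constructed placeholders, not real advisories.

```python
"""Flag package-lock.json dependencies that match OSV-format malicious-package
reports (the record shape used by the ossf/malicious-packages repository).

Added example: the advisory ID, package names and versions are constructed
placeholders, not real advisories or real packages.
"""
import json

# Constructed OSV-format record (hypothetical ID and package).
SAMPLE_OSV_RECORDS = [
    {
        "id": "MAL-0000-EXAMPLE",
        "summary": "Malicious code in example-utils (npm)",
        "affected": [
            {
                "package": {"ecosystem": "npm", "name": "example-utils"},
                "ranges": [
                    {
                        "type": "SEMVER",
                        "events": [{"introduced": "1.2.0"}, {"fixed": "1.3.0"}],
                    }
                ],
                "versions": ["1.2.0", "1.2.1"],
            }
        ],
    }
]

# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by path).
SAMPLE_LOCKFILE = json.dumps(
    {
        "name": "demo-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo-app", "version": "0.1.0"},
            "node_modules/example-utils": {"version": "1.2.1"},
            "node_modules/left-pad": {"version": "1.3.0"},
            # A nested copy already on the fixed version: must not be flagged.
            "node_modules/other/node_modules/example-utils": {"version": "1.3.0"},
        },
    }
)


def parse_semver(version):
    """Return (major, minor, patch) as ints; pre-release and build tags are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts[:3])


def in_semver_range(version, events):
    """Evaluate an OSV SEMVER event list: each 'introduced' opens an affected
    interval, closed by the next 'fixed' (exclusive) or 'last_affected'
    (inclusive); an unclosed 'introduced' affects every later version."""
    v = parse_semver(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = (0, 0, 0) if ev["introduced"] == "0" else parse_semver(ev["introduced"])
            continue
        if start is None:
            continue
        if "fixed" in ev and start <= v < parse_semver(ev["fixed"]):
            return True
        if "last_affected" in ev and start <= v <= parse_semver(ev["last_affected"]):
            return True
        start = None
    return start is not None and v >= start


def is_affected(name, version, affected_entry):
    """True if name@version is in the entry's explicit version list or any SEMVER range."""
    pkg = affected_entry.get("package", {})
    if pkg.get("ecosystem") != "npm" or pkg.get("name") != name:
        return False
    if version in affected_entry.get("versions", []):
        return True
    return any(
        r.get("type") == "SEMVER" and in_semver_range(version, r.get("events", []))
        for r in affected_entry.get("ranges", [])
    )


def lockfile_packages(lockfile_text):
    """Yield (install_path, name, version) for every installed package in a v2/v3 lockfile."""
    data = json.loads(lockfile_text)
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # Scoped packages keep their "@scope/name" after the last node_modules/.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield path, name, meta.get("version", "")


def find_malicious(lockfile_text, osv_records):
    """Return one hit per (installed package, matching advisory)."""
    hits = []
    for path, name, version in lockfile_packages(lockfile_text):
        for rec in osv_records:
            if any(is_affected(name, version, a) for a in rec.get("affected", [])):
                hits.append({"path": path, "name": name, "version": version, "id": rec["id"]})
    return hits


if __name__ == "__main__":
    for hit in find_malicious(SAMPLE_LOCKFILE, SAMPLE_OSV_RECORDS):
        print(f"{hit['id']}: {hit['name']}@{hit['version']} at {hit['path']}")
```

Walking the lockfile (rather than package.json) matters because the malicious version is often a transitive dependency you never declared; the nested copy on the fixed version shows why the range evaluation, not just a name match, has to drive the verdict.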

ChainGuard’s Ariadne Conill spreads the word about Wolfi following its one-year anniversary since release.

“Named after the smallest octopus, Wolfi is a lightweight GNU software distribution which is designed around minimalism, making it well-suited for containerized environments built with apko.”

👋 This is a 🔥 project and it’s been exciting to follow, even if I’ve only known about it for a few months.

Sonatype’s Jeff Wayman & Brian Fox simplify Software Supply Chain Security for the masses & highlight recommendations for software manufacturers and policymakers such as:

  • Build security into software products by design,

  • consume only high-value open source software, components, and projects, and

  • require software manufacturers to demonstrate their approach to vetting OSS used in their products.

Ashwin Ramaswami & Mirko Boehm covered the EU Cyber Resilience Act (CRA) back in early September, but I really enjoyed Steven Vaughan-Nichols’ recent rant on the matter. The following quote sums it up best.

“The EU assumes all open-source developers are commercial programmers and that your Fortune 500 company will take care of all the CRA's paperwork”

Chris Hughes, Chief Security Advisor at Endor Labs, highlights the five federal (U.S.) software supply chain security requirements that you should be aware of, including:

  • Cybersecurity Executive Order (EO)

  • OMB M-22-18

  • OMB M-23-16

  • Secure Software Development Framework (SSDF)

  • FDA Ensuring Cybersecurity of Medical Devices/Section 524B

A Drupal module that “integrates Anchore Syft to generate a complete software bill of materials (SBOM) for a Drupal installation, including all PHP dependencies and any other used library from other ecosystems, like Javascript dependencies.”

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle