
[CramHacks] Newsletter #7: Supply Chain Zzz's

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳 

Life Update

Back in San Diego! I finally decided to set up my office, and by that I mean I put a desk in the room - so now it’s official.

The weather is still amazing, but I need to do a better job of getting myself outside every day. I also need to figure out how to eat 3 meals per day. Idk where people find the time and I’m far too frugal to eat out for every meal. Anyway, we can figure out that health stuff later… I think that’s how it works?

CramHacks Newsletter #0 stickers are in!!! We have 125 stickers for the OGs. If you want some, just send me your shipping info along with your SSN and I’ll send them your way. Please don’t actually send me your SSN…

Re: Is Coffee Supply Chain; that was a bit of a joke, but how about sleep? That has got to be supply chain. I’ve been thinking about buying a WHOOP but I strongly dislike subscription services. This should be a business expense #SupplyChain.

Software Supply Chain Security

👋 I haven’t been around the block for very long, but in my opinion, Sonatype’s Annual State of the Software Supply Chain Reports are simply… the best.

I’ll be honest, I haven’t made it all the way through yet, but of the 60+ page report, every page I’ve read thus far has had a “WOW” moment. I look forward to taking a closer look in the very near future.

huntr.dev, founded in 2020, was a platform where security researchers got paid to find and fix security vulnerabilities in open-source software. In early August, a Business Wire press release announced that Protect AI was acquiring huntr.dev and launching the huntr AI/ML bug bounty platform.

The platform now accepts only vulnerability and fix submissions for AI and ML libraries and frameworks.

👋 I’m not saying huntr.dev was the greatest site of all time; I’ve reviewed far too many CVEs originating from there to say that… But I don’t anticipate huntr being around for long with this business model.

Shinobi Security’s Varun Uppal shares a pretty sweet demo of Shinobi hooked up with Crash Override’s Chalk (which stamps build artifacts with metadata tying them back to their source and build) to introduce application awareness.

👋 First time I’ve heard of Shinobi, but this demo is awesome. Considering they’re a stealth startup, I can only assume Shinobi, which translates to “one who sneaks”, is a placeholder - but it’s also a sweet name if not.

Monad’s Darwin Salazar shows how organizations can combine Semgrep, Monad, and Snowflake for efficiency, coverage, and visibility into codebase activity.

  • Semgrep: Serves as a comprehensive application security platform, offering vulnerability scanning, secret scanning, and a range of other features.

  • Monad: Acts as a security data ELT platform, managing data infrastructure and transformation, deduplication, and normalization.

  • Snowflake: Provides a unified data cloud platform, consolidating information for quick and effective decision-making and advanced data visualization.

Endor Labs’ Henrik Plate explains why different tools often come to different conclusions about the same dependency and provides real-world examples to back up his claims. Noteworthy problems discussed are:

  • error-prone mappings between CPEs and ecosystem-specific identifiers

  • forks and distribution channels

  • multiple artifacts and rebundling

  • renamed and unmaintained projects

👋 I found the first bullet particularly interesting; I’ve been blessed to start my journey in the software supply chain security space with resources like OSV.
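To make that first bullet concrete, here is an added example (not code from the newsletter or from Endor Labs). It parses CPE 2.3 formatted strings and package URLs (purls), then compares the naive "vendor is the namespace, product is the name" heuristic with a hand-curated mapping table, which stands in for what an ecosystem-native database such as OSV does by keying advisories on the package name in its ecosystem rather than on a CPE. The vulnerability records (VULN-A, VULN-B) and the npm package are constructed; the Maven coordinates and CPE vendor/product names for commons-io and jackson-databind are real but used only as illustration.

```python
"""Why mapping CPEs to ecosystem identifiers is error-prone.

Added example; not code from the newsletter or from Endor Labs. It parses CPE 2.3
formatted strings and package URLs (purls), then compares a naive vendor/product
heuristic with a curated mapping table. The vulnerability records and the npm
package below are constructed; the Maven coordinates and CPE names for the two
real libraries are used as illustration only.
"""
import re
from dataclasses import dataclass

# Components of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string; a literal ':' in a component is escaped as '\\:'."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    values = [re.sub(r"\\(.)", r"\1", f) for f in fields[2:]]
    comp = dict(zip(CPE_FIELDS, values))
    return Cpe(comp["vendor"], comp["product"], comp["version"])


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version (qualifiers and subpath are ignored)."""
    m = re.fullmatch(r"pkg:([^/]+)/(?:(.+)/)?([^/@?#]+)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?", purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    return Purl(m.group(1), m.group(2) or "", m.group(3), m.group(4) or "")


def _norm(s: str) -> str:
    return s.lower().replace("_", "-")


def naive_match(cpe: Cpe, purl: Purl) -> bool:
    """The heuristic many tools start with: vendor ~ namespace, product ~ name, same version."""
    return (_norm(cpe.vendor) == _norm(purl.namespace)
            and _norm(cpe.product) == _norm(purl.name)
            and cpe.version == purl.version)


# Hand-maintained (vendor, product) -> (purl type, namespace, name). A CPE carries no
# Maven groupId, so nothing in the string itself says "commons-io" or
# "com.fasterxml.jackson.core"; somebody has to know.
CURATED = {
    ("apache", "commons_io"): ("maven", "commons-io", "commons-io"),
    ("fasterxml", "jackson-databind"): ("maven", "com.fasterxml.jackson.core", "jackson-databind"),
}


def curated_match(cpe: Cpe, purl: Purl) -> bool:
    target = CURATED.get((cpe.vendor, cpe.product))
    return target == (purl.type, purl.namespace, purl.name) and cpe.version == purl.version


# Constructed inventory: two real Maven coordinates plus an invented npm package
# whose names happen to collide with the jackson-databind CPE.
INVENTORY = [
    "pkg:maven/commons-io/commons-io@2.6",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8",
    "pkg:npm/fasterxml/jackson-databind@2.9.8",
]

# Constructed vulnerability records keyed by CPE, as a CPE-based database would hold them.
VULNS = [
    {"id": "VULN-A", "cpe": "cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*"},
    {"id": "VULN-B", "cpe": "cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*"},
]


def findings(vulns, inventory, matcher):
    """Return sorted (vuln id, purl) pairs the given matcher produces."""
    return sorted((v["id"], p) for v in vulns for p in inventory
                  if matcher(parse_cpe23(v["cpe"]), parse_purl(p)))


if __name__ == "__main__":
    print("naive:  ", findings(VULNS, INVENTORY, naive_match))
    print("curated:", findings(VULNS, INVENTORY, curated_match))
```

Run it and the naive matcher misses both real Maven artifacts (false negatives) while flagging the invented npm package (a false positive), because the CPE vendor never equals a Maven groupId and product names collide across ecosystems; the curated table gets both right, but only because someone maintained it.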

Tom Alrich discusses the complexity and lack of a fixed specification for VEX documents in different formats, emphasizing the need to constrain VEX specs to reduce development costs and make tool production feasible.

👋 Yeah, I have no clue how the ins-and-outs of VEX work; but for the readers out there, here’s my very high level overview:

VEX (Vulnerability Exploitability eXchange) lets a software supplier or other party assert the status of a vulnerability in specific products or versions: Not Affected, Affected, Fixed, or Under Investigation. The point is that a consumer can use those assertions to filter scanner findings that do not actually apply.
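As an added example (not code from the newsletter or from any VEX tool), here is how a consumer might apply a VEX document to scanner findings. It assumes the OpenVEX v0.2.0 layout as I understand it: a top-level statements list whose entries carry a vulnerability name, a products list of identifiers, a status, and, for not_affected statements, a justification label or impact statement (and an action statement for affected). Both the findings and the document are constructed sample data with made-up vulnerability IDs.

```python
"""Apply a minimal OpenVEX document to scanner findings.

Added example; not code from the newsletter or from any VEX tool.
Assumed: the OpenVEX v0.2.0 layout (top-level "statements", each with
"vulnerability", "products", "status", and, for not_affected, a
"justification" or "impact_statement"). Findings and document are constructed.
"""
import json

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# The fixed justification labels OpenVEX allows on a not_affected statement.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed findings, as a scanner might emit them (purl + vulnerability id).
FINDINGS = [
    {"purl": "pkg:npm/example-lib@1.2.3", "vuln": "VULN-1"},
    {"purl": "pkg:npm/example-lib@1.2.3", "vuln": "VULN-2"},
    {"purl": "pkg:golang/example.com/other@0.9.0", "vuln": "VULN-3"},
    {"purl": "pkg:npm/example-lib@1.2.3", "vuln": "VULN-4"},
]

# Constructed OpenVEX document. VULN-1 is a properly justified not_affected;
# VULN-2 claims not_affected with no justification (invalid, must be ignored);
# VULN-3 is fixed, but in a different version than the one we found;
# VULN-4 has no statement at all.
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/constructed-1",
  "author": "Example Supplier",
  "timestamp": "2023-10-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "VULN-1"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "VULN-2"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "VULN-3"},
     "products": [{"@id": "pkg:golang/example.com/other@1.0.0"}],
     "status": "fixed"}
  ]
}""")


def statement_is_valid(st):
    """Reject statements a consumer should not act on."""
    status = st.get("status")
    if status not in VALID_STATUSES:
        return False
    if status == "not_affected":
        # not_affected must explain itself: a fixed label or a free-text impact statement.
        return st.get("justification") in VALID_JUSTIFICATIONS or bool(st.get("impact_statement"))
    if status == "affected":
        # affected must say what to do about it.
        return bool(st.get("action_statement"))
    return True


def index_statements(doc):
    """Map (product @id, vulnerability name) -> statement, skipping invalid ones."""
    index = {}
    for st in doc.get("statements", []):
        if not statement_is_valid(st):
            continue
        vuln = st.get("vulnerability", {}).get("name")
        for product in st.get("products", []):
            pid = product.get("@id")
            if pid and vuln:
                index[(pid, vuln)] = st  # a later statement overrides an earlier one
    return index


def apply_vex(findings, doc):
    """Annotate each finding with the VEX status that applies to it.

    No (valid) statement means "under_investigation": the finding stays on the
    triage list rather than disappearing. Matching is on the exact product @id,
    so a statement about a different version does not apply.
    """
    index = index_statements(doc)
    annotated = []
    for f in findings:
        st = index.get((f["purl"], f["vuln"]))
        annotated.append({
            **f,
            "status": st["status"] if st else "under_investigation",
            "justification": st.get("justification") if st else None,
        })
    return annotated


def open_findings(findings, doc):
    """Findings that still need action: anything not asserted not_affected or fixed."""
    return [f for f in apply_vex(findings, doc)
            if f["status"] in ("affected", "under_investigation")]


if __name__ == "__main__":
    for f in apply_vex(FINDINGS, VEX_DOC):
        print(f["vuln"], f["purl"], "->", f["status"], f["justification"] or "")
```

The two checks worth keeping from this are the validation step (a not_affected with no justification silences a finding for no stated reason, so it is dropped rather than trusted) and exact product matching (the fixed statement for version 1.0.0 says nothing about the 0.9.0 actually in the inventory).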

Molly Weisner, reporter for the Federal Times, shares how the GSA (General Services Administration) is testing a voluntary questionnaire on which vendors self-certify the authenticity and security of the IT products and services they sell to government agencies.

👋 I know I know… self-assessment… but honestly I’ve grown to like them in the early-stages. Would adoption of this self-assessment at scale lead to significant improvement in supply chain security? Probably not, but it gives organizations a glance at what is expected and goals to achieve so that when regulation goes beyond a self-assessment, there are no excuses.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle