• CramHacks
  • Posts
  • [CramHacks] Newsletter #8: 👻Spooky Supply Chain👻

[CramHacks] Newsletter #8: 👻Spooky Supply Chain👻

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳 

Stickers will be shipped soon - and we still have some left! Send me an email with your shipping info if you want some early adopter CramHacks’ stickers!

Software Supply Chain Security

Vishal Garg has shared what must be the most comprehensive list of Software Supply Chain resources. There’s a reason I’m listing this first; it’s awesome.

👋 If someone wants to add CramHacks under “Experts”, I won’t be upset 😂.

Beautifully written and concise threats overview page. You’re probably seeing this image all over LinkedIn if you follow others in the supply chain community; because it’s awesome. The page also shares real-world examples of supply chain incidents for each category mentioned and notes how SLSA can help.

OWASP has launched the BOM Maturity Model; providing a formalized structure in which bill of materials can be evaluated for a wide range of capabilities, used as a benchmark, and offers customization via profiles.

👋 This is definitely a necessity. Everyone and their grandmas are producing SBOMs lately, but there’s limited expertise to know when your SBOM is meeting or exceeding quality standards. An SBOM is as useful as the data it contains and so if you feed it garbage, you get garbage value.

Sadly, the release of this model did not include an automated tool to score your SBOMs. But! sbombenchmark.dev is an automated SBOM benchmark solution. Shoutout to Semgrep’s Gautam Bhat for letting me know about this website.

cdxgen 9.9.0, the CycloneDX Generator “can now identify reachable now identify reachable components for Java, JavaScript, and TypeScript applications. The information is available for downstream SCA and ASPM tools to prioritize the application vulnerabilities better and cut down false positives.”

👋 Speaking of quality SBOMs re: the previous article; reachability for SBOMs is a sweet value add. The quick summary is that it will tell you where in your projects are you using direct dependencies (it does not currently support transitive dependencies). However, given the expectation for SBOMs to be traded like Pokémon cards, I wouldn’t want to include this information. But, it’s still nice for internal use.

There is an important distinction in that cdxgen simply identifies where a dependency is used, whereas, for example, Semgrep’s reachability identifies the explicit usage of vulnerable functions; so it’s quite a bit more in depth.

GUAC now supports ingesting OpenVEX documents to map relations between software components, vulnerabilities, and their exploitability status.

👋 There is a powerhouse team supporting GUAC. Kudos to you all for another great integration.

Seth Larson documented his path to patching CVE-2023-4863 across the Python ecosystem. The article covers how he approached identifying vulnerable projects, contacting each project, waiting for patched releases, and notifying users of the vulnerable bundled component.

👋 I’m still amazed that every project maintainer responded and released a patched version 🤣. But seriously, that’s a testament to the community!

Tbh, if you don’t know that vulnerability reporting is a mess, I’m surprised you’re reading this newsletter. But, I liked how Cynthia Brumfield leaned on recent events to justify lukewarm takes.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle