
Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify


Good morning! I'm really excited to be here. Thank you all for coming. Today, I'm going to talk a little bit about securing software supply chains, a topic that has recently gained significant buzz. If you attended the security conference on Monday, you probably noticed several talks about it. Given the many attacks we've seen, this focus is not surprising.

Rather than reiterate information you can find elsewhere, I'll cover some challenges and lessons we at Shopify have learned and explain why I think this topic is crucial. Shopify's use case is a common one—we all use operating systems, languages, libraries, and container orchestrators.

The Critical Need for Software Supply Chain Security

The ideal time for this focus would have been 20 years ago, before our infrastructure was built on a tangled web of dependencies; now is the second-best time. When preparing for this talk, I remembered my first KubeCon in 2017, when I realized I'd need many images of containers to give a talk on container images. That search is a good way into the software engineering process.

Imagine you are looking for container images. You search online and find a free toolbar with great reviews that claims it needs admin privileges. It looks suspicious because it resembles past malicious programs. Let's move beyond toolbars and consider npm packages: researchers caught a trojan package named "fixerror", and even trusted npm packages can be replaced by malicious ones.

Broader Problem of Trust

We can't be sure our dependencies are safe. Whether it's npm, curl | bash, or go get, all methods involve some level of risk. These dependencies become part of our software supply chain, and their vulnerabilities become ours.

Understanding the Supply Chain Risks

Physical manufacturers can't avoid supply chains; they need raw materials and specialized labor. Similarly, rejecting all third-party code isn't practical or safe. Cryptographic algorithms, for instance, should not be created by non-experts. The flip side is the "left-pad" incident on npm, where the deletion of 17 lines of code caused widespread failures.

Real-World Attacks

We've seen severe attacks, like SolarWinds and Log4j, that highlight the dire need for enhanced supply chain security. These risks reach into vital parts of daily life, and they must be managed even when we can't identify every component.

Shopify's Approach

At Shopify, we start with secure development, ensuring developer identity and effective reviews. We automate builds and use in-toto for documenting build steps. Vulnerability scans are conducted using Trivy, and for signatures and attestations, we use Cosign.

For secure deployment, we use our cloud provider's binary authorization and an open-source project called Voucher. We also follow SLSA, especially its early levels, as a guideline for implementation.
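To make the deployment-side check concrete, here is an added example of the kind of policy a binary-authorization or Voucher-style gate applies to an attestation before admitting an image. This is not Shopify's Voucher or the Cosign code base. It assumes a DSSE envelope carrying an in-toto Statement with a SLSA provenance v0.2 predicate (the shape `cosign attest` produces), and it substitutes an HMAC-SHA256 over the DSSE pre-authentication encoding for Cosign's real ECDSA signature so the example runs offline with only the standard library; the builder id, image name, digests and key are constructed values.

```python
"""Policy check over a signed SLSA provenance attestation.

Added example, not Shopify's Voucher or the cosign code base. Assumptions:
  - the envelope is DSSE carrying an in-toto Statement whose predicate is
    SLSA provenance v0.2, the shape `cosign attest` produces;
  - an HMAC-SHA256 over the DSSE PAE stands in for cosign's real ECDSA
    signature so that the example runs offline with only the stdlib;
  - builder id, image name, digests and key below are constructed values.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Tuple

TRUSTED_BUILDER = "https://ci.example.com/builder/v1"   # assumed trusted builder id
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
IMAGE_DIGEST = "sha256:" + "ab" * 32                     # constructed image digest
DEMO_KEY = b"constructed-demo-key"                       # stand-in for a signing key


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes a signer actually signs.
    Signing the PAE (not the bare payload) binds the payload type to it."""
    return b" ".join([
        b"DSSEv1",
        str(len(payload_type)).encode(), payload_type.encode(),
        str(len(payload)).encode(), payload,
    ])


def sample_statement(digest: str = IMAGE_DIGEST, builder: str = TRUSTED_BUILDER) -> dict:
    """Constructed in-toto Statement with a SLSA v0.2 provenance predicate."""
    algo, _, value = digest.partition(":")
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "registry.example.com/shop/web", "digest": {algo: value}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder},
            "buildType": "https://ci.example.com/buildkit@v1",
            "invocation": {"configSource": {
                "uri": "git+https://example.com/shop/web",
                "digest": {"sha1": "0" * 40},
            }},
        },
    }


def make_envelope(statement: dict, key: bytes = DEMO_KEY) -> dict:
    """Wrap a statement in a DSSE envelope; HMAC stands in for the signature."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}],
    }


def verify_attestation(envelope: dict, image_digest: str, key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Admission decision for one image digest: (admitted, reason). Any doubt is a deny."""
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        sigs = [base64.b64decode(s["sig"], validate=True) for s in envelope["signatures"]]
    except (KeyError, TypeError, binascii.Error):
        return False, "malformed envelope"
    ptype = envelope.get("payloadType", "")
    # Verify over the PAE first: nothing inside an unverified payload is trusted.
    expected = hmac.new(key, pae(ptype, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, s) for s in sigs):
        return False, "signature does not verify over the DSSE PAE"
    if ptype != PAYLOAD_TYPE:
        return False, f"unexpected payloadType {ptype!r}"
    try:
        stmt = json.loads(payload)
    except ValueError:
        return False, "payload is not JSON"
    if stmt.get("predicateType") != PROVENANCE_TYPE:
        return False, "not a SLSA provenance attestation"
    # Bind the attestation to the exact digest being deployed, never to a tag.
    algo, _, value = image_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == value for s in stmt.get("subject", [])):
        return False, "attestation does not cover this image digest"
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder != TRUSTED_BUILDER:
        return False, f"untrusted builder {builder!r}"
    return True, "admitted"


if __name__ == "__main__":
    env = make_envelope(sample_statement())
    print(verify_attestation(env, IMAGE_DIGEST))
    print(verify_attestation(env, "sha256:" + "cd" * 32))
```

The order of checks is the point: the signature is verified over the PAE before any field of the payload is read, the subject digest is matched against the digest actually being admitted, and only then is the builder identity compared with the allowlist. Swapping the HMAC for a real public-key verification (as Cosign does) changes one line; the policy logic stays the same.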

Challenges and Solutions

Key challenges include detecting non-packaged software and establishing processes for vulnerability triage. Our internal project, Hansel, may address some issues.

Securing the supply chain also involves practices like software updates, least privilege, and anomaly detection using tools like Falco.

Community Involvement

Everyone involved in software development can contribute to securing supply chains. Join relevant SIGs or working groups, use and contribute to open-source tools, and follow best practices outlined by cloud providers and benchmarks.

Conclusion

Supply chain security is critical due to increased cyber-attacks. Evaluate your organization's supply chain and think about your software's origins to improve processes and protect both physical and virtual infrastructures.

Thank you.


Keywords

  • Software Supply Chain
  • Shopify
  • NPM Packages
  • Security
  • Vulnerability Scanning
  • in-toto
  • Cosign
  • Binary Authorization
  • SLSA Guidelines
  • Community Involvement

FAQ

Q1: Why is software supply chain security crucial now?

A1: The software supply chain today is built on complex, interconnected dependencies. As cyber attacks increase in sophistication, the integrity of these supply chains becomes critically important to protect.

Q2: What are some of the key challenges in securing a software supply chain?

A2: Challenges include ensuring the identity of developers, automating secure builds, managing vulnerabilities in non-packaged software, and effectively performing vulnerability triage.

Q3: What tools does Shopify use for supply chain security?

A3: Shopify uses a combination of in-toto for documenting build steps, Trivy for vulnerability scans, Cosign for signatures and attestations, and binary authorization for secure deployment.

Q4: How can the broader community contribute to supply chain security?

A4: The community can engage with relevant SIGs or working groups, use and contribute to open-source tools, follow best practices, and always question the origin and security of their dependencies.