
Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify

Good morning and thank you all for being here. Today, I will be discussing the topic of securing software supply chains. This has become a popular and important area of focus, given the increasing number of attacks we are witnessing in the wild. While my perspective is based on Shopify's experience, this is a collaborative effort that applies to all organizations that rely on shared operating systems, languages, libraries, and container orchestrators. In this article, I will highlight some of the challenges we have encountered at Shopify and share some lessons learned.

Challenges and Importance of Securing Software Supply Chains

Securing software supply chains is crucial due to the inherent risks involved in using external dependencies. These risks stem from the complexity of modern systems, hidden dependencies, and the potential for compromise or malicious actors. It is essential to recognize the magnitude of these risks and take proactive steps to mitigate them. Trusting our dependencies blindly is no longer an option, and we must find ways to use third-party code safely.

Case Studies: Identifying Suspicious Packages

To illustrate the challenges and risks involved in securing software supply chains, let's consider a few examples. One such example is a suspicious toolbar that promises top-quality, safe container images. The presentation and claims made by this toolbar raise suspicions, making it an obvious red flag. Another example is a trojan hidden within an npm package called "fixer". This package appeared safe at first glance but was later identified as malware. These examples highlight the need for caution when sourcing software dependencies, even from seemingly reputable sources.

Limitations in Trusting Dependencies

When we import external code, we invite potential vulnerabilities into our supply chain. This exposure extends beyond our direct dependencies to the dependencies of those dependencies. Furthermore, the lack of transparency in non-packaged software makes it difficult to detect potential risks. To address this, we need to build trust through secure development practices, code reviews, and vulnerability scans. Automating builds, ensuring reproducible builds, and generating software bills of materials (SBOMs) are vital steps in securing the software supply chain.

Solutions for Securing the Software Supply Chain at Shopify

At Shopify, we have been working on several initiatives to enhance the security of our software supply chain. We focus on secure development, define build steps with tools like in-toto, perform vulnerability scans using Trivy, generate SBOMs using CycloneDX, and support attestation and validation using Voucher. By adopting these practices and leveraging tools like Falco for threat detection, we aim to build a more resilient and secure supply chain. We also stress the importance of staying updated, using least privilege, and investing in testing through penetration testing and bug bounty programs.
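To make the point about dependencies of dependencies concrete, the following added example (not code from the talk or from Shopify) walks the dependency graph of a CycloneDX-style JSON SBOM, separates direct from transitive components, and reports the import path by which a denylisted package arrives. The SBOM content, the component names other than "fixer", and the function name audit_sbom are assumptions made for illustration.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM; component names and versions are illustrative.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "storefront", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "a", "name": "web-framework", "version": "4.2.0"},
    {"bom-ref": "b", "name": "lint-helper", "version": "2.1.3"},
    {"bom-ref": "c", "name": "fixer", "version": "0.0.9"},
    {"bom-ref": "d", "name": "json-tools", "version": "1.5.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["a", "b"]},
    {"ref": "a", "dependsOn": ["d"]},
    {"ref": "b", "dependsOn": ["c", "d"]}
  ]
}"""

def audit_sbom(sbom, denylist):
    """Return (direct, transitive, findings); findings maps a denied name to its import path."""
    meta = sbom["metadata"]["component"]
    names = {c["bom-ref"]: c["name"] for c in [meta, *sbom.get("components", [])]}
    root = meta["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    parent, queue = {root: None}, deque([root])
    while queue:  # breadth-first walk; the parent map also guards against cycles
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    transitive = set(parent) - direct - {root}
    findings = {}
    for ref in parent:
        name = names.get(ref, ref)
        if name in denylist:
            path = []
            while ref is not None:  # follow parents back to the application root
                path.append(names.get(ref, ref))
                ref = parent[ref]
            findings[name] = path[::-1]
    return ({names.get(r, r) for r in direct}, {names.get(r, r) for r in transitive}, findings)

# The denylist entry is the package name mentioned in the case study above.
DIRECT, TRANSITIVE, FINDINGS = audit_sbom(json.loads(SBOM_JSON), {"fixer"})
```

Here the flagged package never appears among the application's direct dependencies; it is only visible once the SBOM's dependency graph is walked.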

Collaborative Efforts and Progress in the Industry

Securing the software supply chain requires a collective effort from the industry. Engaging with SIGs (Special Interest Groups), TAGs (Technical Advisory Groups), and working groups can provide valuable insights and guidance. Leveraging open-source tools, following best practices, and adhering to cloud provider security benchmarks are also crucial steps. Ongoing industry efforts, such as the CNCF's whitepaper on Supply-chain Levels for Software Artifacts (SLSA), provide valuable frameworks for organizations to assess and improve their supply chain security.




Q1: Why is securing the software supply chain important?
Ensuring the security of the software supply chain is crucial due to the increasing number of attacks targeting dependencies. By securing the supply chain, organizations can mitigate the risks associated with hidden vulnerabilities in third-party code and protect their infrastructure from compromise.

Q2: How can organizations secure their software supply chain?
Organizations can adopt secure development practices, perform vulnerability scans, generate software bills of materials (SBOMs), leverage attestation and validation processes, and use threat detection tools. Additionally, staying updated, implementing least privilege, and conducting regular testing through penetration testing and bug bounty programs are essential steps.

Q3: What are some industry initiatives in securing software supply chains?
Industry initiatives include the establishment of SIGs, TAGs, and working groups to provide guidance and best practices. Open-source tools and frameworks, such as CNCF's SLSA, aim to improve supply chain security. Organizations can also follow cloud provider security benchmarks and collaborate with the industry to address this critical issue.