With Dry January over, we can provide you with another newsletter with increased energy, mental health, and better concentration, which is why the topics for this month are again aimed at increasing your threat modeling capacity.

The TMI line-up for this month:

• This month’s guest article is a contribution by Hashimoto Waturu, on how to evaluate threats and mitigations in supply chain security.
• A Toreon blogposts that will give you some efficient insights on how to optimize notetaking during threat model assessments
• Tips & tricks provides you with yet another useful tool to enhance your workflow.

We are grateful to have the permission to use this guest article pointer in our newsletter, here is a summary with a link to the original Mercari article:

• This blog details our research into attacks and mitigations related to supply chain security, and more practical applications of supply chain security. In our research, we took an approach that leveraged a more concretely defined pipeline model than existing frameworks currently in use.
• We examined the effectiveness of each countermeasure related to supply chain security based on the premise that “the point of attack injection does not necessarily coincide with the point of execution”. In particular, we clarified the limited effectiveness of recently trending countermeasures such as a software bill of materials (SBOM) which are often adopted without much thought given to their actual efficacy as a solution.
• Based on the results of our threat modeling, we proposed the need for a centralized CI pipeline that takes care of operations related to supply chain security through a single point of entry. A centralized CI pipeline can better enforce security requirements to developers, and replace pipelines where responsibility for security ends up delegated to the individual　developers of each component in the pipeline.

I’m Hashimoto Wataru, an intern working in Mercari’s Security Engineering Team.
In this blog post, I’ll be talking about the main topic of my internship at Mercari—supply chain security. Modern software services use many automated processes (CI/CD pipelines). These processes are continuously triggered throughout the development process all the way from developers writing code, to when the software itself is actually built, released, and deployed. These processes are built upon many dependencies both internal and external. Due to these dependencies, supply chain attacks can both directly and indirectly target each step of the pipeline. The number of supply chain attacks has been increasing every year, and the severity and impact of these types of attacks is becoming greater.

Mercari uses a large number of services and various CI/CD tools that have many dependencies, and is by no means immune to these kinds of attacks.

In April 2021, Mercari was directly affected by such an incident due to the compromise of an external code coverage tool included in our CI/CD pipeline. As a result of this incident, we decided to review the security risks related to our supply chain and improve security measures in this area.

>>> Link to the article. <<<

Summary

In this blog, we enumerated various attack methods and mitigations against a concrete pipeline model in order to demonstrate that there is no single perfect measure to ensure supply chain security.

An SBOM is not a silver bullet, and an attestation does not provide an absolute guarantee. Each of these mitigations should be considered to be a single component in a multi-layered defense. That is why it is important to define the necessary requirements clearly and layer your defenses as much as possible. However, this area of research is in its early stages, there are still active discussions, requirements are being reviewed, and related tools are still under development. Therefore, it would be dangerous to blindly trust the proposed frameworks.

It is a necessary and meaningful process to take a fresh look at the pipeline we are using and rethink from the ground up what each of the proposed requirements can and cannot prevent, and how they can be applied and operated in the real world.

Various communities are conducting reviews of supply chain security from their own perspectives. It is our hope that they will complement each other and mutually improve upon each other’s missing perspectives and practicality.

Thank you for reading, if you have any comments or corrections regarding this blog, let us know.

Acknowledgments

This blog was written with the assistance of the Security Engineering team as a product of my security internship at Mercari. In particular, I’m grateful for the support of Hiroki Suezawa who provided me with a lot of knowledge in many of the areas covered in this blog.
Also a special thanks to Takashi Yoneuchi of Flatt Security Inc. who provided us with a great opportunity to discuss overall supply chain security together. Last but not least, thank you to the Mercari CI/CD team who gave me a lot of insight from the perspective of actual operations.

References

• SLSA: Supply Chain Levels for Software Artifacts
• CIS Software Supply Chain Security Guide
• Secure Software Factory, CNCF Security Technical Advisory Group
• Cosign, Sigstore
• Defense Against Novel Threats: Redesigning CI at Mercari, Mercari

Tips & Tricks