by __jf__ on 12/2/20, 5:16 PM with 0 comments
The first in the technical domain: a pentest finding in a previous project. We were using pip with requirements.txt files. Since this doesn’t include Python package hashes a compromised mirror or DNS poisoning could lead to malicious code being executed in our build pipeline. Recommendation was to move to pyenv and a Pipfile.lock because it does support hashes and also provides deterministic dependencies.
The 2nd is a fascinating example in the administrative domain that I stumbled upon while looking for something else. It’s NASA Glenn Research Center trying to perform Country of Origin Verification of OSS software. Apparently the Octave [0], Cygwin [1] and GIMP [2] mailing lists were fortunate enough to be included in this process. Given the timespan between the posts this seems to be taken rather seriously. I also found the likely reason in [3]: since 2019 they have a new supply chain risk management proces. Slide 10 gives some additional background.
Can you share how supply chain risks are mitigated in your organization by either technical and/or administrative controls?
[0] https://octave.1599824.n4.nabble.com/Country-of-Origin-Verification-3144-td4696407.html
[1] http://cygwin.1069669.n5.nabble.com/Country-Of-Origin-Verification-8944-td152055.html
[2] https://www.talkend.net/post/75432.html
[3] https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/9MayAM1.2_NASA_SSCA_May_9th.pdf