Is supply chain security harder than it needs to be?

Cowboy lassoing a bunch of robots

Many developers just want to ship their features. “Ok, that’s fine, but do it safely,” we say. But what does safely mean?  Do the developers know what to do?  If they know what to do, do they know how to do it?  If they know how to do it, do they have the time to do it?  What if they know how to do it, but their coding agent doesn’t?


What are we asking, is it all that much?  It’s just: scan for vulns, run linters, ship an SBOM, have tests, update your dependencies frequently - but not too frequently, use SLSA, verify the package, did you remember to check that your build caching strategy is safe?  Are you using trusted publishing? Did you remember to turn off the manual flows?  Did you remember to remove pull_request_target?


That’s not a complete list.  Even if it were a complete list today, it wouldn’t be the same list tomorrow. The attackers are always finding another way in, and the people working in supply chain security are doing amazing work coming up with great tools to defend against these evolving attacks.  The problem though is that our users don’t go to the conferences. They don’t follow the blogs. They don’t know about the new tools.  They don’t know about the new attack. And they don’t know how to fix it.


What if we gave developers one thing to adopt?  What if that thing helped them ship the features they want, following today’s best practices, and promising updates as those best practices change? Could that provide better overall supply chain security and an easier development experience? Those are the questions I’m trying to answer with Wrangle.


Wrangle is an easy to adopt reusable GitHub workflow that uses some of the great security tools we already have available.  It runs your tests, builds your package, helps you publish, and it does so while blocking pull_request_target in its builds, scanning for vulns with OSV, looking for CI/CD footguns with Zizmor, generating SBOMs with Syft, securing the build with SLSA, and verifying everything happened the way it should with Ampel.  As new tools come up, they can be added to Wrangle and adopters get them with a simple Dependabot bump.


These aren’t theoretical protections either. Blocking pull_request_target would have prevented Ultralytics.  Warning about tag-pinned actions might have prevented tj-actions/changed-files.  Using a true SLSA Build L3 builder would shut down the cache abuse vector used in Mini Shai-Hulud. Vuln scanning flags your dependencies once the compromise is disclosed.


Of course, Wrangle won’t stop everything. It wouldn’t have caught the XZ backdoor, where an attacker spent years social-engineering a maintainer’s trust. It’s also just a proof-of-concept: the point wasn’t to ship it to users, but to find out whether a safe and easy path could be built at all. Some of the friction that’s left, like setting up and using trusted publishing, is upstream, and suggests other improvements outside the CI/CD system proper. No one’s given Wrangle a real security review yet. The only eyes on it are mine, so be careful and send feedback :)


What I wanted to know when building Wrangle was whether supply chain security has to be this hard, whether we could ask less of developers and be more secure. It seems like we can.


You can find Wrangle on GitHub. Please try it, poke holes in it, open an issue or send a PR. Above all, I'd love to hear what you think. Find me on Mastodon: @inyourbits@infosec.exchange.

Popular posts from this blog

Extending Existing Android Applications - Part One

Image
There are a couple tutorials out there that show you how to reverse engineer Android applications.  Usually these leave you with smali files which you can modify and recompile or they leave you with a .jar file that you can browse with a Java decompiler.  Both of these methods leave something to be desired, namely; a good environment for writing new code. Smali files are a reliable representation of the code, but they're hard to use and they don't integrate with Eclipse and the typical development environment an Android developer is used to.  Generating a jar file is more desirable.  Of course, we need more than just the jar to compile the app; we also need its resources and the android manifest. Most tutorials focus on either apktool to get the smali files and the resources or dex2jar to get a jar file which can then be decompiled.  Here I'm going to demonstrate how to use both apktool and dex2jar together with Eclipse to reverse and then extend an And...
Read more

Extending Existing Android Applications - Part Two

Image
In the last post I explained how to pull an Android APK apart and get it set up in Eclipse and ready for development.  In this post I'll explain how we can modify the app, making both simple modifications as well as actually changing the code to add a new activity. Prerequisites: JDGui - a Java decompilier 7zip (optional) Modify Images: This is a very simple tweak, but a good starting place.  When apktool took the APK apart it extracted all the images as well and stuck them in Eclipse.  They're found under res/drawable-*.  You can modify or replace them as you see fit, just change the file. Modify Strings: Somewhat more interesting is modifying the strings that are displayed or used.  This could be useful if, for example, you wanted to direct an application to a different URL than one it was originally programmed to contact.  Almost all of the strings in the code should be located in res/values/strings.xml.  Double click the st...
Read more

ABA: Arduino + Bluetooth + Android

Image
The Bluetooth module for my Arduino (the JY-MCU) arrived a few weeks ago.  It was really inexpensive ($8.20), but took a long time to ship (3 weeks or so).  I picked it up from Deal Extreme ( http://dx.com/p/jy-mcu-arduino-bluetooth-wireless-serial-port-module-104299 ). Connecting I followed some of the instructions from http://www.hobbycomponents.com/index.php?route=product/product&product_id=116  that showed I had to connect VCC to the 5V pin, Ground to Ground (duh), the Bluetooth module's TXD to Arduino pin D10, and the Bluetooth module's RXD to Arduino pin D11.  In the end it looked like this: Be sure you hook it up correctly! One of the disadvantages of this Bluetooth module is that it apparently doesn't have any power protection.  So you could easily short it out and release the magic smoke. Once it was powered on I was able to scan for it using my Android phone and pair with the Bluetooth module (It shows up as 'linvor' and the pairing code...
Read more