Beyond just observing, protecting your whole software supply chain (SEC406)

Introduction

  • Andrew Krug and Zach Allen from Datadog presented on securing the software supply chain.
  • Datadog helps unify DevOps and security teams to identify, triage, and collaborate on security issues across the software stack.

The Evolution of Software Supply Chain Security

  • The concept of software supply chain security dates back to 1984 and a paper by Ken Thompson on the dangers of backdoored executables.
  • Today's software supply chain faces increased technical complexity, language diversity, and a focus on resilience that leads to outdated software running for years.
  • The Linux Foundation's Open Source Security Foundation (OpenSSF) aims to address these challenges.
  • Datadog contributes to the OpenSSF by identifying malicious software packages in the Node.js and Python ecosystems through a project called Guarddog.

Identifying Threats Using Guarddog

  • Guarddog leverages static code analysis to detect malicious patterns in software packages, rather than just vulnerabilities.
  • Since 2022, Guarddog has identified, and Datadog has publicly documented, over 1,700 malicious open-source packages.
  • Zach discussed various attack vectors observed in the software supply chain, including:
    1. Threat actors creating malicious packages and publishing them to package managers.
    2. Compromise of developer accounts to insert malware into legitimate packages.
    3. Targeting developers directly through backdoored job interview repositories.
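
The distinction the talk draws between scanning for known vulnerabilities and scanning for malicious patterns can be made concrete with a small AST-based checker. The following is an added illustration written for this summary, not Guarddog's own rule set or code; the two setup.py sources and the rule names ("exec-base64", "dynamic-exec", "shell-command-in-setup") are constructed for the example.

```python
import ast
from typing import List, Optional, Tuple

# Constructed setup.py contents (not from any real package). The second one
# shows the install-time "decode, then exec" pattern and a shell call that a
# malicious-pattern scanner flags even though no CVE is involved.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="demo", version="1.0", packages=["demo"])
'''

SUSPICIOUS_SETUP = '''
import base64, os
from setuptools import setup
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))  # constructed: decodes to print('hi')
os.system("echo install hook")
setup(name="demo", version="1.0")
'''

DYNAMIC_EXEC = {"exec", "eval"}
SHELL_CALLS = {("os", "system"), ("subprocess", "Popen"),
               ("subprocess", "run"), ("subprocess", "call")}


def _dotted(node: ast.AST) -> Optional[Tuple[str, str]]:
    """Return ('mod', 'attr') for a `mod.attr` expression, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def scan_setup_py(source: str) -> List[str]:
    """Return the rule names triggered by install-time code in a setup.py.

    The source is only parsed, never executed, so the scanner is safe to run
    on untrusted package contents.
    """
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Name) and node.func.id in DYNAMIC_EXEC:
            # exec()/eval() whose argument tree contains a base64 decode call
            decodes = [c for c in ast.walk(node)
                       if isinstance(c, ast.Call)
                       and _dotted(c.func) == ("base64", "b64decode")]
            findings.append("exec-base64" if decodes else "dynamic-exec")
        elif _dotted(node.func) in SHELL_CALLS:
            findings.append("shell-command-in-setup")
    return findings
```

A real scanner would add many more rules (typosquatting names, outbound network calls at install time, obfuscated strings) and run them over every file in the distribution, but the principle is the same: the verdict comes from what the code does, not from a version lookup.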

Protecting Against Supply Chain Threats

  • Datadog's Software Composition Analysis (SCA) product provides visibility into vulnerabilities in an organization's codebase and runtime environment.
  • Datadog's severity scoring system combines CVSSv3 scores with an assessment of the criticality and exploitability of vulnerabilities in the specific environment.
  • Datadog's Exploit Prevention feature can intercept and block known exploit attempts while vulnerabilities are being remediated.
  • Datadog's Cloud Security Management (CSM) product provides visibility into cloud configuration issues that could increase the blast radius of supply chain attacks.
  • Datadog's new open-source "Software Supply Chain Firewall" project leverages Guarddog detections to prevent the installation of malicious packages.

Conclusion

  • Datadog aims to provide a holistic approach to software supply chain security, addressing threats across code, runtime, and cloud environments.
  • The key is to shift left and prevent vulnerabilities from entering the environment, while also having the visibility and context to detect and respond to threats that do make it to production.
  • Datadog encourages collaboration between developers, operations, and security teams to tackle these complex challenges.
