SlideShare a Scribd company logo

What is the Secure Supply Chain and the Current State of the PHP Ecosystem

sparkfabrik
sparkfabrik

In this talk I’ll present the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts. There will be also a demo of the mentioned tools in action to implement a secure supply chain pipeline for your Drupal projects.

Technology
1 of 44
Download to read offline
WHAT IS THE SECURE SOFTWARE SUPPLY CHAIN AND THE CURRENT STATE OF THE PHP ECOSYSTEM
Paolo Mainardi ➔ Co-founder and CTO @Sparkfabrik ➔ Drupal.org profile - Webprofiler module (lussoluca) ➔ Linux Foundation Europe Advisory Member ➔ Blog: paolomainardi.com ➔ linkedin.com/in/paolomainardi ➔ continuousdelivery.social/@paolomainardi ➔ paolo.mainardi@sparkfabrik.com
➔ What is a Software Supply Chain ➔ State of the PHP ecosystem ➔ Threats and mitigations with digital signatures, attestations and SBOM ➔ DEMO THE SESSION
“A supply chain is a network of individuals and companies who are involved in creating a product and delivering it to the consumer”
https://slsa.dev/spec/v0.1/#supply-chain-threats
Application A MODERN DRUPAL APPLICATION
Application A MODERN DRUPAL APPLICATION Dependencies
Application A MODERN DRUPAL APPLICATION Dependencies Operating system
Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL
Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL
Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL Cloud platform
Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL Cloud platform Local or cloud development environment
Application THREATS IN THE SUPPLY CHAIN Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL Local or cloud development environment Cloud platform = ATTACK VECTOR
2020 About 18,000 customers of SolarWinds installed the infected updates, including firms like Microsoft (Cisco, Intel, Deloitte) and top government US agencies like Pentagon, Homeland security, National Nuclear Security etc.
https://www.sonatype.com/state-of-the-software-supply-chain/introduction
https://linuxfoundation.eu/cyber-resilience-act
Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google
STATE OF THE PHP ECOSYSTEM
PHP PACKAGE MANAGEMENT HISTORY 2009 PHP 5.3 and PHP-FIG group Namespaces and PSR-0 autoloading standard 2012 Composer A modern and easy to use package manager, based on top of recent language improvements and ecosystem evolutions. 1999 PEAR - PHP Extension and Application Repository Created by Stig Bakken, with the goal to “provide reusable components, lead innovation in PHP, provide best practices for PHP development and educate developers.” Included in the PHP runtime. 2010 2004 2008 2005
COMPOSER STATS: >300K PACKAGES AND +3.5M VERSIONS
COMPOSER STATS: >2B INSTALLED PACKAGES PER MONTH
COMPOSER BUILT-IN SECURITY PROTECTIONS composer require drupal / core-recommended : 10.1.0 Namespace Library name Only vendor-namespaced packages allowed (eg: NPM allows root packages) Code is always hosted on a git repository, only metadata goes on packagist.org (eg: NPM hosts the code) Version Public packagist.org Custom repositories Composer Repositories are Canonical by default. (no dependency confusion) 1 2 https://blog.packagist.com/preventing-dependency-hijacking packages.drupal.org
THE LATEST SUPPLY CHAIN ATTACKS ON PHP March 29, 2022 PHP Supply Chain Attack on PEAR “In this article we present two bugs, both exploitable for more than 15 years. An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server.” May 3, 2023 Packagist.org maintainer account takeover “An attacker accessed an inactive account on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes” April 29, 2021 PHP Supply Chain Attack on Composer “A critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server” October 4, 2022 Securing Developer Tools: A New Supply Chain Attack on PHP “A new critical vulnerability in similar components. It allowed taking control of the server distributing information about existing PHP software packages, and ultimately compromising every organization that uses them” And counting https://www.sonatype.com/resources/vulnerability-timeline
SO WHAT ? WHERE SHOULD WE START ?
Application Dependencies Operating system
Application Dependencies Operating system OCI Image - https://opencontainers.org Dev environments ➔ A way to define application and system dependencies in a reproducible way with ➔ Dockerfile ➔ A standard and agnostic artifact to deploy on Kubernetes, Lambda, Cloud Run etc… ➔ Cloud native tooling (SBOM, Signatures etc..)
OCI IMAGES DEEP-DIVE
OCI stands for Open Container Initiative. OCI defines the specifications and standards for container technologies (Runtime, Image and Distribution spec). Container registries can be also used to store other kind of artifacts (like Helm charts) or just any arbitrary files.
What is the trusting model behind a Container Image, or in general, a digital artifact? How can i be sure that what I’m running is coming from a trusted source?
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf 1984
SECURE SOFTWARE SUPPLY CHAIN CHECKLIST ✅ Who built it, when and how (Signatures and Provenance Attestations) ✅ The list of things who made the artifact (SBOM - Software Bill of Material)
DIGITAL SIGNATURES 101 Integrity Ensure the data signed was not altered. Authenticity Attest that the data was sent by the signer. Non-repudiation Ensure that the signer cannot deny the authenticity of the signature.
Managing keys is hard Distribution, Storage, Compromise
DIGITAL SIGNATURES - SIGSTORE Sigstore is an OSS project under the umbrella of OpenSSF foundation. Fast growing community and mainstream adopted Used in Kubernetes and many other big vendors (Github, Rubygems, Arch Linux etc..)
DIGITAL SIGNATURES - SIGSTORE Keyless signing of any software artifact Signatures metadata are stored in a public tamper-resistant log Signatures are stored alongside images in OCI registry
SBOM: SOFTWARE BILL OF MATERIALS A list of “ingredients” for a software artifact Can be used for: ➔ Vulnerability scanning ➔ Software transparency ➔ License policy ➔ Find abandoned dependencies
SBOM FOR CONTAINERS Creating a SBOM for an artifact is a complex problem Dependencies live at different levels: ➔ Operating system (Windows, Debian, Alpine etc…) ➔ Operating system dependencies (RPM, DEB, APK, PKG…) ➔ Application dependencies (Composer, NPM, Rubygems, Pypi, etc…) ➔ Static binaries and their dependencies (Go, Rust etc…)
SBOM - Tools $ docker sbom
DEMO
DruBOM - Drupal Bill of Materials https://www.drupal.org/project/drubom DruBom is an Drupal module for generating a Software Bill of Materials (SBOM) from a Drupal installation. It is still a work in progress, any contribution is welcome: Syft integration, betters scanning and data reporting, more SBOM formats, CI, tests, $you name it
Join us for contribution opportunities 17-20 October, 2023 Room 4.1 & 4.2 Mentored Contribution First Time Contributor Workshop General Contribution #DrupalContributions 17 - 20 October: 9:00 - 18:00 Room 4.1 17 October: 17:15 - 18:00 Room 2.4 18 October : 10:30 - 11:15 Room 2.4 20 October : 09:00 - 12:30 Room 4.2 20 October : 09:00 – 18:00 Room 4.2
Takeaways ➔ OCI Containers as a single unit of deployment ➔ Digital Signatures with Sigstore and SBOM ➔ DruBOM module - Drupal Bill of Materials ➔ * Automate your dependencies management with Github DependaBot or RenovateBot for all other platforms. ➔ * Add Drupal Security Advisories for Composer to your composer.json
What did you think? Please fill in this session survey directly from the Mobile App.

Recommended

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitMarco Ferrigno
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps ParadigmNaLUG
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017Patrick Chanezon
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudsparkfabrik
 
Common primitives in Docker environments
Common primitives in Docker environmentsCommon primitives in Docker environments
Common primitives in Docker environmentsalexandru giurgiu
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 

Recommended

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitMarco Ferrigno
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps ParadigmNaLUG
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017Patrick Chanezon
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudsparkfabrik
 
Common primitives in Docker environments
Common primitives in Docker environmentsCommon primitives in Docker environments
Common primitives in Docker environmentsalexandru giurgiu
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Arun prasath
 
CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018Krishna-Kumar
 
Containerizing legacy applications
Containerizing legacy applicationsContainerizing legacy applications
Containerizing legacy applicationsAndrew Kirkpatrick
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
DevOps-Roadmap
DevOps-RoadmapDevOps-Roadmap
DevOps-RoadmapBnhNguynHuy1
 
Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015Microsoft
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiryVishwas N
 
8 good reasons to learn docker
8 good reasons to learn docker8 good reasons to learn docker
8 good reasons to learn dockerprabhasathya
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
PHP Buildpacks in the Cloud on Bluemix
PHP Buildpacks in the Cloud on BluemixPHP Buildpacks in the Cloud on Bluemix
PHP Buildpacks in the Cloud on BluemixIBM
 
Cloud Foundry for PHP developers
Cloud Foundry for PHP developersCloud Foundry for PHP developers
Cloud Foundry for PHP developersDaniel Krook
 
HPC Cloud Burst Using Docker
HPC Cloud Burst Using DockerHPC Cloud Burst Using Docker
HPC Cloud Burst Using DockerIRJET Journal
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
DockerDay2015: Keynote
DockerDay2015: KeynoteDockerDay2015: Keynote
DockerDay2015: KeynoteDocker-Hanoi
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS
 
Docker - BWI Innovation Talk
Docker - BWI Innovation TalkDocker - BWI Innovation Talk
Docker - BWI Innovation TalkTimm Heuss
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsJules Pierre-Louis
 
CI/CD Pipeline with Docker
CI/CD Pipeline with DockerCI/CD Pipeline with Docker
CI/CD Pipeline with Dockerkushalsingh007
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionSergey Sotnikov
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetessparkfabrik
 
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...sparkfabrik
 
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirtIAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirtsparkfabrik
 

More Related Content

Similar to What is the Secure Supply Chain and the Current State of the PHP Ecosystem

Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Arun prasath
 
CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018Krishna-Kumar
 
Containerizing legacy applications
Containerizing legacy applicationsContainerizing legacy applications
Containerizing legacy applicationsAndrew Kirkpatrick
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015Microsoft
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiryVishwas N
 
8 good reasons to learn docker
8 good reasons to learn docker8 good reasons to learn docker
8 good reasons to learn dockerprabhasathya
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
PHP Buildpacks in the Cloud on Bluemix
PHP Buildpacks in the Cloud on BluemixPHP Buildpacks in the Cloud on Bluemix
PHP Buildpacks in the Cloud on BluemixIBM
 
Cloud Foundry for PHP developers
Cloud Foundry for PHP developersCloud Foundry for PHP developers
Cloud Foundry for PHP developersDaniel Krook
 
HPC Cloud Burst Using Docker
HPC Cloud Burst Using DockerHPC Cloud Burst Using Docker
HPC Cloud Burst Using DockerIRJET Journal
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
DockerDay2015: Keynote
DockerDay2015: KeynoteDockerDay2015: Keynote
DockerDay2015: KeynoteDocker-Hanoi
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS
 
Docker - BWI Innovation Talk
Docker - BWI Innovation TalkDocker - BWI Innovation Talk
Docker - BWI Innovation TalkTimm Heuss
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsJules Pierre-Louis
 
CI/CD Pipeline with Docker
CI/CD Pipeline with DockerCI/CD Pipeline with Docker
CI/CD Pipeline with Dockerkushalsingh007
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionSergey Sotnikov
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetessparkfabrik
 

Similar to What is the Secure Supply Chain and the Current State of the PHP Ecosystem (20)

Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
 
CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018CNCF Introduction - Feb 2018
CNCF Introduction - Feb 2018
 
Containerizing legacy applications
Containerizing legacy applicationsContainerizing legacy applications
Containerizing legacy applications
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
DevOps-Roadmap
DevOps-RoadmapDevOps-Roadmap
DevOps-Roadmap
 
Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015
 
Machine learning in cybersecutiry
Machine learning in cybersecutiryMachine learning in cybersecutiry
Machine learning in cybersecutiry
 
8 good reasons to learn docker
8 good reasons to learn docker8 good reasons to learn docker
8 good reasons to learn docker
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
PHP Buildpacks in the Cloud on Bluemix
PHP Buildpacks in the Cloud on BluemixPHP Buildpacks in the Cloud on Bluemix
PHP Buildpacks in the Cloud on Bluemix
 
Cloud Foundry for PHP developers
Cloud Foundry for PHP developersCloud Foundry for PHP developers
Cloud Foundry for PHP developers
 
HPC Cloud Burst Using Docker
HPC Cloud Burst Using DockerHPC Cloud Burst Using Docker
HPC Cloud Burst Using Docker
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWS
 
DockerDay2015: Keynote
DockerDay2015: KeynoteDockerDay2015: Keynote
DockerDay2015: Keynote
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
 
Docker - BWI Innovation Talk
Docker - BWI Innovation TalkDocker - BWI Innovation Talk
Docker - BWI Innovation Talk
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical Solutions
 
CI/CD Pipeline with Docker
CI/CD Pipeline with DockerCI/CD Pipeline with Docker
CI/CD Pipeline with Docker
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
 

More from sparkfabrik

20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...sparkfabrik
 
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirtIAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirtsparkfabrik
 
2023 - Drupalcon - How Drupal builds your pages
2023 - Drupalcon - How Drupal builds your pages2023 - Drupalcon - How Drupal builds your pages
2023 - Drupalcon - How Drupal builds your pagessparkfabrik
 
2023 - TAC23 - Agile HR - Racconti dal fronte
2023 - TAC23 - Agile HR - Racconti dal fronte2023 - TAC23 - Agile HR - Racconti dal fronte
2023 - TAC23 - Agile HR - Racconti dal frontesparkfabrik
 
UX e Web sostenibile (UXday 2023).pdf
UX e Web sostenibile (UXday 2023).pdfUX e Web sostenibile (UXday 2023).pdf
UX e Web sostenibile (UXday 2023).pdfsparkfabrik
 
KCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with CrossplaneKCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with Crossplanesparkfabrik
 
Come Drupal costruisce le tue pagine
Come Drupal costruisce le tue pagineCome Drupal costruisce le tue pagine
Come Drupal costruisce le tue paginesparkfabrik
 
Drupal 10: un framework PHP di sviluppo Cloud Native moderno
Drupal 10: un framework PHP di sviluppo Cloud Native modernoDrupal 10: un framework PHP di sviluppo Cloud Native moderno
Drupal 10: un framework PHP di sviluppo Cloud Native modernosparkfabrik
 
Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)
Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)
Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)sparkfabrik
 
Do you know what your Drupal is doing_ Observe it!
Do you know what your Drupal is doing_ Observe it!Do you know what your Drupal is doing_ Observe it!
Do you know what your Drupal is doing_ Observe it!sparkfabrik
 
Progettare e sviluppare soluzioni serverless con AWS
Progettare e sviluppare soluzioni serverless con AWSProgettare e sviluppare soluzioni serverless con AWS
Progettare e sviluppare soluzioni serverless con AWSsparkfabrik
 
From React to React Native - Things I wish I knew when I started
From React to React Native - Things I wish I knew when I startedFrom React to React Native - Things I wish I knew when I started
From React to React Native - Things I wish I knew when I startedsparkfabrik
 
Headless Drupal: A modern approach to (micro)services and APIs
Headless Drupal: A modern approach to (micro)services and APIsHeadless Drupal: A modern approach to (micro)services and APIs
Headless Drupal: A modern approach to (micro)services and APIssparkfabrik
 
Cloud-Native Drupal: a survival guide
Cloud-Native Drupal: a survival guideCloud-Native Drupal: a survival guide
Cloud-Native Drupal: a survival guidesparkfabrik
 
Mobile Development: una introduzione per Web Developers
Mobile Development: una introduzione per Web DevelopersMobile Development: una introduzione per Web Developers
Mobile Development: una introduzione per Web Developerssparkfabrik
 
Retro gaming machine made with Javascript and Kubernetes
Retro gaming machine made with Javascript and Kubernetes Retro gaming machine made with Javascript and Kubernetes
Retro gaming machine made with Javascript and Kubernetes sparkfabrik
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes waysparkfabrik
 
Applicazioni Serverless con AWS
Applicazioni Serverless con AWSApplicazioni Serverless con AWS
Applicazioni Serverless con AWSsparkfabrik
 
GitOps: Git come unica fonte di verità per applicazioni e infrastruttura
GitOps: Git come unica fonte di verità per applicazioni e infrastrutturaGitOps: Git come unica fonte di verità per applicazioni e infrastruttura
GitOps: Git come unica fonte di verità per applicazioni e infrastrutturasparkfabrik
 
The path to a serverless-native era with Kubernetes
The path to a serverless-native era with KubernetesThe path to a serverless-native era with Kubernetes
The path to a serverless-native era with Kubernetessparkfabrik
 

More from sparkfabrik (20)

20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
 
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirtIAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
IAD 2023 - 22 Years of Agile and all I got is this lousy t-shirt
 
2023 - Drupalcon - How Drupal builds your pages
2023 - Drupalcon - How Drupal builds your pages2023 - Drupalcon - How Drupal builds your pages
2023 - Drupalcon - How Drupal builds your pages
 
2023 - TAC23 - Agile HR - Racconti dal fronte
2023 - TAC23 - Agile HR - Racconti dal fronte2023 - TAC23 - Agile HR - Racconti dal fronte
2023 - TAC23 - Agile HR - Racconti dal fronte
 
UX e Web sostenibile (UXday 2023).pdf
UX e Web sostenibile (UXday 2023).pdfUX e Web sostenibile (UXday 2023).pdf
UX e Web sostenibile (UXday 2023).pdf
 
KCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with CrossplaneKCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with Crossplane
 
Come Drupal costruisce le tue pagine
Come Drupal costruisce le tue pagineCome Drupal costruisce le tue pagine
Come Drupal costruisce le tue pagine
 
Drupal 10: un framework PHP di sviluppo Cloud Native moderno
Drupal 10: un framework PHP di sviluppo Cloud Native modernoDrupal 10: un framework PHP di sviluppo Cloud Native moderno
Drupal 10: un framework PHP di sviluppo Cloud Native moderno
 
Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)
Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)
Do you know what your Drupal is doing Observe it! (DrupalCon Prague 2022)
 
Do you know what your Drupal is doing_ Observe it!
Do you know what your Drupal is doing_ Observe it!Do you know what your Drupal is doing_ Observe it!
Do you know what your Drupal is doing_ Observe it!
 
Progettare e sviluppare soluzioni serverless con AWS
Progettare e sviluppare soluzioni serverless con AWSProgettare e sviluppare soluzioni serverless con AWS
Progettare e sviluppare soluzioni serverless con AWS
 
From React to React Native - Things I wish I knew when I started
From React to React Native - Things I wish I knew when I startedFrom React to React Native - Things I wish I knew when I started
From React to React Native - Things I wish I knew when I started
 
Headless Drupal: A modern approach to (micro)services and APIs
Headless Drupal: A modern approach to (micro)services and APIsHeadless Drupal: A modern approach to (micro)services and APIs
Headless Drupal: A modern approach to (micro)services and APIs
 
Cloud-Native Drupal: a survival guide
Cloud-Native Drupal: a survival guideCloud-Native Drupal: a survival guide
Cloud-Native Drupal: a survival guide
 
Mobile Development: una introduzione per Web Developers
Mobile Development: una introduzione per Web DevelopersMobile Development: una introduzione per Web Developers
Mobile Development: una introduzione per Web Developers
 
Retro gaming machine made with Javascript and Kubernetes
Retro gaming machine made with Javascript and Kubernetes Retro gaming machine made with Javascript and Kubernetes
Retro gaming machine made with Javascript and Kubernetes
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
Applicazioni Serverless con AWS
Applicazioni Serverless con AWSApplicazioni Serverless con AWS
Applicazioni Serverless con AWS
 
GitOps: Git come unica fonte di verità per applicazioni e infrastruttura
GitOps: Git come unica fonte di verità per applicazioni e infrastrutturaGitOps: Git come unica fonte di verità per applicazioni e infrastruttura
GitOps: Git come unica fonte di verità per applicazioni e infrastruttura
 
The path to a serverless-native era with Kubernetes
The path to a serverless-native era with KubernetesThe path to a serverless-native era with Kubernetes
The path to a serverless-native era with Kubernetes
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

What is the Secure Supply Chain and the Current State of the PHP Ecosystem

  • 1. WHAT IS THE SECURE SOFTWARE SUPPLY CHAIN AND THE CURRENT STATE OF THE PHP ECOSYSTEM
  • 2. Paolo Mainardi ➔ Co-founder and CTO @Sparkfabrik ➔ Drupal.org profile - Webprofiler module (lussoluca) ➔ Linux Foundation Europe Advisory Member ➔ Blog: paolomainardi.com ➔ linkedin.com/in/paolomainardi ➔ continuousdelivery.social/@paolomainardi ➔ paolo.mainardi@sparkfabrik.com
  • 3. ➔ What is a Software Supply Chain ➔ State of the PHP ecosystem ➔ Threats and mitigations with digital signatures, attestations and SBOM ➔ DEMO THE SESSION
  • 4. “A supply chain is a network of individuals and companies who are involved in creating a product and delivering it to the consumer”
  • 7. Application A MODERN DRUPAL APPLICATION Dependencies
  • 8. Application A MODERN DRUPAL APPLICATION Dependencies Operating system
  • 9. Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL
  • 10. Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL
  • 11. Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL Cloud platform
  • 12. Application A MODERN DRUPAL APPLICATION Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL Cloud platform Local or cloud development environment
  • 13. Application THREATS IN THE SUPPLY CHAIN Dependencies Operating system CI/CD Pipeline INTERNAL EXTERNAL Local or cloud development environment Cloud platform = ATTACK VECTOR
  • 14. 2020 About 18,000 customers of SolarWinds installed the infected updates, including firms like Microsoft (Cisco, Intel, Deloitte) and top government US agencies like Pentagon, Homeland security, National Nuclear Security etc.
  • 16.
  • 18. Keynote: The Next Steps in Software Supply Chain Security - Brandon Lum, Software Engineer, Google
  • 19. STATE OF THE PHP ECOSYSTEM
  • 20. PHP PACKAGE MANAGEMENT HISTORY 2009 PHP 5.3 and PHP-FIG group Namespaces and PSR-0 autoloading standard 2012 Composer A modern and easy to use package manager, based on top of recent language improvements and ecosystem evolutions. 1999 PEAR - PHP Extension and Application Repository Created by Stig Bakken, with the goal to “provide reusable components, lead innovation in PHP, provide best practices for PHP development and educate developers.” Included in the PHP runtime. 2010 2004 2008 2005
  • 21. COMPOSER STATS: >300K PACKAGES AND +3.5M VERSIONS
  • 22. COMPOSER STATS: >2B INSTALLED PACKAGES PER MONTH
  • 23. COMPOSER BUILT-IN SECURITY PROTECTIONS composer require drupal / core-recommended : 10.1.0 Namespace Library name Only vendor-namespaced packages allowed (eg: NPM allows root packages) Code is always hosted on a git repository, only metadata goes on packagist.org (eg: NPM hosts the code) Version Public packagist.org Custom repositories Composer Repositories are Canonical by default. (no dependency confusion) 1 2 https://blog.packagist.com/preventing-dependency-hijacking packages.drupal.org
  • 24. THE LATEST SUPPLY CHAIN ATTACKS ON PHP March 29, 2022 PHP Supply Chain Attack on PEAR “In this article we present two bugs, both exploitable for more than 15 years. An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server.” May 3, 2023 Packagist.org maintainer account takeover “An attacker accessed an inactive account on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes” April 29, 2021 PHP Supply Chain Attack on Composer “A critical vulnerability in the source code of Composer which is used by Packagist. It allowed us to execute arbitrary system commands on the Packagist.org server” October 4, 2022 Securing Developer Tools: A New Supply Chain Attack on PHP “A new critical vulnerability in similar components. It allowed taking control of the server distributing information about existing PHP software packages, and ultimately compromising every organization that uses them” And counting https://www.sonatype.com/resources/vulnerability-timeline
  • 25. SO WHAT ? WHERE SHOULD WE START ?
  • 27. Application Dependencies Operating system OCI Image - https://opencontainers.org Dev environments ➔ A way to define application and system dependencies in a reproducible way with ➔ Dockerfile ➔ A standard and agnostic artifact to deploy on Kubernetes, Lambda, Cloud Run etc… ➔ Cloud native tooling (SBOM, Signatures etc..)
  • 29. OCI stands for Open Container Initiative. OCI defines the specifications and standards for container technologies (Runtime, Image and Distribution spec). Container registries can be also used to store other kind of artifacts (like Helm charts) or just any arbitrary files.
  • 30. What is the trusting model behind a Container Image, or in general, a digital artifact? How can i be sure that what I’m running is coming from a trusted source?
  • 32. SECURE SOFTWARE SUPPLY CHAIN CHECKLIST ✅ Who built it, when and how (Signatures and Provenance Attestations) ✅ The list of things who made the artifact (SBOM - Software Bill of Material)
  • 33. DIGITAL SIGNATURES 101 Integrity Ensure the data signed was not altered. Authenticity Attest that the data was sent by the signer. Non-repudiation Ensure that the signer cannot deny the authenticity of the signature.
  • 34. Managing keys is hard Distribution, Storage, Compromise
  • 35. DIGITAL SIGNATURES - SIGSTORE Sigstore is an OSS project under the umbrella of OpenSSF foundation. Fast growing community and mainstream adopted Used in Kubernetes and many other big vendors (Github, Rubygems, Arch Linux etc..)
  • 36. DIGITAL SIGNATURES - SIGSTORE Keyless signing of any software artifact Signatures metadata are stored in a public tamper-resistant log Signatures are stored alongside images in OCI registry
  • 37. SBOM: SOFTWARE BILL OF MATERIALS A list of “ingredients” for a software artifact Can be used for: ➔ Vulnerability scanning ➔ Software transparency ➔ License policy ➔ Find abandoned dependencies
  • 38. SBOM FOR CONTAINERS Creating a SBOM for an artifact is a complex problem Dependencies live at different levels: ➔ Operating system (Windows, Debian, Alpine etc…) ➔ Operating system dependencies (RPM, DEB, APK, PKG…) ➔ Application dependencies (Composer, NPM, Rubygems, Pypi, etc…) ➔ Static binaries and their dependencies (Go, Rust etc…)
  • 39. SBOM - Tools $ docker sbom
  • 40. DEMO
  • 41. DruBOM - Drupal Bill of Materials https://www.drupal.org/project/drubom DruBom is an Drupal module for generating a Software Bill of Materials (SBOM) from a Drupal installation. It is still a work in progress, any contribution is welcome: Syft integration, betters scanning and data reporting, more SBOM formats, CI, tests, $you name it
  • 42. Join us for contribution opportunities 17-20 October, 2023 Room 4.1 & 4.2 Mentored Contribution First Time Contributor Workshop General Contribution #DrupalContributions 17 - 20 October: 9:00 - 18:00 Room 4.1 17 October: 17:15 - 18:00 Room 2.4 18 October : 10:30 - 11:15 Room 2.4 20 October : 09:00 - 12:30 Room 4.2 20 October : 09:00 – 18:00 Room 4.2
  • 43. Takeaways ➔ OCI Containers as a single unit of deployment ➔ Digital Signatures with Sigstore and SBOM ➔ DruBOM module - Drupal Bill of Materials ➔ * Automate your dependencies management with Github DependaBot or RenovateBot for all other platforms. ➔ * Add Drupal Security Advisories for Composer to your composer.json
  • 44. What did you think? Please fill in this session survey directly from the Mobile App.