OWASP / www-project-proactive-controls


Missing concept: supply chain security #36

Open naugtur opened 2 months ago

naugtur commented 2 months ago

Modern web development is most commonly done by composing an application from open-source dependencies.

I suppose most of the supply chain mitigations are not proactive and that's why they're not here yet, but a proactive approach to supply-chain security is possible and emerging.

Some aspects of Content-Security-Policy are relevant to this. Similarly, Node.js and Deno offer means to limit access to powerful APIs on the process level in case malicious code gets pulled into an app from dependencies.

Using tools that inject themselves early in the process and often don't rely on known vulnerability databases (e.g. socket.dev).

Even more proactively, runtime protections can be introduced - see LavaMoat Introduction to the concepts: https://www.w3.org/2023/03/secure-the-web-forward/talks/hardened-supply-chain.html

I'd be interested to contribute to this site if some guidance is provided.

RichardoC commented 2 months ago

This sounds like it fits well with https://github.com/OWASP/www-project-proactive-controls/blob/master/v4/en/c6-use-secure-dependencies.md and maybe just needs to be added there?

naugtur commented 2 months ago

Happy to contribute there. Is the target audience or any sort of policy on what can be included in recommendations written down somewhere?

I'd like to contribute a section focusing on defending against malware in the supply chain. It's not strictly about keeping your components/dependencies secure but about staying secure in the face of threats from 3rd-party components. I still think it could fit into the doc you suggested, but it may require a new section.

Thoughts?

andreashappe commented 2 months ago

Hi @naugtur,

regarding target audience: yes, this is web-centric so typical web languages would be preferred. Mentioning OSS tools is also preferred, we have a "Tools" Section that is well suited for that. I am not against mentioning commercial tools, but the document should not be used as means of advertisement (so always mention OSS tools if feasible IMHO).

In the controls we have a "Description" (generic) and "Implementation" (more about what to do) section, the line between them is currently blurry. Feel free to add a new "### section" to either (or both) of them with your topic.

cheers, Andreas