Open scovetta opened 3 years ago
Suggestion from EdOverflow on Slack:
The "Account Hijacking" threat could include publisher email domains expiring: https://thehackerblog.com/zero-days-without-incident-compromising-angular-via-expired-npm-publisher-email-domains-7kZplW4x/ & https://arxiv.org/pdf/2112.10165.pdf.
hey, Michael sorry - is there a link to the original paper? Without having reviewed it, I'd be happy to contribute - I think we want to take a look at however it's organized around "people. process, technology" too. There seems to be more noise as of late about OS licensing problems, as an example.
MFA Fatigue Attack
Credential stuffing attacks on package index platforms
Do we feel we've struck the right balance between pointing out risks but not being overly alarmist?
According to Sonatype and ENISA data, we have - probably - identified correct risks in the open-source supply chain, but without spreading awareness to mitigate the impact.
"And according to Mandiant supply chain compromises were the second most prevalent initial infection vector identified in 2021. Furthermore, they also account for 17% of the intrusions in 2021 compared to less than 1% in 2020." (Enisa)
Even if OpenSSF is trying to build and spread a set of tools, standards, specifications, and best practices, their adoption is not enough widespread, yet. My2c :)
@jstclair2019 In MD format: Threats, Risks, and Mitigations in the Open Source Ecosystem.md
Perfect @luigigubello Thank you! I'm digging into the PDF ATM.
Think about including AI/ML -specific threats as they relate to the rest of the topics.
So:
Next step:
Does the list of threats include all of the threats mentioned in the SBOMit presentation especially the diagram on page 5?
The VCS to source code artifact to build system path is particularly opaque and narrow. Did the bits from the VCS content truly arrive at the build system unchanged? Does the signature of the contents in the VCS truly correspond to the signature of the contents in the VCS or adjusted to match the potentially modified contents that will be downloaded?
@edelsohn sorry for my slow response 🙌 I try to reply your questions :) the document "Threats, Risks, and Mitigations in the Open Source Ecosystem" tries to cover as many scenarios as possible in all the steps required to deliver an open-source project. The steps (see this chart) covered by the doc seem to be more or less the same of slide #4 in SBOMit presentation.
Even if this document (v1.1) is not focused only on one specific solution (e.g. SBOM), I think various threats and risks - related to slide #5 of the SBOMit presentation - are described in the section "Package Consumption Phase", and in the updated version (v1.2), we have introduced new threat models (e.g. dependency confusion attack). We have also introduced a new section "Healthy and Integrity Checks" where we suggest some open-source tools, specifications, and standards to streghten the integrity checks. Where a specific check can happen depends on the project's infrastructure and procedures, so in the document - in some particular security topics (e.g. DevSecOps) - we link to external sources. If you think we should focus more on some specific threat models and go deeper, feel free to suggest some examples and I will try to write a new section or integrate an existing one :)
Some sources: