# SBOM

## The inescapable way of tracking dependencies

---

## Whoami

[https://rewanthtammana.com/](https://rewanthtammana.com/)

Rewanth Tammana is a security ninja, open-source contributor & full-time freelancer. Previously, Senior Security Architect at Emirates NBD. Passionate about DevSecOps, Application, and Container Security. Added 17,000+ lines of code to Nmap. Holds industry certifications like CKS, CKA, etc.

---

## Whoami

[https://twitter.com/rewanthtammana](https://twitter.com/rewanthtammana)

Speaker & trainer at international security conferences worldwide including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others.

---

### What to expect

SBOMs - The WHY, WHAT & HOW

---

### The WHY

---

### Recent hacks

Borrowing some slides from my Gitex@Dubai presentation

---

### Faker & Colors JS

Dev corrupts NPM libs 'colors' and 'faker', breaking thousands of apps

![](https://i.imgur.com/ZGi0jxA.png)

[Reference](https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/)

---

### Faker weekly downloads

![Faker-Downloads](https://i.imgur.com/BkrXzT3.png)

---

### Colors weekly downloads

![Colors-Downloads](https://i.imgur.com/W7Q0qLB.png)

---

### Faker dependents

![Faker-Dependents](https://i.imgur.com/MjtBJO9.png)

---

### Colors dependents

![Colors-Dependents](https://i.imgur.com/5TB5Mo2.png)

---

#### ssh-decorate python library backdoored to steal SSH creds

![Backdoored-python-library](https://i.imgur.com/aP8pIlW.png =800x450)

[Reference](https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/)

---

### Typo-squatting

A form of brandjacking that relies on mistakes, such as typos, made by Internet users when typing a name (here, a package name)

---

#### PyPI Colourama hijacks Clipboard

The 'colourama' package is typo-squatting the popular PyPI package 'colorama'.
<!-- ![color-diff](https://i.imgur.com/10vSxoj.png) -->

![horizontal-diff](https://i.imgur.com/sN8mAXY.png)

The malicious package contains a malware dropper that implements a cryptocurrency clipboard hijacker written in VBScript.

[Reference](https://bertusk.medium.com/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8)

---

#### PyPI Colourama hijacks Clipboard

If the script detects anything on the clipboard that resembles a Bitcoin address, it replaces it with a Bitcoin address under the attacker's control.

![bitcoin-address](https://i.imgur.com/XPbiQHh.png)

[Reference](https://bertusk.medium.com/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8)

---

### Log4j

![Log4j-timelines](https://i.imgur.com/auy5BlN.png)

Reference: Rezilion

---

### Some hacks in the past 2 years

![](https://i.imgur.com/IXBQqHn.png)

[Reference](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)

---

### Want more?

![](https://i.imgur.com/ap9e78P.png)

[Reference](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)

---

### Why do supply chain compromises happen?

---

### Why do supply chain compromises happen?

I truly believe it's because an attacker knows your system better than you do!

---

### Log4j patching

![Log4j-patching](https://i.imgur.com/WR77jbr.png)

[Reference](https://www.wiz.io/blog/10-days-later-enterprises-halfway-through-patching-log4shell)

---

#### Why do supply chain compromises happen?

As shown above, even 10 days after disclosure, thousands of companies still hadn't patched the critical Log4j (Log4Shell) vulnerability. Is it because they are negligent? They want to get hacked? Lose reputation? Procrastination? No, no, no.

---

#### Why do supply chain compromises happen?

All because they didn't know what to look for!
They have no insight into their assets, nor any criticality categorization of the packages & 3rd-party applications in use.

---

#### SBOM

Nginx image SBOM info

![nginx-sbom](https://i.imgur.com/TwXxfnS.png)

---

### The WHAT

---

### The WHAT

What's the delicious chocochip cookie made of?

![](https://i.imgur.com/1SOR2Gr.png =400x250)

[Reference](https://in.pinterest.com/pin/762726886875438312/)

A list of all ingredients, their source, and quantity info

---

### The WHAT

An SBOM is similar. It lists everything that went into building a piece of software: the source, version, license, etc. of each component.

---

### The HOW

---

#### Tools

There are several ways to generate SBOMs - trivy, syft, etc.

```
trivy i node
```

![](https://i.imgur.com/sRqLPdc.png)

---

#### Use case

For example, we want to identify all licenses involved in a Node.js docker image.

```
trivy i node@sha256:403be0c31e52715b3496f7d5a2b40518402aaa09b82f52aa721ce34564990eed --format spdx-json --security-checks vuln | jq -r '.packages[].licenseDeclared' | sort | uniq | wc -l
```

131 distinct license values 🚀

(`trivy i` is shorthand for `trivy image`; newer Trivy releases renamed `--security-checks` to `--scanners`. The pipeline counts distinct `licenseDeclared` strings, so compound expressions such as `A AND B` and `NOASSERTION` each count as one.)

More here, https://rewanthtammana.com/sigstore-the-easy-way/sbom/

---

### Visualizing the information

GUAC - Graph for Understanding Artifact Composition

https://github.com/guacsec/guac

---

![](https://i.imgur.com/g2OxHWf.png)

---

![](https://i.imgur.com/ydV5lIv.jpg)

---

#### Securing artifacts

It's good to have these SBOMs, but it's equally important to secure them. More about it in the guide I created, https://rewanthtammana.com/sigstore-the-easy-way/

![](https://i.imgur.com/LgatWo5.png)

---

#### NSA on SBOMs

[NSA - Securing supply chain guide](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF)

---

#### My thoughts

Supply chain security is open source security!
Most of the open source code used by people isn't updated - Unknown

---

### Social media

Website: [rewanthtammana.com](https://rewanthtammana.com)

Twitter: [@rewanthtammana](https://twitter.com/rewanthtammana)

LinkedIn: [/in/rewanthtammana](https://linkedin.com/in/rewanthtammana)
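---

#### Backup slide: querying an SBOM yourself

The "Use case" slide counts licenses with `trivy` and `jq`; the "why compromises happen" slides argue that the real win is knowing, on day one, whether a package like log4j-core or a sabotaged colors/faker release is in your build. The script below is an added example written for this deck, not code from the original slides or from Trivy: it parses an SPDX-JSON SBOM, builds the same license inventory the `jq` pipeline does, and matches package URLs (purls) against a watchlist. `SBOM_JSON` is a constructed fragment in the shape Trivy emits with `--format spdx-json`, trimmed to the fields read here; `WATCHLIST` is hand-written for the example, and `version_key` is a deliberately crude comparison.

```python
"""Query an SPDX-JSON SBOM: license inventory plus a package watchlist.

Added example, not from the original deck. SBOM_JSON is constructed to
mirror the SPDX 2.3 JSON shape Trivy emits; WATCHLIST is written by hand.
"""
import json
import re

# Constructed SBOM fragment: packages, versions and licenses are invented.
SBOM_JSON = r'''
{
  "spdxVersion": "SPDX-2.3",
  "name": "example-image",
  "packages": [
    {"name": "example-image", "versionInfo": "", "licenseDeclared": "NOASSERTION"},
    {"name": "log4j-core", "versionInfo": "2.14.1", "licenseDeclared": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"name": "colors", "versionInfo": "1.4.0", "licenseDeclared": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/colors@1.4.0"}]},
    {"name": "faker", "versionInfo": "6.6.6", "licenseDeclared": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/faker@6.6.6"}]},
    {"name": "libc6", "versionInfo": "2.35-0ubuntu3.1",
     "licenseDeclared": "GPL-2.0-only AND LGPL-2.1-only"},
    {"name": "openssl", "versionInfo": "3.0.2-0ubuntu1.6", "licenseDeclared": "OpenSSL"},
    {"name": "zlib1g", "versionInfo": "1:1.2.11.dfsg-2ubuntu9", "licenseDeclared": "Zlib"}
  ]
}
'''

# Hand-written watchlist for the example. Thresholds and version sets are
# entered by hand; in practice they come from an advisory feed, not a slide.
WATCHLIST = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed_in": "2.17.1",
     "reason": "log4j-core below the patched line"},
    {"purl": "pkg:npm/colors", "bad_versions": {"1.4.1", "1.4.2"},
     "reason": "sabotaged colors release"},
    {"purl": "pkg:npm/faker", "bad_versions": {"6.6.6"},
     "reason": "sabotaged faker release"},
]


def load_packages(sbom_text):
    """Return one dict per SPDX package: name, version, license, purl (or None)."""
    doc = json.loads(sbom_text)
    out = []
    for pkg in doc.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref["referenceLocator"]
        out.append({"name": pkg.get("name", ""),
                    "version": pkg.get("versionInfo", ""),
                    "license": pkg.get("licenseDeclared", "NOASSERTION"),
                    "purl": purl})
    return out


def license_inventory(packages):
    """Count packages per declared license string, exactly as the deck's
    `jq ... | sort | uniq` does: "A AND B" and NOASSERTION are their own keys."""
    counts = {}
    for p in packages:
        counts[p["license"]] = counts.get(p["license"], 0) + 1
    return counts


def version_key(version):
    """Crude numeric key: '2.14.1' -> (2, 14, 1). Fine for the semver-style
    Maven/npm versions compared here; distro epochs/revisions need their
    package manager's own ordering rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def split_purl(purl):
    """'pkg:npm/colors@1.4.0?arch=x#sub' -> ('pkg:npm/colors', '1.4.0')."""
    base, sep, rest = purl.rpartition("@")
    if not sep:
        return purl, ""
    return base, rest.split("?", 1)[0].split("#", 1)[0]


def find_watchlisted(packages, watchlist):
    """Return (name, version, reason) for every package that hits the watchlist."""
    hits = []
    for p in packages:
        if not p["purl"]:
            continue  # OS packages without a purl are not matched in this example
        base, version = split_purl(p["purl"])
        for entry in watchlist:
            if base != entry["purl"]:
                continue
            if version in entry.get("bad_versions", ()):
                hits.append((p["name"], version, entry["reason"]))
            elif "fixed_in" in entry and version_key(version) < version_key(entry["fixed_in"]):
                hits.append((p["name"], version, entry["reason"]))
    return hits


def report(sbom_text, watchlist=WATCHLIST):
    """Summary a responder wants on day one: how much is in the image, and what's hot."""
    packages = load_packages(sbom_text)
    return {"package_count": len(packages),
            "license_count": len(license_inventory(packages)),
            "hits": find_watchlisted(packages, watchlist)}


if __name__ == "__main__":
    r = report(SBOM_JSON)
    print(f"{r['package_count']} packages, {r['license_count']} distinct license values")
    for name, version, reason in r["hits"]:
        print(f"HIT {name}@{version}: {reason}")
```

Run it against a real SBOM by replacing `SBOM_JSON` with the output of `trivy image <ref> --format spdx-json`. Matching on the purl rather than on the bare package name is the important design choice: `log4j-core` in an SBOM can be a Maven artifact, a Debian package or a vendored jar, and only the purl says which ecosystem's version rules apply.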