Update the threat paper with additional threats/commentaries

[scovetta]

Some sources:

• Dependency Confusion
• https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/

[scovetta]

• Protestware
• What new threats have been sparked over the past two years?
• What projects (e.g. SLSA, sigstore, S2C2F, A-O, Package Analysis, etc.) have come about that address some of the risks identified?
• Do we feel we've struck the right balance between pointing out risks but not being overly alarmist?

[scovetta]

Suggestion from EdOverflow on Slack:

The "Account Hijacking" threat could include publisher email domains expiring: https://thehackerblog.com/zero-days-without-incident-compromising-angular-via-expired-npm-publisher-email-domains-7kZplW4x/ & https://arxiv.org/pdf/2112.10165.pdf.

[jstclair2019]

hey, Michael sorry - is there a link to the original paper?
Without having reviewed it, I'd be happy to contribute - I think we want to take a look at however it's organized around "people. process, technology" too. There seems to be more noise as of late about OS licensing problems, as an example.

[luigigubello]

MFA Fatigue Attack

• The Uber Hack’s Devastation Is Just Starting to Reveal Itself (Wired)
• Suspected Russian Activity Targeting Government and Business Entities Around the Globe (Mandiant)

[luigigubello]

Credential stuffing attacks on package index platforms

• PyPI Dictionary Attack (PyPI)

[luigigubello]

Do we feel we've struck the right balance between pointing out risks but not being overly alarmist?

According to Sonatype and ENISA data, we have - probably - identified correct risks in the open-source supply chain, but without spreading awareness to mitigate the impact.

"And according to Mandiant supply chain compromises were the second most prevalent initial infection vector identified in 2021. Furthermore, they also account for 17% of the intrusions in 2021 compared to less than 1% in 2020." (Enisa)

Even if OpenSSF is trying to build and spread a set of tools, standards, specifications, and best practices, their adoption is not enough widespread, yet. My2c :)

[luigigubello]

@jstclair2019 In MD format: Threats, Risks, and Mitigations in the Open Source Ecosystem.md

[jstclair2019]

Perfect @luigigubello Thank you! I'm digging into the PDF ATM.

[scovetta]

Think about including AI/ML -specific threats as they relate to the rest of the topics.

[luigigubello]

So:

• Protestware
• Missing recommendations for handling this scenario
• Dependency confusion
• Missing recommendations for handling this scenario
• Account hijacking
• Added point related to risks for expired domains
• I can add a short point also for credentials stuffing attacks (I would like to discuss during the WG meeting)
• MFA Fatigue
• Probably not important in open-source ecosystem but I have added a point in Account Hijacking session

Next step:

• Write recommendations, if we have, and be sure that recommendations are good
  • In the first version, we wrote recommendations especially for third-party services (e.g. package managers), should we write more recommendations also for developers?
• Write a section/chapter for tools (2021 -2023) to improve OSS supply chain security (SLSA, sigstore, S2C2F, A-O, Package Analysis, etc.)

Document: https://docs.google.com/document/d/1XAaAYhR9vBn8rJVlp_3L4uIp_vW1MPuy/edit?usp=sharing&ouid=116117777947424173000&rtpof=true&sd=true

[edelsohn]

Does the list of threats include all of the threats mentioned in the SBOMit presentation especially the diagram on page 5?

The VCS to source code artifact to build system path is particularly opaque and narrow. Did the bits from the VCS content truly arrive at the build system unchanged? Does the signature of the contents in the VCS truly correspond to the signature of the contents in the VCS or adjusted to match the potentially modified contents that will be downloaded?

[luigigubello]

@edelsohn sorry for my slow response 🙌 I try to reply your questions :) the document "Threats, Risks, and Mitigations in the Open Source Ecosystem" tries to cover as many scenarios as possible in all the steps required to deliver an open-source project. The steps (see this chart) covered by the doc seem to be more or less the same of slide #4 in SBOMit presentation.

Even if this document (v1.1) is not focused only on one specific solution (e.g. SBOM), I think various threats and risks - related to slide #5 of the SBOMit presentation - are described in the section "Package Consumption Phase", and in the updated version (v1.2), we have introduced new threat models (e.g. dependency confusion attack). We have also introduced a new section "Healthy and Integrity Checks" where we suggest some open-source tools, specifications, and standards to streghten the integrity checks. Where a specific check can happen depends on the project's infrastructure and procedures, so in the document - in some particular security topics (e.g. DevSecOps) - we link to external sources. If you think we should focus more on some specific threat models and go deeper, feel free to suggest some examples and I will try to write a new section or integrate an existing one :)