AppSec & Supply Chain Security | August 3, 2022

Software supply chain security takes center stage at Black Hat 2022

By Paul Roberts, Director of Content and Editorial at RL

Black Hat is best known for hardware and traditional software exploits, but this year it showcases more software supply chain security issues—marking the shift in the threat landscape.

Black Hat, the annual gathering of hackers and information security pros in Las Vegas, kicks off next week — the 25th such gathering. It comes after two years of COVID-inspired cancellations and delays. Over the years, Black Hat and its sister conference, DEF CON, have made headlines by showcasing high-profile exploits of hardware and software — from Cisco routers and ATMs to enterprise platforms like Oracle, SQL Server, and Active Directory.

You can still find plenty of those talks this year. But they will share the stage with a growing number of discussions of cyber threats, vulnerabilities and potential attacks on developers, open source modules and the underlying infrastructure supporting modern DevOps organizations. Together, the talks mark a shift in the threat landscape and the growing prominence of security threats to the software supply chain.

Development teams in the crosshairs

The security of tools and platforms used by DevOps organizations is a clear theme at this year’s Black Hat Briefings, with a number of talks addressing specific threats to source code management systems for both closed-source and open source software.

On Wednesday, for example, NCC Group researchers Iain Smart and Viktor Gazdag will present their talk, RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromises. In the talk, the two draw on years of work testing the security of development groups within a range of organizations, from small businesses to Fortune 500 firms.

Describing CI/CD pipelines as the “most dangerous potential attack surface of your software supply chain,” the pair will argue that these development platforms are the crown jewel in any company’s IT infrastructure, providing attackers with a way to turn tools meant to accelerate software development into a malicious “Remote Code Execution-as-a-Service” platform. The pair will also talk about the best approach for defending CI/CD pipelines from attacks and compromises.

Also picking up the theme of “threats to DevOps environments” is the Thursday presentation by researcher Brett Hawkins of IBM X-Force. Hawkins will dig into the various ways that source code management (SCM) systems like GitHub Enterprise, GitLab Enterprise and Bitbucket might be attacked and compromised.

Hawkins’ talk, Controlling the Source: Abusing Source Code Management Systems, presents research that has uncovered a variety of attack scenarios that can give malicious actors access to SCM systems. He will also release open source tools to facilitate SCM attacks including reconnaissance, manipulation of user roles, repository takeovers, and user impersonation. Hawkins will also provide guidance on how to defend SCM systems from attack.

Open source: risky business

Given the software industry’s heavy reliance on open source software to facilitate development, and the growing prevalence of threats and attacks via open source platforms and code, it is no surprise that open source cyber risk is another central theme at this year’s Black Hat Briefings. Data compiled by the firm Synopsys, for example, found that the average software application in 2021 depended on more than 500 open source libraries and components, up 77% in two years. Attackers have taken notice. As we have noted, there have been numerous software supply chain attacks playing on developers’ (and development teams’) heavy reliance on open source repositories like PyPI and npm.

The agenda at Black Hat picks up on this trend, with talks that explore the risks posed by open source code and propose remedies.

For example, researchers Jonathan Leitschuh, Patrick Way and Shyam Mehta use their talk to tackle a key problem in open source security: how to scale security response to meet the challenge of massive open source platforms like GitHub. While modern tools might allow us to automate vulnerability scanning and identification, the output of such endeavors often overwhelms the mere homo sapiens who are tasked with assessing, triaging and responding to the flood of identified flaws.

Leitschuh, Way and Mehta propose one solution: automated bulk pull request generation, together with tools such as the Netflix-developed OpenRewrite, that can help security teams scale their security response. Check out their talk, Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All, on Thursday at 3:20 PM.

And, as companies let AI loose on the vast repository of open source code in the hopes of developing coding bots that might one day replace developers, the presentation In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot deserves your attention. The work of a group of researchers from NYU and the University of Calgary, the talk analyzes the output of “Copilot,” an 'AI-based Pair Programmer' released by GitHub in 2021.

Copilot leverages a deep learning model trained on open-source GitHub code. But, as the researchers note, much of that code “isn’t great.” And, as Microsoft learned with its AI-based chatbot for Twitter, artificial intelligence is great at absorbing input and teasing out patterns, but terrible at assessing the underlying quality of the information it is being fed.

An analysis of Copilot-generated code revealed a high incidence of common flaws, among them SQL injection, buffer overflow and use-after-free vulnerabilities. In fact, of 1,689 suggestions generated across 89 different scenarios using the Copilot AI, the researchers found approximately 40% to be vulnerable.

The talk has implications for development organizations that would look to offload low-level coding work to bots, of course. But the high density of flaws in GitHub repositories is also a red flag to organizations that more scrutiny is needed to assess the quality and stability of open source components before dependencies are created, rather than after.

Developers: the elephant in the security living room

The elephant in the living room of DevOps security is, of course, the developer themself. While source code analysis tools can improve security assessments of proprietary and open source code, and vulnerability scans can identify flaws and weaknesses in developed code, the best security “fix” comes in the form of better written, high quality code.

That’s the subject that researcher Adam Shostack tackles in his talk A Fully Trained Jedi, You Are Not, on Wednesday, August 10 at 11:20. Shostack, an expert in threat modeling, secure development and DevOps, addresses the ‘boil the ocean’ problem that many organizations face as they try to train up developers in the intricacies of secure development without sacrificing other priorities, like delivering usable code on time and on budget.

In the talk, Shostack describes how organizations can operationalize security training for developers. The goal is not to produce a staff of “Jedi-quality” secure developers, but to improve the security awareness and skills of the broad population of developers, in order to reduce the common but still prevalent security issues that plague developed applications.

“A rebellion doesn’t run on a single Jedi,” Shostack notes. To that end, he’ll present the broad outlines of a “knowledge scaffolding and tiered approach to learning” that is scalable across development organizations.
