COMP3006: Secure Software Development
Week 3: Secure Software Supply Chain
Dr. Yusuf Kürşat Tuncel
Konya Food and Agriculture University
Spring 2024-2025
1 / 31
�Agenda
1 Introduction to Software Supply Chain
2 Basics of Reusing Software
3 Selecting and Evaluating Open Source Software
4 Downloading and Installing Reusable Software
5 Updating Components and Interfaces
6 Supply Chain Security
7 OWASP and Supply Chain
8 Practical Exercise
9 Summary and Preview
2 / 31
�What is a Software Supply Chain?
All components, tools, and processes in software development
Includes: Code, libraries, dependencies, build tools
Goal: Deliver functional, secure software
Risk: Each link is a potential attack vector
3 / 31
�Why It Matters
80% of codebases use open-source components (Synopsys 2023)
Supply chain attacks up 650% (Sonatype 2022)
Example: SolarWinds attack (2020) - compromised build process
Focus: Secure reuse, not just secure coding
4 / 31
�Reusing Software: Pros and Cons
Pros:
Faster development
Proven functionality
Community support
Cons:
Hidden vulnerabilities
Dependency sprawl
Maintenance burden
5 / 31
�Types of Reusable Software
Open Source Software (OSS): e.g., Apache, Linux
Third-Party Libraries: e.g., Log4j, OpenSSL
Commercial Off-The-Shelf (COTS): e.g., database engines
Internal Components: Reused across projects
6 / 31
�Dependency Example
Application
Library A
Library B Vulnerable Dep
Figure: Dependency Chain
7 / 31
�Choosing OSS
Popularity: Active community, frequent updates
Security History: Known vulnerabilities (CVEs)
License: Compatibility with project (e.g., MIT, GPL)
Maintenance: Recent commits, issue responses
8 / 31
�Evaluation Criteria
Check GitHub stats: Stars, forks, last update
Review CVE database: e.g., NIST NVD
Audit code: Static analysis tools (e.g., SonarQube)
Example: Avoid unmaintained projects
9 / 31
� Example: Evaluating a Library
1 # Check last update and issues
2 git clone https :// github . com / example / repo . git
3 cd repo
4 git log -1 # Last commit date
5 gh issue list # Open issues ( GitHub CLI )
6
7 # Scan for vulnerabilities
8 npm install -g snyk
9 snyk test # For Node . js projects
10 / 31
�Case Study: Log4Shell
CVE-2021-44228: Log4j vulnerability (2021)
Cause: Unchecked JNDI lookup
Impact: Remote code execution, millions affected
Lesson: Vet dependencies thoroughly
11 / 31
�Secure Download Practices
Use official sources: e.g., PyPI, npm registry
Verify integrity: Checksums (SHA256, MD5)
Avoid untrusted mirrors or third-party sites
Example: Malware in fake Python packages
12 / 31
� Verifying Integrity
1 # Download and verify a package
2 wget https :// example . com / package . tar . gz
3 wget https :// example . com / package . tar . gz . sha256
4
5 # Check hash
6 sha256sum -c package . tar . gz . sha256
7 # Expected output : package . tar . gz : OK
13 / 31
�Installation Best Practices
Use package managers: npm, pip, apt
Isolate environments: Docker, virtualenv
Limit permissions: Install as non-root
Audit post-install: Check for unexpected changes
14 / 31
�Real-World Example
2018 Event-Stream Attack
Cause: Malicious npm package update
Impact: Stole Bitcoin wallet keys
Fix: Verify package authenticity
15 / 31
�Why Update?
Patch vulnerabilities
Maintain compatibility
Improve performance
Risk: Breaking changes or new bugs
16 / 31
�Update Strategies
Semantic Versioning (SemVer): Major.Minor.Patch
Automated updates: Dependabot, Renovate
Test updates: CI/CD pipelines
Monitor CVEs: Subscribe to security alerts
17 / 31
� Example: Updating a Dependency
1 // package . json
2 {
3 " dependencies ": {
4 " lodash ": "^4.17.20" // Vulnerable version
5 }
6 }
7
8 // Update to latest
9 npm install lodash@latest
10 npm audit fix # Fix known issues
18 / 31
�Challenges in Updating
Dependency conflicts
Deprecated APIs
Example: Heartbleed (OpenSSL) - delayed updates
Solution: Regular, incremental updates
19 / 31
�What is Supply Chain Security?
Protecting all stages: Code, build, deploy
Threats: Injection, tampering, impersonation
Goal: Trustworthy software delivery
20 / 31
�Common Attack Vectors
Compromised dependencies
Build tool exploits
Malicious updates
Example: SolarWinds - backdoor in update
21 / 31
�Mitigation Techniques
Software Bill of Materials (SBOM): Track components
Code signing: Verify authenticity
Secure CI/CD: Lock down pipelines
Regular audits: Dependency scanning
22 / 31
�SBOM Example
Lists all components and versions
Tools: CycloneDX, SPDX
Sample SBOM Snippet
Component: OpenSSL, Version: 1.1.1, License: Apache-2.0
23 / 31
� Secure CI/CD Example
1 # GitHub Actions workflow
2 name : Build
3 on : [ push ]
4 jobs :
5 build :
6 runs - on : ubuntu - latest
7 steps :
8 - uses : actions / checkout@v3
9 - run : npm ci # Locked dependencies
10 - run : npm audit -- production
11 permissions :
12 contents : read # Least privilege
24 / 31
�Real-World Mitigation
2021 Codecov Attack
Cause: Bash uploader tampered
Impact: Exposed secrets
Fix: Signed artifacts, restricted access
25 / 31
�OWASP Guidance
OWASP Top 10: A06 - Vulnerable Components
Recommendations:
Identify all dependencies
Remove unused components
Monitor vulnerabilities
Tool: OWASP Dependency-Check
26 / 31
� Dependency-Check Example
1 # Run OWASP Dependency - Check
2 dependency - check . sh -- scan ./ project \
3 -- format HTML -- out report . html
4 # Output : Lists CVEs in dependencies
27 / 31
�Exercise: Secure Your Supply Chain
Task: Audit a sample project’s dependencies
Steps:
List components (SBOM)
Check for vulnerabilities
Propose mitigations
Tools: npm audit, Snyk, or manual review
Time: 15 minutes, discuss results
28 / 31
�Summary
Supply chain security is critical in modern development
Evaluate, download, and update components securely
Mitigate risks with SBOM, signing, and audits
OWASP provides actionable guidance
29 / 31
�Next Week Preview
Topic: Input Validation and Processing
Focus:
Validating untrusted input
Preventing injection attacks
Reading: Chapter 3 of ”Software Security”
30 / 31
�Questions?
Contact: [email protected]
Office Hours: Wednesdays, 14:00-16:00
Resources: Course page
31 / 31
