Background Overview
As the Web3 industry continues to evolve, there is growing focus on supply chain security from both the industry itself and the global community. In modern software development, reliance on diverse third-party components and external services has made software supply chains increasingly intricate and expansive. This complexity presents malicious actors with more opportunities to manipulate and infiltrate software supply chains, thereby posing significant threats to enterprise and user data and assets.
Recent incidents have highlighted the potential for severe consequences arising from supply chain security vulnerabilities. Malware and malicious code can be inserted at various stages of the software supply chain, including development tools, third-party libraries, cloud services, and update processes. Once these malicious elements are successfully introduced, attackers can exploit them to pilfer cryptocurrency assets and sensitive user information, disrupt system functionality, extort enterprises, or propagate malware on a large scale.
Example
On December 21, 2022, Ankr published a post-incident report disclosing the findings of an investigation into a $5 million breach resulting from a vulnerability in the aBNBc token. The breach was orchestrated by ex-members of the Ankr team who conducted a supply chain attack by injecting malicious code packages. Each time the project team carried out a legitimate update, these code packages had the potential to compromise Ankr’s private keys. Ankr actively collaborating with law enforcement authorities to press charges against the former team member involved and ensure the hacker faces legal consequences.
Supply Chain Security:
Due to the reasons mentioned above, the SlowMist security team proposes security recommendations for the five key aspects of supply chain security: source code security, build security, transmission security, artifact security, and deployment security. It is crucial to enhance these aspects by focusing on input/output verification, automated operational processes, authorized control in controlled environments, and security certification of personnel and systems.
Source Code Security
1. Code Management
Use code version management solutions like GitHub or GitLab to efficiently manage project code and quickly identify the role responsible for committing code in cases of code backdoors.
2. Code Commitment
Ensure the integrity of code commits, submit code that has undergone security checks, and avoid introducing unexpected code during the submission process (such as vulnerable or backdoor code). Use features like GitHub’s signing commits or similar features like GitLab’s GPG signed commits to ensure the integrity of committed code. Use trusted role accounts for signature verification during code merging with commands like `git merge -S — verify-signatures`.
3. Code Scanning
Alongside code management, conduct security scans on the code. Tools like SonarQube or Snyk Code can be used for static code scanning. Ensure that the committed code does not contain files with credentials, sensitive APIs, authentication keys, etc. Developers can use tools like TruffleHog or GitHub’s secret-scanning to scan submitted data for security vulnerabilities, sensitive information (such as mnemonic phrases or private key information), and more.
4. CI/CD
Implementing CI/CD helps development teams automate the build, testing, and deployment processes, reducing manual operations during integration and project delivery. By adhering to CI/CD, the build, testing, and deployment operations can follow predefined processes, and it also helps in consolidating access privileges for related IT assets like servers. CI/CD can be implemented using solutions like CircleCi and GitHub Actions.
5. Material Security
Material security refers to conducting initial security assessments of third-party services, components, and dependencies being integrated, ensuring controlled risk management. The evaluation should consider the following factors:
- Reliability of the provider: Generally, components from reputable manufacturers are considered reliable, but even components from such manufacturers may have disclosed security vulnerabilities. Therefore, the evaluation should also consider the frequency of vulnerabilities in the component/service history.
- Open-source availability: Non-open-source dependencies may introduce backdoors, so it is recommended to prioritize well-known and open-source libraries.
- Verifiability of artifacts: When using third-party programs, verify them using checksums.=
- Comprehensive integration solutions: When using third-party services, components, or dependencies, ensure there are comprehensive integration solutions that list potential security risks and provide security requirement analysis, considering the impact on projects in the event of abnormalities or compromise of third-party services, components, or dependencies.
Material security should be monitored to ensure that third-party services, components, and dependencies are under controlled risk. This can be achieved through management measures, technical measures, and threat intelligence:
- Management measures: Implement relevant baselines and processes following the OWASP SCVS standard.
- Technical measures: Security personnel can use tools like Dependency Track, Snyk, Murphysec, etc., to monitor materials. Developers can integrate tools like Dependency Check and Snyk’s open-source security management into their development tools or processes to assist in identifying security issues related to third-party dependencies.
- Threat intelligence: Utilize vulnerability intelligence platforms like security.snyk.io and Vuldb to promptly address affected projects through upgrades or fixes.
Build Security
Most development teams manually build project programs or Docker images, introducing several security risks:
- Building programs or Docker images on developers’ local computers, making it challenging to ensure the security of local materials.
- Manual construction of programs or Docker images, increasing the risk of unintentional code introduction.
- Reliance on manual procedures during program or Docker image construction, even with strict security processes, making it difficult to ensure that build personnel consistently adhere to the security processes.
- Lack of control over the security management of the build personnel’s local environment.
Implementing an automated build platform on servers facilitates secure management of the build process. The platform takes control, ensuring adherence to predefined processes and rules. By establishing and managing access privileges to the platform, each build process can be guaranteed to meet the desired standards.
When it comes to compiling and building applications or Docker images, Jenkins is widely utilized for automated builds. It is essential to configure automation platforms like Jenkins in accordance with official security recommendations. In addition to controlling platform account access, reinforcing login authentication with SSO or MFA, and restricting network access at the network level (permitting access solely through the company’s VPN), further strengthens security measures.
By deploying an automated build platform, programs or Docker images are automatically constructed in alignment with the processes and rules defined by management. This minimizes the risk of human error deviating from the established procedures and mitigates the possibility of introducing unexpected code through manual builds. The automated build platform can seamlessly integrate with code management and code scanning tools. For instance, employing solutions like jenkins-pipeline-with-sonarqube-and-gitlab enables automation and streamlined management of code submission, scanning, and deployment operations.
Transmission Security
During the code management and automated build processes, it is essential to adhere to the principle of least privilege and minimize network access. Assign minimal permissions to individuals based on their respective work responsibilities. Restrict network access by implementing IP whitelisting and VPN. After the build process, ensure the secure transfer of artifacts to artifact repositories by utilizing authentication and secure communication methods for effective management.
Repository Security
Repository denote stable release versions of programs. During the build process, the program’s digest includes hashes and signature information. It is crucial to verify the signatures or hash digests whenever repository are utilized. Tools such as Cosign or Notary can be employed for artifact signing and verification. It is recommended to utilize artifact management platforms like Nexus Repository Manager and Harbor and adhere to the principles of least privilege and minimal network access. Control over login and access privileges can be achieved through solutions like Nexus Repository Manager SSO and Harbor SSO, coupled with the implementation of MFA and VPN for added security.
Deployment Security
Deployment involves initial deployment and update deployment. Before the initial deployment, ensure that the servers intended for deployment undergo basic security hardening, including:
- Ensuring servers are newly opened and initialized. For cloud servers, proper permission allocation within the cloud platform and enabling MFA are essential.
- Only opening necessary ports on servers, enforcing IP whitelisting and MFA restrictions for SSH access.
- Installing HIDS or XDR on servers.
- Enabling logging on servers, and utilizing tools like CrowdStrike Falcon LogScale or Splunk for log collection.
- Enabling domain name privacy protection, registering and adding CDNs to avoid exposing the real IP address.
For project deployment, it is advisable to use automated deployment methods like Jenkins automated deployment to avoid mismanagement of server login permissions caused by manual deployment.
Update deployment includes updates to server-side and client-side programs. The update process can be standardized by referring to the scheme provided by theupdateframework.
Summary
Supply chain security holds significant importance in the progress of Web3. Despite the numerous advantages brought forth by the decentralized nature of Web3, it also introduces fresh hurdles in terms of supply chain security. The objective of the SlowMist security team is to furnish project teams within the Web3 industry with security recommendations via the “The Guide to Supply Chain Security in the Web3 Industry.” This initiative aims to foster a robust, secure, and steady development environment for the Web3 industry.