{"id":287456,"date":"2021-06-30T15:00:41","date_gmt":"2021-06-30T12:00:41","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-mitigate-supply-chain-attacks-with-preflight-cloudsavvy-it\/"},"modified":"2021-06-30T15:00:41","modified_gmt":"2021-06-30T12:00:41","slug":"how-to-mitigate-supply-chain-attacks-with-preflight-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-mitigate-supply-chain-attacks-with-preflight-cloudsavvy-it\/","title":{"rendered":"#How to Mitigate Supply Chain Attacks With Preflight \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure style=\"width: 2052px\" 
class=\"wp-caption alignnone\"><img class=\"type:primaryImage wp-image-12353 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/61ab32e1.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"hands typing on laptop\" width=\"2052\" height=\"1176\" data-credittext=\"Peshkova\/Shutterstock.com\" \/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/double-exposure-woman-hands-working-on-1723672675\">Peshkova\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>The risks of supply chain attacks have gained visibility lately in the wake of the SolarWinds and Codecov hacks. Attackers compromise upstream code providers to sneak malicious sources into software products.<\/p>\n<p>Many applications download external dependencies during their build routines. Using those downloads as-is can be dangerous. How do you know the file on the server hasn\u2019t been replaced with a malicious version?<\/p>\n<pre><code>curl https:\/\/example.com\/install-script.sh | sh<\/code><\/pre>\n<p>This command illustrates the simplest of supply chain attacks. Piping an install script into your shell is convenient but risky. 
If <code>example.com<\/code> has been compromised, you\u2019ve just given an attacker unfettered access to your system.<\/p>\n<h2 id=\"file-checksums\"><span class=\"ez-toc-section\" id=\"File_Checksums\"><\/span>File Checksums<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can mitigate the dangers of this approach by checking if the downloaded file matches a known checksum. Many reputable open-source projects will publish a checksum that you can compare against. Only run the file if its calculated checksum matches your known value.<\/p>\n<p>Implementing this check into your build scripts can quickly get repetitive. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/SpectralOps\/preflight\">Preflight<\/a> is a tool that helps you perform checksum comparisons so you can avoid common supply chain attacks.<\/p>\n<p>Preflight accepts a binary\u2019s path and a checksum to compare it against. If the file\u2019s checksum matches, it\u2019ll be executed as normal. Otherwise, the command is aborted, guarding your build script or CI pipeline against unintended malicious code inclusion.<\/p>\n<h2 id=\"using-preflight\"><span class=\"ez-toc-section\" id=\"Using_Preflight\"><\/span>Using Preflight<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can download Preflight from its <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/SpectralOps\/preflight\/releases\">GitHub releases<\/a> page. The tool\u2019s also distributed as <code>preflight<\/code> in the Homebrew package manager.<\/p>\n<p>At its simplest, Preflight can be used anywhere you\u2019d normally reach for <code>| sh<\/code>. Pipe another command into Preflight, supplying a checksum to match before anything is executed.<\/p>\n<pre><code>curl https:\/\/example.com\/install-script.sh | preflight run sha256=abc...123<\/code><\/pre>\n<p>Now the install script will only be executed if it matches the known checksum. 
This gives you confidence that the file\u2019s content hasn\u2019t been tampered with. Preflight supports the <code>sha256<\/code>, <code>sha1<\/code> and <code>md5<\/code> hash types.<\/p>\n<p><img class=\"aligncenter size-full wp-image-12002\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/165d9aa7.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"965\" height=\"540\" \/><\/p>\n<p>You should hardcode known checksums into your build scripts. <em>Don\u2019t<\/em> download a checksum file provided by the same server as the target file. Assume an attacker with the ability to modify the script has also uploaded a bogus checksum file.<\/p>\n<h2 id=\"programmatic-checks\"><span class=\"ez-toc-section\" id=\"Programmatic_Checks\"><\/span>Programmatic Checks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Sometimes you might want to take an action depending on whether a file successfully matches its checksum. In this case, you can use <code>preflight check<\/code> to perform the comparison without actually executing the file.<\/p>\n<pre><code>curl https:\/\/example.com\/install-script.sh | preflight check sha256=abc...123<\/code><\/pre>\n<p>The command will exit with status code <code>0<\/code> if the file\u2019s checksum matches. A status code of <code>1<\/code> will be issued when there\u2019s a discrepancy. Preflight will also emit an error message to the standard output stream.<\/p>\n<h2 id=\"creating-hashes-with-preflight\"><span class=\"ez-toc-section\" id=\"Creating_Hashes_With_Preflight\"><\/span>Creating Hashes With Preflight<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Not all software projects publish hashes for their releases. 
Preflight has built-in support for generating a new hash if you need one for a dependency.<\/p>\n<p>Download the file from the vendor\u2019s website. Then pass it into <code>preflight create<\/code> to get the hash of the file\u2019s contents.<\/p>\n<pre><code>wget https:\/\/example.com\/install-script.sh\npreflight create install-script.sh<\/code><\/pre>\n<p><img class=\"aligncenter size-full wp-image-12005\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/1a444294.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"965\" height=\"148\" \/><br \/>A SHA256 hash is generated by default. You can switch to SHA1 or MD5 by adding the <code>--digest<\/code> flag to the command.<\/p>\n<h2 id=\"adding-malware-scans\"><span class=\"ez-toc-section\" id=\"Adding_Malware_Scans\"><\/span>Adding Malware Scans<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Beyond basic checksum comparisons, Preflight supports optional malware scanning. This feature scans your file against known malware signatures.<\/p>\n<p>Malware lists are provided by third-party services. Preflight works with any text file containing a list of known malware checksums. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.malshare.com\/daily\/malshare.current.sha256.txt\">Malshare<\/a> is one provider of these lists.<\/p>\n<p>Set the <code>PF_FILE_LOOKUP<\/code> environment variable to point to your file\u2019s location. Preflight will detect this variable and enable malware look-ups. When you run <code>preflight check<\/code> or <code>preflight run<\/code>, the target file\u2019s checksum will be compared against the entries in the malware list. 
The check will fail if there\u2019s a match.<\/p>\n<h2 id=\"what-about-other-kinds-of-dependency\"><span class=\"ez-toc-section\" id=\"What_About_Other_Kinds_of_Dependency\"><\/span>What About Other Kinds of Dependency?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Preflight focuses on checks of static files. It\u2019s best suited to pre-built binary downloads which you acquire directly from the vendor.<\/p>\n<p>It\u2019s less realistic to use Preflight with dependencies acquired via package managers. Risks arising from software installed via npm, Composer, NuGet, or Maven will need to be handled in a different way. You can use package manager features such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.blog\/2021-02-12-avoiding-npm-substitution-attacks\">vendor scoping<\/a> to ensure dependencies get installed from trusted repositories.<\/p>\n<p>Preflight should be one component in your defense against supply chain injections. Analyze your build scripts to identify intrusion vectors provided by other forms of third-party software.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Supply chain attacks are a growing problem that affects the security of software deployments. Many developers incorporate direct software downloads into their build scripts. This could give attackers a way to include code in a target project, by compromising an upstream vendor.<\/p>\n<p>Preflight simplifies security checks of third-party scripts and binaries. There is a certain irony though: by using Preflight, you become reliant on a third-party package that you will need to download. 
You <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/SpectralOps\/preflight#gift-getting-preflight\">can mitigate this<\/a> by building Preflight from source yourself and hosting the binary on an internal server that you trust.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/11992\/how-to-mitigate-supply-chain-attacks-with-preflight\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Mitigate Supply Chain Attacks With Preflight \u2013 CloudSavvy IT&#8221; Peshkova\/Shutterstock.com The risks of supply chain attacks have gained visibility lately in the wake of the SolarWinds and Codecov hacks. Attackers compromise upstream code providers to sneak malicious sources into software products. 
Many applications download external dependencies during their build routines. Using those downloads&#8230;<\/p>\n","protected":false},"author":1,"featured_media":287457,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/61ab32e1.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-287456","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/287456","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=287456"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/287456\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/287457"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=287456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=287456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=287456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}