Episode #2022-07

Posted on Jun 3, 2022

ProjectZero SLSA go supply-chain

Filippo Valsorda discussed how Go ecosystem mitigates the software supply chain risk. ¹

Google publish a prototype for mitigating supply chain attacks for Go, and have a collaboration with Github. ²

Project Zero published a year-in-review for zero days. Year 2021 is a record year due to more detection, and disclousre. Techniques used were mostly the old and known ones. ³

The AWS patches on Log4Sehll created another vulnerablity. ⁴

Cloudflare shared the findings from security researchers at Assetnotes. ⁵

Footnotes

1. How Go Mitigates Supply Chain Attacks - The Go Programming Language (go.dev)

See also:

Module Mirror and Checksum Database Launched - The Go Programming Language (go.dev)

✂️ A little copying is better than a little dependency. - YouTube (www.youtube.com)

research!rsc: What NPM Should Do Today To Stop A New Colors Attack Tomorrow (research.swtch.com)

2. Google Online Security Blog: Improving software supply chain security with tamper-proof builds (security.googleblog.com)

See also:

Achieving SLSA 3 Compliance with GitHub Actions and Sigstore for Go modules | The GitHub Blog (github.blog)

3. Project Zero: The More You Know, The More You Know You Don’t Know (googleprojectzero.blogspot.com)

See also:

Root Cause Analyses | 0-days In-the-Wild (googleprojectzero.github.io)

0day "In the Wild" - Google Sheets (docs.google.com)

4. AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation (unit42.paloaltonetworks.com)

5. The Cloudflare Bug Bounty program and Cloudflare Pages (blog.cloudflare.com)

See also:

Cloudflare Pages, part 3: The return of the secrets – Assetnote (blog.assetnote.io)

Cloudflare Pages, part 2: The two privescs – Assetnote (blog.assetnote.io)

Cloudflare Pages, part 1: The fellowship of the secret – Assetnote (blog.assetnote.io)