Preflight Defends Against Supply Chain Attacks with Single Line of Code

Spectral, a cybersecurity company that prides itself on being “developer first,” has released Preflight, an open source tool to help prevent a chain of supply attacks. While these attacks can take different forms, such as the widely publicized Solar Winds hack, they are broadly categorized as attacks wherein access is gained via a third party that has access to a target’s system and data.
For Preflight, the specific type of attack defended against is exemplified by the Codecov incident from earlier this year, where a tool used by Codecov was surreptitiously replaced, modifying a key piece of the code that then altered where information was being reported to. The breach wasn’t noticed until a security-conscious user checked the Secure Hash Algorithm 1 (SHA-1) checksum for the Github version of the tool, comparing it with the one they downloaded from Codecov, and noticing that the two were different.
Dotan Nahum, CEO and co-founder of Spectral, likened the situation with Codecov to a home cook who mindlessly follows the same recipe again and again, without ever paying attention to any of the ingredients, until one time they put in something harmful, without ever realizing it.
“If you’ve been following this recipe for a long while now, and someone switches it and you don’t know better and you just proceed to make another pancake, then obviously you’re going to end up with something really bad. And in essence, that’s what happened with Codecov,” said Nahum. “It’s a bad practice that everyone is doing all over the web right now. It’s actually a bad practice, but it’s mis-considered as a good practice. In fact, this pain was dormant and existed for a very long time, and now I imagine everyone is waking up to the fact that we need to change this.”
According to Nahum, Codecov’s response was inadequate, in that the company suggests that users take two precautions moving forward. “They basically say, before you run our script in the future, eyeball it, make sure it’s good, and then verify it. Now, these two instructions are super amorphic, right? What does it mean to verify it? If I’m a developer that doesn’t have a sense of security, I just want to get things done. I don’t know what it means to verify.”
Preflight, he said, was created to step in and handle this part of the process, ensuring that this type of hack would not be possible moving forward. Preflight can be inserted into a continuous integration (CI) process to automatically verify third-party executables by performing a checksum to ensure that the application is indeed the one they are intending to run and not something else. In addition, Preflight works with antimalware sites to ensure that, even if it is the correct application, it does not contain malware.
At the same time, Nahum acknowledges that there is a bit of a conundrum in suggesting downloading a third-party tool to ensure that third-party tools are not the source of a security breach.
“There’s a little bit of chicken and egg here, because, if you think about it, you’re getting a verification to verify a third party. What guarantee do you have of the different verification tool itself? You need to verify it as well. It’s kind of a paradox,” said Nahum. “We resolve this paradox by saying, listen, this is open source, and you can compile it yourself. And after you compile it, put it in any of your Artifactory or your binary storage, so you can be sure that the chain of trust is not broken. The chain of trust always starts from you. That is the only way you can be absolutely sure that the complete chain is trusted.”
In creating Preflight, Nahum said that they made sure to keep the project simple, that way it could be reviewed by “a normal developer that doesn’t have domain knowledge,” which is part of the reason that they chose the Go programming language. They also made sure that Preflight itself was secure by making sure it does not have any network dependencies.
“It’s [Go language] kind of the language of infrastructure,” said Nahum. “People’s eyes are trained on reviewing Go source code for matters of security. We took all of that into account, and picked the language that would actually correlate well with the ecosystem, in this case, cloud native. And so, any pen tester that does a review of a Cloud Native Computing Foundation project, it’s written in Go, and everything kind of clicks into place.”
Given that Preflight’s location in the software development lifecycle is toward the end when a binary is created, Nahum said that he expects there is potential moving forward to integrate Preflight with other security information and event management (SIEM) tools. For example, if a number of CI builds all fail at once, he said, it could signal that an attack is imminent, and this sort of information could be used to alert the end-user.