 Cholj, sreči, da so vzeljati na to spet. Sreči, kaj je začnečnjačnja začnečnja in ozvrčenjosti v pođenju PHP ekosistemu? Prijevamo, da znamo vse prijev. Mi je Paolo Menardi, je košnjavčen in sejstvo spartfabrik. Spartfabrik je in jazilja krepati, kaj si se dačenjo, da je tudi včak, evo odbavimo na Ideli, izvajem vom klavne, in začenjo in z vsejstveni infrastrukturo, ič v spetu na kuburneti. We maintain some Drupal models as well, maybe the most famous one is web profiler from Lukalozo, he is here as well. And he has a presentation tomorrow on how Drupal builds pages. It's a very interesting deep dive. I suggest you to follow that talk is tomorrow. I am also part of the advisory board of the Linux Foundation Europe. LFE is a new born foundation. The European branch of the Linux Foundation. with mission to accelerate the growth of open source in Europe fostering open source open standards in the European market. Of course you can visit the Linux Foundation of the U, if you are interested about the ongoing project and how to be involved as a contributor or if you have an open source project to be hosted there. You can also find me on my personal blog, palaminärdi.com or the other social channels you see on the slide. Well, let's get started. V seži sem stačno da bi bilo predv霧u, ki je to začelega vsega vsega sepljava, če je to so več ovo vsočen. Na vse začalj svojeh ekosistem in tezmi, in vidišči, ki smo lahko nega začeli, nekaj lahko vsega ignače, tezmi testenče, ampak ni bov, tezmi delmu materijali. Vsega č霧u imam demo, da bi se videl, kako tezmi tezmi vsega vsega vsega vsega, demo je izgleda video, sem je zlice izgleda del, por聞ido, da zdajš, kot sem sreč v sprade, in hrežem vendim, da v vse vyšel jaz dobro izbrataj boj, s ko ga plisem v vse. Tudi budeš pa vse ostavljena, boj, da se leti na vse boma, z deja boj, da se ven barac, z kateri boj pri srečitih krati je barac, da ga postavljete. Bi srečailo, da vedel jas na srečitih rež plenty in ga postavljen je vse, as a PlayChain is a network of individuals and companies who are involved in creating a product delivering it to the consumer. It is generic enough to accommodate everything, basically, any product from a couple of shoes to a software product of any kind, including Drupal, but open source software has a unique characteristics that differentiate it a lot from all the other industries and products. This diagram comes from the Salsa framework SLSA.dev, which is an open source project created by the OpenSSF Foundation, which is a branch of the Linux Foundation. This project is not a software framework. Instead, it's just a checklist of best practices that we can gradually adopt it to improve the integrity, reducing tempering risks, and finally improve, as well, the security posture of our packages and infrastructure. As you can see, there are three main groups in which the threads are categorized, source, build, and dependencies. Attackers today commonly exploit dependencies, which remain the weakest link in the security chain. It is estimated that a modern project has an average number or more than 500 packages, dependencies today, and over 90% of our code in our products is not actually written by us. So now you can imagine how much we depend on unknown actors and how large the attack surface is just on this side. But attacks can occur at any link of the software supply chain, not just dependencies, and these kinds of attacks are increasingly public and disruptive, like the cases SolarWinds, CodeCoV, or Octa, and many, many others. I will show you something about SolarWinds in the next slides. But now, try to imagine the subset diagram that we just saw applied to a modern Drupal application. We, of course, start by installing Drupal. Typically, we need to install additional Drupal country modules and other composer dependencies, then depending on how we build Drupal, we will need the variable amount of JavaScript dependencies to build our team or other services. In addition to that, we may require other tools, such as Python, Go, Rust, for implementing AI or such or other stuff we need. On top of that, we have our operating system, which is strictly bound to our application. We may need system libraries for compiling PHP extensions. We may need a specific kernel or other custom binaries, such as the tools we use in Drupal, for example, to convert images. It's a very common case. Then we usually have CACD systems with many jobs to do code linting, to do QA, to run tests, to collect metrics, and so on and so forth. Another very common case is also integrating external services to do these kind of things on our code base, like code covers, code climate. And this means giving basically full access from the external to our code base to our systems. Then we have to ship our application on the cloud. We have several options today, like AWS, GCP, Azure, whatever we like. And when using cloud platforms, today we have the flexibility to choose from a wide range of services to deploy the application. The services may include Kubernetes, object storage for all the assets, many kind of database, my SQL Postgres, Redis, Memcache, Lambda functions, and so on and so forth. And lastly, we have our local or cloud development environment, which is today another word agglomerate of external dependencies to extending your editor with VS Code extensions or if you use VI, VI models, or whatever we use to add feature to our environment, they are dependencies as the dependencies we use in our applications. And it's also very common that we have access to the cloud platforms from our development environment, maybe to the bug, to see the logs, to check the metrics and such. As we have already seen in the Salsa diagram, no point in this chain is free of threats. Especially when the map of services is so complex and interconnected together. What we see here is maybe the biggest case in the history of cybersecurity attacks. This was indeed the case which sparked the global interest around the secure software supply chain, especially in the open source world. This case happened in 2020 to this company called SolarWinds. They are a major IT company based in the US and one of their flagship product called Orion, designed to do network monitoring at large scale for data center, was compromised by a malware, which was then shipped to all SolarWinds customers as a regular standard security update. It was later discovered that this kind of compromise was in the SolarWinds build system, especially in the point C of the Salsa framework, where a very sophisticated malware was designed to activating itself and injecting malicious code right before the compilation phase. This attack went undetected for four months and from that point on, all the new versions of Orion contained this kind of malware that was designed just for spying reasons. The biggest tech giants like Microsoft, Intel, Cisco were affected, but even the most important national security agencies like the Pentagon, the Homeland Security, the National Nuclear Security, and many other important agencies, public entities, private entities and worldwide national states. This case was so big and concerning that the US Congress invited the CEO of SolarWinds and the president of Microsoft to testify in the case at the Congress to understand why companies that are supposed to protect us from cyberattacks was, instead, theirself victims of a long-running, a large-scale attack like this. Since 2019, these kind of attacks have increased by more than 700% per year. There are several reasons behind these. First and foremost, there is a great global demand for open source, which is good as we work in this field, but open source projects today, as I said, requires thousands of external dependencies to build a new product. And usually, projects lack proper security tools or even the knowledge of the complete set of dependencies we are using to build our software. But even improving an invention of new attacks like typosquoting, dependency confusion, injection of malicious code, and recently even the protests were attacks where autora projects basically sabotaged their project to protest against something. There were two famous cases, the Node.js libraries, Colors and Faker, who had this kind of attack. And these attacks, as you can see, have also a big global economic impact. Luzes have already estimated to be around 46 billion and are expected to exceed 80 billion by 2026. And all these reasons together led government to work on new cybersecurity laws. US government started first promulgating the national cybersecurity strategy just a month ago in March 2023, which is a long-term strategy to improve the security posture of organizations and explicitly talking for the first time about making software vendors liable for insecure software. And software vendors will also be required to satisfy new security requirements, specifically designed for supply chain lies, such as publishing software below materials alongside their software products. The EU Commission also worked on a law that is called the Cyber Resiliency Act, the CRA. You'll probably hear a lot about this in the next few weeks or months. The proposal of this law is very good, and it wants basically regulate all the products that incorporates digital elements, which includes any product that can run software, basically. It is the equivalent of the CE mark we see in the electronic device, but specifically designed for software. The implementation of this law has caused a major concern within the open source communities right now, because even if there are specific exclusions for open source, the boundaries who will be liable for are not yet quite clear. In fact, in the current form, everyone who publishes software via the Internet is potentially liable for CRA penalties, and they are quite big in some cases. If you're interested in this subject and you should working on this field and you would like to learn more or stay engaged, you can scan this QR code or follow the link to subscribe. This will keep you informed about the latest CRA updates from Linux Foundation Europe and other open source foundations. The good news is that also the response from the community has been strong and very coordinated. We see here a bunch of logos of products, tools, new foundation, new standards or improved standards with the aim to assist companies, professionals, public and private sectors to create a more secure software industry. Go together. Well, let's see now the state of the PHP ecosystem and how much is affected by all this issue we have seen so far. I want to start by looking at the history of package management in PHP. This is an history who begins in 1999, so many, many years ago, when Stig Becken wanted to include in the PHP runtime something to manage in a programmatic way, external and high quality dependencies. The name of this project was Pair, which stands for PHP, extensions and application repository. It was, for the time, a very, very innovative project. As you can see in the timeline, PHP has been the first of the big mainstream programming languages to introduce a native package management system. In 2009, two big milestones happened in the PHP ecosystem, the introduction of namespaces in PHP 5.0.3 and the creation of the first outloading standard, pse0, from the PHP fig group, which is a group focus on defining interoperability standards between frameworks. Thanks to these two new innovations, a new and a modern package management manager was invented, it was Composer, I guess you all know it, but the question is why a new package manager was even created. We already had Pair. Well, Pair was created in another era of computer programming before the invention of Git and the popular coding platforms like GitHub, GitLab and such. In fact, Pair packages are moderated by the Pair team, meaning that you cannot simply publish a new model on the default Pair channel by submitting your app. There were also other big technical limitations, such as not having a bundle or a log file to describe your dependencies and make your code reproducible. As we can see from the graphs, Composer quickly became a big success with a broad adoption. Today it costs more than 300K of packages and over 3.5 million of revisions with more than 2 billion installed packages monthly, so very, very big numbers. And now, let's see how Composer work right now to protect us from supply chain attacks with its built-in security features. We begin when install a new package on Composer we begin by defining a namespace such as Drupal, followed by the library name and its version and as you can see all the vendor namespace packages are allowed to be installed and this is very important very good security feature because it reduces a lot the risks behind typosquatting attacks. The code on Composer is always hosted on a git repository and only metadata goes on packages.org. This is another significant security advantage as it reduces the risks of code tampering. Anyway, the possibility of tampered metadata is still coming from the package and the packages repo it's still an actual risk. And then Composer allowed us to define multiple repositories in addition to the default public one exactly as Drupal does with packages Drupal.org repository and when it is present, these repositories are considered canonical by default. This means that if a package name is found in a custom private package repository then versions from debt repositories are loaded. So we are not affected by another popular attack called dependency confusion that is hitting very hard other package managers like PiPi or MPM and so on and so forth. Anyway despite all these Composer built-in security features already in place many supply chain attacks have been conducted against Composer and Pair in the last two years as you can see and all of them were very dangerous too. For example in May this year an incident occurred on Composer when someone gained access to an inactive user account becoming a maintainer for at least 14 packages. You can see more on the link on the slide in Composer blog. So what are we doing? Where should we start to secure PHP software supply chain? I guess that the first step we have to do is to look at our application and all its dependencies the world dependencies map as a single unit of code and the way to achieve that not reinventing the wheel it is by using of CI containers or aka Docker containers. They allow us to define our application all its dependencies in a reproducible way using Docker files and they are very easy to move between environments from your local machine to the cloud or to your colleagues. They also allow us to rely on existing cloud native ecosystem of tools to generate for example software bill of materials, digital signatures and scan for vulnerabilities and so on and so forth. Another important aspect is that container today are also very useful for development in dev, maybe most of you is using it Drupal pod, GitHub code spaces, recently even GitHub and so on and so forth. Containers today basically are the lingua franca of software packaging. Let's see now how, what are the OCI images and how they work. OCI stands for open container initiative. It is an initiative to define standards around container technologies such as runtime image and distribution and an OCI container can store any kind of file including arbitrary files of course, not just what is defined by a docker file and we see in a moment why this feature is important. So the question now is how an OCI container can help us to improve the trust between has and a digital artifact. How can I be sure that what I am running is coming from a trusted source? Well, this is essentially the same question that Ken Thompson posed in 1984 in his famous paper, Reflections on Trusting Trust and that's where it was quite simply, we cannot really trust the code that we don't totally write ourselves. Instead we should put more trust on the people who wrote it. So, to wire the bar of trust we need to know at least when and how using things like digital signatures and provenance attestations, for example and we also need to know the list of things who made the artifact basically like the list of ingredients we require when we buy some food, for example and using digital signatures with key pairs we can solve the first set of problems because they ensure integrity, authenticity, no reputation, which are the key elements to building trust between actors. But the problem is that managing keys is very hard, it's a tough task. We have to distribute the keys to our users, we need to keep our private key in a very secure place, storage and when compromised, not if we have to inform all the involved users to use the new key, to the prekated old one and so on and so forth, super complex. This is why digital signatures today are not yet widely used by developers even though they have existed for decades. But there is a new project called SIGSTOR from the Open SSF foundation aimed at resolving all those issues with the goal to become what less encrypt has been for TLS certificates. It is a very fast growing community, it is already mainstream adopted, such as Kubernetes, many other big vendors like Github, NPM, GithLab, Ruby, Arch and so on and so forth. So the success of SIGSTOR is mostly driven by it's very innovative features like the keyless signing it means not having any more keys to sign an artifact it works by using your public identity, like Github, Google or whatever open ID provider supported to generate a short lead certificate and use it to sign on your behalf so you don't need keys basically. Another important feature is that signatures are stored alongside the OCI registry, you remember the feature I mentioned before, so you don't have any more distribution issues because anyone knows that the signatures are in alongside your docker image basically. The other key element in the software supply chain are the software below materials known as BOM, they represent a list of ingredients who made the artifact and you can use it to do things like vulnerability scanning license policy, find abandon dependencies, whatever and generating as BOM is a very complex problem to solve because dependencies are managed by different package measures at different layers and they differ a lot on how they package stuff even just the Linux distributions have many kind of package types even if they share maybe the same package type they apply patches so they release things with custom versions depending on the distribution language, you have PHP, you have JavaScript, you can have Python and so on and so forth. There are of course various tools available that we can help that can help to generate this BOM. The most advanced you can use today are SIFT, 3V and even docker now has a built-in as BOM generator which eliminates the need to install something, another tool and today we are announcing Drupal below materials. It is a very simple module very easy to use for generating a full software below materials for your Drupal installation. I will show you how it works shortly. Well, finally demo time, we are going to see mainly three things here how to sign a Drupal container image with sixor, how to generate and attach this as BOM for the container to the registry. In the second part I will show you this new Drupal module we are developing to bring together all these technologies and make them easily accessible from any environment dockerized or not. To demonstrate all how all this stuff works, I will deploy the container on a local Kubernetes cluster which has some security policies which will allow me only to deploy containers with containers and with as BOM attached. You can use this QR code to access the GitHub repo containing all the code to replicate this demo and how the things are implemented. All right, let's move to the video. We start by building our docker file basically as you can see it's a Drupal 10 1.5 we installed some composer dependencies, we installed javascript dependencies and system dependency then we installed two binaries because we need it in this application and we do run some scripts, it's quite simple easy peasy. We build our image we now are going to push this image to our docker registry and now we try to deploy this container to our Kubernetes cluster and as I said this cluster is running a security controller security policy controller which deny me to deploy this container because we are missing basically the signature and we are missing the as BOM. Let's go to fix all these failures and we are using a tool from the sIG store ecosystem which is cosine and as you can see we just passed to cosine tag and now we start the keyless signing process I log with my github account I trade my identity for a short leave certificate that cosine will use to sign my container and it's done now if I go to check my docker registry I can see that I have two tags one is my image, the other one is the signature so no more distribution issue in fact if you use cosine verify command with the image with the tag anyone can see who signed this image and in this case it was me of course there is my mail I know that the issue was github maybe I can provide some security policy to restrict just to some open ID profile and now I try to deploy again my container to the Kubernetes cluster and as we you can see now we have just one error because the sbomb is missing and now we are going to generate an sbomb using a tool which is sift from the enter company and it's super easy to use you just need to pass to the tool your image and the tag it will scan all the layers and you will see all the packages is told on this container as you can see the container was quite small we stole just four composer dependencies we stole the one and node npm dependency we stole two binaries and the result is that we are shipping somewhere a container with more than 3k packages a lot now to attach it to our container we are going to generate the sbomb in another format in the X there are several I choose this one not for any specific reason and it's a JSON format it's perfect it's machine readable and it contains a lot of information more than the table we saw before of course as the license is the author where it has been found inside the container for example now we are checking the web profiler module and now we know the license pure is the name and so on and now what we are going to do is attaching it means pushing this sbomb automatically using cosine we are going to attesting using the lingo of cosine this file to our docker container pushing it to the docker registry and signing it so we attest our image we pass as predicate the file we have just generated Drupal sbomb and now we just say to cosine that the type of this file is a second ex file and now we start the keyless signing process because it will signing it with my identity and push it to the registry so I am sure that who has generated the sbomb was me but now if you are checking the docker registry we can see that we have three tags one is our docker image 100 the other one was the signature and the third one is the sbomb and now finally we try again to deploy this container to our Kubernetes cluster hopefully it will work I know because it is a video ok it worked it worked, wow and now the second part we are going to use just Drupal to generate the sbomb from the Drupal instance using our new model Drupal I am going to check that the composer file basically contains what you saw in the docker file before we are just using a composer it is a module you can install it from Drupal.org it is still in the development phase not yet released in any kind of version we install it with drash and now it is ready to be used we can go to admin reports sbomb we can see that we don't have yet generated sbomb we are going to generate it of course wow and now we know that in this installation we have 1000 npm packages 1.net binary I didn't know what is that one maybe from composer I guess 54 github actions and more than 200 PHP composer files and the result is this one we have a lot of packages just for standard Drupal default installation for composer modules we can download this sbomb of course we can use it as well with drash of course because maybe you want to use it programmatically, you want to use it in your CI there are two commands right now one is download the other one is to generate a new one now we are going to generate a new sbomb with drash we are going to save it in a file and now we are going to inspect this file to see the content just to be sure that everything worked as expected we check again the web profiler module ok everything is inside we are going to check the npm libraries as well to see what are and where where are they come from and now with once you have an sbomb you can do many stuff and one of them is for example selecting for known vulnerabilities like this using another tools which is gripe there are many and you just pass your sbomb to gripe and these tools will download the public CVs to understand if your packages your installed libraries are vulnerable with something now we have a new data that we have 29 vulnerability meshed 3 critical 59 11 medium of course you have to take with a grain of salt this kind of information because CVs are quite flawed sometimes maybe you are not really in danger with this kind of vulnerability depending on how you build application but this is data maybe someone can request you to provide this kind of information from your Drupal it works by relying to CVs binary so you need this one for now and it can generate the sbomb file in different formats then it will be saved in Drupal to get the most of it to do data reporting etc. that's it say welcome to Drupal as we briefly saw during the demo this model allows you to generate a full sbomb of a Drupal installation parsing PHP and all the other dependencies found inside the codebase it is still in early stages of development and any contribution is more than welcome to do things like vulnerability scanning with gripe for example better data reporting more sbomb formats, CI tests and so on in fact let me remember the contribution opportunities at rooms 4.1 and 4.2 till the end of the conference so to conclude just some takeaways as we saw a lot of stuff OCI containers simplify a lot software packaging I invite you to use it providing free access to modern cloud native tooling so with SIGS or with SIFT with gripe to sign to generate sbomb to check for vulnerabilities and such and we have a new model Drupal to finish two important points that we didn't see in the demo but they are very important I invite you to automate your dependencies management with tools like github if you are on github or better using an open source project which is renovate bot on all other platforms including github and finally you can try to use this model this composer library Drupal security advisories composer library that you find on github we are helping to maintain which once installed will inform you how to create a package about known vulnerabilities of these modules using the Drupal security advisory database information so it's quite good it's easy to use you have just to install it so thank you