Supply Chain Security in Drupal and Composer
Everyone has heard of supply chains at this point, but what exactly does that mean for a PHP project, let alone a Drupal project? This talk will provide concrete advice, as well as a deep dive into how Drupal Auto-Updates are being built with security as a first-order design goal.
1. Introduction: What is a software supply chain? What are software supply chain attacks? How are Drupal sites vulnerable to such attacks?
2. Composer: Learn how Composer, packagist.org and Private Packagist come into the supply chain conversation, and what role PHP dependencies play.
3. The Auto-Updates Initiative: The Drupal Association has been a leader in developing solutions to address these threats. Chief among these is the development of tools to help smaller Drupal site operators keep their sites up to date.
4. The Update Framework (TUF): The TUF Specification outlines protocols for generating signed metadata that clients use to verify that the packages they download have not been tampered with by bad actors.
5. PHP-TUF Composer Integration Plugin: The Drupal Association sponsored the development of an extension to Composer that verifies each module, theme and profile downloaded from drupal.org.
6. Rugged TUF Server: The Drupal Association also sponsored the development and security audit of the Rugged TUF Server. Its architecture was designed to keep the signing keys used in generating TUF metadata isolated and secure, while keeping up with the needs of the drupal.org packaging pipeline.
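The client-side check that items 4 and 5 describe, as an added illustration that is not part of this talk and is not code from the php-tuf Composer plugin or the Rugged server: a Go program (chosen because its standard library ships Ed25519, so it runs with no dependencies) that verifies a targets-metadata document against a trusted key set with a signing threshold, then verifies a downloaded package against that metadata by length and hash. It simplifies TUF deliberately: the signed object is reduced to the target map, the key ID is the hex public key rather than a hash of the canonical key object, `encoding/json` stands in for TUF canonical JSON, and the root/timestamp/snapshot roles, expiry and version (rollback) checks are omitted. The package path and payload are constructed for the example, and `buildExample`, `verifyMetadata` and `verifyTarget` are names chosen here, not the plugin's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// TargetInfo is the per-file entry of TUF targets metadata: exact length and hashes.
type TargetInfo struct {
	Length int64             `json:"length"`
	Hashes map[string]string `json:"hashes"`
}

// Metadata is what the client downloads: the signed object (here reduced to the
// target map; real TUF adds _type, spec_version, version, expires, delegations)
// plus signatures keyed by key ID (the hex public key here; TUF hashes the key).
type Metadata struct {
	Signed     map[string]TargetInfo `json:"signed"`
	Signatures map[string]string     `json:"signatures"`
}

// canonical is the byte string that gets signed; encoding/json sorts map keys,
// so it is deterministic and stands in for the canonical JSON real TUF uses.
func canonical(signed map[string]TargetInfo) []byte {
	out, _ := json.Marshal(signed) // strings and ints only: cannot fail
	return out
}

// verifyMetadata accepts the metadata only if at least threshold distinct trusted
// keys (from root metadata in real TUF) signed it; other keys' signatures are ignored.
func verifyMetadata(m Metadata, keys map[string]ed25519.PublicKey, threshold int) error {
	msg, valid := canonical(m.Signed), 0
	for id, sigHex := range m.Signatures {
		pub, ok := keys[id]
		sig, err := hex.DecodeString(sigHex)
		if ok && err == nil && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	if valid < threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", valid, threshold)
	}
	return nil
}

// verifyTarget checks a download against verified metadata: reject unlisted files,
// check the length before hashing (cheap rejection of oversized responses), then the hash.
func verifyTarget(signed map[string]TargetInfo, path string, data []byte) error {
	info, ok := signed[path]
	if !ok {
		return fmt.Errorf("%s: not listed in targets metadata", path)
	}
	if int64(len(data)) != info.Length {
		return fmt.Errorf("%s: length %d, expected %d", path, len(data), info.Length)
	}
	if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != info.Hashes["sha256"] {
		return fmt.Errorf("%s: sha256 mismatch", path)
	}
	return nil
}

// examplePath names a constructed sample target, not a real drupal.org package.
const examplePath = "example/example_module-1.0.0.zip"

// buildExample creates three trusted keys and signs metadata for a constructed payload
// with the first nSigners of them (0 <= nSigners <= 3); returns metadata, keys, payload.
func buildExample(nSigners int) (Metadata, map[string]ed25519.PublicKey, []byte) {
	data := []byte("PK\x03\x04 constructed zip payload for the example")
	keys, sum := map[string]ed25519.PublicKey{}, sha256.Sum256(data)
	m := Metadata{Signatures: map[string]string{}, Signed: map[string]TargetInfo{examplePath: {
		Length: int64(len(data)),
		Hashes: map[string]string{"sha256": hex.EncodeToString(sum[:])},
	}}}
	msg := canonical(m.Signed)
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
		if err != nil {
			panic(err)
		}
		keys[hex.EncodeToString(pub)] = pub
		if i < nSigners {
			m.Signatures[hex.EncodeToString(pub)] = hex.EncodeToString(ed25519.Sign(priv, msg))
		}
	}
	return m, keys, data
}

func main() {
	m, keys, data := buildExample(2)
	fmt.Println("metadata, 2 of 3 keys:", verifyMetadata(m, keys, 2))
	fmt.Println("intact package:", verifyTarget(m.Signed, examplePath, data))
	data[0] ^= 0xff // tamper with one byte of the download
	fmt.Println("tampered package:", verifyTarget(m.Signed, examplePath, data))
	one, keys1, _ := buildExample(1)
	fmt.Println("metadata, 1 of 3 keys:", verifyMetadata(one, keys1, 2))
}
```

Two points worth noticing for a Composer plugin built on this model: the metadata must be verified before any target hash in it is trusted, and the set of trusted keys and the threshold come from metadata the client already trusts (in TUF, the root role), never from the document being verified. That is also why the Rugged server's key isolation matters: a threshold of two gives no protection if both keys sit on the same packaging host.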