When:
to
Room:
Room 3 (129-130)
Track:
SVG
drupal starshot

Supply Chain Security in Drupal and Composer

Supply Chain Security in Drupal and Composer

Christopher Gervais (Ergonlogic), Nils Adermann (Naderman), Neil Drumm (Drumm)

In the modern world of 'software built elsewhere' and complex dependency trees, supply chain security is more important than ever.

Together with Nils Adermann, co-creator of Composer, we will learn what supply chain security means in the PHP ecosystem, and then explore the pioneering initiatives of the Drupal Association to fortify Drupal sites against evolving threats.

We'll survey The Update Framework (TUF) and its protocols to ensure package integrity. We'll then showcase the robust Rugged TUF Server and Composer TUF plugin, that together help to safeguard the Drupal community, and are an essential part of the Automatic Updates Initiative in Drupal Starshot.

Come see how we're shaping the future of Drupal security.

Prerequisite
- Familiarity with how Composer is used to install package dependencies
- Basic understanding of deployment processes
- Basic understanding of web application security fundamentals
- Knowledge of Drupal deployment and update best-practices would be beneficial.

Outline
Everyone has heard of supply chains at this point, but what exactly does that mean for a PHP project, let alone a Drupal project? This talk will provide concrete advice, as well as a deep dive into how Drupal AutoUpdates are being built with security first in mind.

1. Introduction: What is a software supply chain? What are software supply chain attacks? How are Drupal sites vulnerable to such attacks?

2. Composer: Learn how Composer, packagist.org and Private Packagist come into the supply chain conversation, and what role PHP dependencies play.

3. The Auto-Updates Initiative: The Drupal Association has been a leader in developing solutions to address these threats. Chief among these are the development of tools to help smaller Drupal site operators keep their sites up-to-date.

4. The Update Framework (TUF): Coming from an academic analysis of supply chain attack vectors, the TUF Specification outlines protocols for generating metadata that can be used by clients to verify that the packages they are downloading haven't been tampered with by bad actors.

5. PHP-TUF Composer Integration Plugin: The Drupal Association sponsored the development of an extension to Composer that verifies each module, theme and profile downloaded from drupal.org.

6. Rugged TUF Server: The Drupal Association also sponsored the development and security audit of the Rugged TUF Server. Its architecture was designed to keep the signing keys used in generating TUF metadata isolated and secure, while keeping up with the needs of the drupal.org packaging pipeline.

Learning Objectives
- A basic overall understanding of supply chain security
- A better understanding of Composer's features and behaviors affecting supply chain security
- Learn best-practices for securing Drupal sites against supply chain attacks
- Learn how the Drupal Association has been building solutions that will protect the entire Drupal community from supply chain attacks