Murphy security officially released the open source project murphysec, focusing on software supply chain security governance

Time: 2022-06-19

Two questions first

  • Does your company test every bottle of water it buys from the supermarket before drinking it? Do you worry about someone poisoning it?
  • Your company's programmers clone an open source project or component from GitHub and introduce it into production code. Do you worry about security vulnerabilities in it? Do you worry about the software itself being poisoned?

Open source technology has become the core driving force of a new round of industrial digital transformation

“Welcome the digital age, activate the potential of data elements, promote the construction of a network power, accelerate the construction of a digital economy, a digital society and a digital government, and drive the transformation of production, lifestyle and governance with digital transformation as a whole.”

This is from the fifth part of the national "14th Five-Year Plan", on accelerating digital development and building a digital China. Software is a basic building block of digitalization. As the digital transformation deepens, enterprises and social organizations rely on ever more software from their supply chain. Both open source software and closed source commercial software are being introduced in large quantities, and every piece of supply chain software introduced brings additional potential security threats into the enterprise.

Open source software is widely adopted by enterprises

According to statistics, the number of open source projects in 2020 nearly tripled compared with 2015. More than 88% of enterprises in China use open source technology. The proportion of open source code in software code bases rose from less than 40% in 2015 to more than 70% in 2019, greatly improving development efficiency and accelerating the pace of innovation.

Software supply chain attacks have become a major threat to countries and enterprises

With the spread of open source technology, the complexity of the international situation, the diversification of the software supply chain and the sharp rise of attacks on every link of that chain, software supply chain risk has become the main security threat to enterprises and organizations. At present the whole process of producing, distributing and consuming open source software lacks effective risk management and ecosystem governance, which is why major software supply chain incidents have occurred so frequently worldwide in recent years and why they bring so much uncertainty to the stable development of enterprises.

  • In December 2020, a backdoor in SolarWinds' software update package led to the compromise of its customers. The incident affected thousands of organizations, including U.S. federal agencies such as the Department of Energy.
  • In February 2021, a researcher used "dependency confusion" (registering public packages under the names of companies' internal components so that build tools fetched the attacker's version) to reach the internal systems of 35 major companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber.
  • In December 2021, the Log4j2 vulnerability broke out. Murphy Security Lab analysed the first- through fourth-level dependents of Log4j2 and found that more than 173,104 components were affected.
  • In March 2022, Murphy Security Lab issued global early warnings on two consecutive days for the Spark and Hadoop RCE vulnerabilities and the Spring Cloud expression injection vulnerability; shortly afterwards Ant Security researchers discovered the Spring Framework remote command execution vulnerability.

These are only the incidents and vulnerabilities with the greatest impact. Beyond them, dozens to hundreds of new vulnerabilities in common components are disclosed every day, each a potential threat to the supply chain software that enterprises depend on. What we see behind this is a security threat with the same infectivity, lethality and capacity to mutate as the novel coronavirus. The only difference is that the virus affects the human body, while these vulnerabilities and defects affect every digitally connected enterprise in the world.

About us and Murphy Security

The founding team members of Murphy Security all come from the enterprise security teams of Baidu, Huawei and Beike. For the past decade we have been building enterprise security. Whichever company we were at, each of us has been through too many late-night "security incident responses" and "vulnerability analyses", and of course we have often argued with our R&D colleagues over fixing a vulnerability. Over those ten years, more than 3,000 days and nights, we have dealt with code and vulnerabilities almost every day. We hope that the software every engineer produces can be as safe and healthy as the mineral water we drink today, where nobody has to run a "safety assessment" on every bottle they buy.

Can the software supply chain be as safe and secure as the traditional supply chain that produces mineral water?

Let every developer use open source code more safely, and let every enterprise manage its software supply chain securely: that was our original idea. In its early days (around May 2020, when the open source project was started), Murphy Security went by another name, gokusec. We later found that the name appeared to be in use by other companies, so we renamed ourselves Murphy Security. The question we kept asking ourselves throughout was: how can effective security governance be established for the software supply chain ecosystem, and what can we contribute?

Have you considered what the consequences would have been if no tool like nucleic acid testing had existed when COVID-19 broke out? We could not have found out in time who was infected, the people around them could not have taken timely and effective precautions, and the sick could not have received timely and effective treatment. Every prevention and control mechanism established today would be empty talk. Open source components are used very widely and have very complex dependency relationships, which gives vulnerabilities in open source software the same infectivity, lethality and capacity to mutate as the virus. If we want to effectively control the "COVID-19" of the software supply chain today, the first thing we lack seems to be a nucleic acid test for detecting vulnerabilities and defects in open source software, one with good accuracy, ease of use and low cost. This is the core idea of murphysec, the open source project launched by Murphy Security: an easy-to-use, professional and efficient code security detection tool for every software developer. Of course, it would be even better if it also worked as a cure.

About murphysec

murphysec is an open source software security detection tool developed by Murphy Security. It is committed to letting every developer use open source code more safely.

Product features: easy to use, professional and innovative

That's all for now. First, the links (issues, PRs and stars are welcome):

  • Open source address: https://github.com/murphysecurity/murphysec
  • Product official website: https://www.murphysec.com/

Core functions

1. Examination: accurately identify the open source components that the software depends on, both directly and indirectly
2. Diagnosis: accurately identify the security vulnerabilities and license compliance risks of those open source components
3. Treatment: give developers a simple and efficient one-click defect repair capability

Supported languages:
Java, JavaScript, Go and Python projects are currently supported; other development languages will be added gradually.

Detection principle

  1. For projects using different languages and package management tools, the tool obtains accurate dependency information either by building the project or by directly parsing the package manager's manifest and lock files
  2. The dependency information is uploaded to the server, where dependencies with security defects are identified against the vulnerability knowledge base continuously maintained by Murphy Security

    Note: the tool only sends the dependency list and basic information about the scanned project to the Murphy Security server in order to identify defective dependencies; it does not upload any local source code.
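The two steps above (recover the dependency list from the package manager's files, then match each component against a vulnerability knowledge base that records affected version ranges and the minimum fixed version) can be shown end to end on a small constructed input. The following is an added example, not murphysec's own code, knowledge base or output format: the npm lock file, the advisory records and the version ranges are all invented for the illustration, and a real knowledge base would hold CVE identifiers and many more ranges. It also shows how nested node_modules paths distinguish direct from indirect dependencies, which is what lets a scanner report the second-level dependency a developer never added by hand.

```python
"""Illustrates the two-step detection principle (collect dependencies from
the lock file, then match against a vulnerability knowledge base) on
constructed data. Added example; not murphysec's code or data."""
import json
import re
from dataclasses import dataclass

# Constructed npm package-lock.json (lockfileVersion 2). A nested
# node_modules path marks an indirect (transitive) dependency.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.1.0"}},
        "node_modules/web-framework": {"version": "2.1.3"},
        "node_modules/web-framework/node_modules/deep-merge": {"version": "1.4.0"},
        "node_modules/json-tools": {"version": "3.0.1"},
    },
})

# Constructed advisory records: a component is affected in the half-open
# range [introduced, fixed). The ids, names and ranges are invented.
ADVISORIES = [
    {"id": "DEMO-2022-0001", "name": "deep-merge", "ecosystem": "npm",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "DEMO-2022-0002", "name": "web-framework", "ecosystem": "npm",
     "introduced": "2.0.0", "fixed": "2.1.0", "severity": "critical"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    depth: int  # 1 = direct dependency, >1 = transitive


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    min_fixed_version: str


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a comparable integer tuple ('1.4' == '1.4.0').
    Pre-release suffixes are dropped, which is sufficient for this demo."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", v)
    nums = [int(x) for x in m.group(0).split(".")] if m else [0]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_package_lock(text: str) -> list:
    """Step 1 (examination): recover every installed component and its depth."""
    data = json.loads(text)
    components = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # the "" entry is the root project itself
            continue
        depth = path.count("node_modules/")
        name = path.rsplit("node_modules/", 1)[1]
        components.append(Component(name, meta["version"], depth))
    return components


def match_advisories(components: list, advisories: list) -> list:
    """Step 2 (diagnosis): flag components whose version falls inside an
    affected range and carry the minimum fixed version into the finding."""
    findings = []
    for c in components:
        v = parse_version(c.version)
        for adv in advisories:
            if adv["name"] != c.name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append(Finding(c, adv["id"], adv["fixed"]))
    return findings


def scan(lock_text: str, advisories: list = ADVISORIES) -> list:
    return match_advisories(parse_package_lock(lock_text), advisories)


if __name__ == "__main__":
    for f in scan(LOCKFILE):
        kind = "direct" if f.component.depth == 1 else "indirect"
        print(f"{f.advisory_id}: {f.component.name}@{f.component.version} "
              f"({kind}) -> upgrade to >= {f.min_fixed_version}")
```

On this input the only finding is deep-merge 1.4.0, an indirect dependency pulled in by web-framework; web-framework 2.1.3 itself is already past the fixed version of its advisory and is not reported. Note that, as described above for murphysec, only the (name, version) list leaves the machine in the real tool; no source code is needed for the match.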

Install

Download the latest version of the Murphy Security CLI from the GitHub releases page, or run one of the commands below. Note that piping a remote script straight into a shell executes it unreviewed; on a machine you care about, download the installer first and read it, or use the release binary.
Installing on Linux

wget -q https://s.murphysec.com/install.sh -O - | /bin/bash

Installing on OSX

curl -fsSL https://s.murphysec.com/install.sh | /bin/bash

Install on Windows

powershell -Command "iwr -useb https://s.murphysec.com/install.ps1 | iex"

Use

  • Run murphysec scan [your project path] to start a scan


View results

  • Add the --json parameter to the scan command to output the results in JSON format
  • You can also view the detailed results directly on the Murphy Security platform

    • View dependency information
    • View the detection results (with handling recommendations, the minimum fixed version of each defective component and detailed vulnerability information)

IDE detection plug-in

An IDE plug-in built on Murphy Security's open source detection tool helps developers find security problems in their code's dependencies from inside the IDE: it identifies which open source components with security defects are in use and lets developers resolve them quickly through precise repair recommendations and a one-click fix.

Official plug-in address: https://plugins.jetbrains.com/plugin/18274-murphysec-code-scan

Supported functions

  • Vulnerability detection: detects defective components introduced in Java (Maven), JavaScript (npm) and Go code
  • One-click repair: gives a clear repair plan and applies it with one click
  • Real-time detection: when a change in code dependencies introduces a security problem, the plug-in prompts you to handle it promptly

Install

  • Search for "murphysec" in the IDE plug-in marketplace to view the details and install it

Use

  • Select "click to start scanning" to detect which components with security defects exist in the code
  • Click a component in the results to view the basic information about the defective component
  • Click "one-click repair" on the right to upgrade the component directly to its "minimum fixed version"

    See the documentation for detailed instructions

More usage scenarios

1. GitLab code base detection tool

Built on the Murphy Security open source detection tool, it helps you quickly scan every project on your enterprise GitLab

Tool address: https://github.com/murphysecurity/murphysec-gitlab-scanner

Functions
  • Automatically pulls the code from GitLab for scanning
  • Supports incremental scanning (based on GitLab webhooks)

    Use
  • Pull the latest code of the tool
  • Run python3 scan_all.py -A [your gitlab address] -T [your gitlab token] -t [your murphysec token]

    Parameters
  • -A: your GitLab service address
  • -T: your GitLab personal access token
  • -t: your Murphy Security account access token

2. Jenkins integration

The Murphy Security open source detection tool can be integrated into Jenkins to improve the security quality of the code that goes live
Integration steps

1. Install the Murphy Security open source detection tool

Install the latest version of the tool on the Jenkins agent machine: download it from the GitHub releases page, or run the following command (the same caveat about piping a remote script into a shell applies):

wget -q https://s.murphysec.com/install.sh -O - | /bin/bash
2. Set Jenkins global credentials

Add the Murphy Security access token to the Jenkins global credentials, so the pipeline reads it from the credential store instead of hardcoding it in the Jenkinsfile

3. Modify the Jenkinsfile

To add the tool to the pipeline, add a stage to the Jenkinsfile. An example is shown below. The original snippet used agent none at the top level without an agent on the stage, which leaves the sh step with no workspace to run in, so the stage declares an agent here:

pipeline {
    // 'agent any' gives the stage a workspace; with 'agent none' at the top
    // level, each stage that runs sh must declare its own agent.
    agent any
    stages {
        stage('MurphySec Scan') {
            environment {
                // 'murphysec-token-key' is the id given to the credential in step 2;
                // Jenkins exposes it to the step as $API_TOKEN and masks it in logs.
                API_TOKEN = credentials('murphysec-token-key')
            }
            steps {
                sh 'murphysec scan . --log-level debug'
            }
        }
    }
}
