Using Bard to Secure the Software Supply Chain

Hayden Smith • Mar 12, 2024

SBOMs, CTI, and I

Staying ahead of potential exploits and vulnerabilities within source code is vital for organizations to outpace many of the threats persisting in the threat environment today. Luckily, using some creativity and Bard, AKA Gemini, we were able to fuse cyber threat intelligence, SBOMs, and Google Drive to offer a transformative approach to integrating cyber threat intelligence into the software development lifecycle. Today we will make Bard our cybersecurity assistant, leveraging its capabilities to demonstrate how developers and security teams can proactively identify, understand, and mitigate potential vulnerabilities in their code.


There are several types of threat intelligence including:

  1. Strategic Intelligence: Provides high-level insights into the broader threat landscape, such as emerging cyber threats, geopolitical factors influencing cyber activity, and industry-specific risks.
  2. Tactical Intelligence: Focuses on specific threats and adversaries, including IoCs, malware analysis, and threat actor profiles. This type of intelligence helps organizations identify and respond to immediate threats effectively.
  3. Operational Intelligence: Offers real-time information about ongoing cyber threats, such as indicators of active attacks, compromised systems, and vulnerabilities in the organization's environment.





This experiment was simple. Take OSINT threat intelligence blogs and shove them in Google Drive. Take SBOMs and vulnerability scans and shove those in Google Drive too, dumped into txt files. This was pretty easy; for demo purposes, I only did 10-12 SBOMs that I knew had vulnerable packages.
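The SBOM-to-txt step described above, as an added example that is not code from the original post: it flattens an SBOM into one line per package and groups the lines into small text chunks suitable for separate txt files. It assumes the SBOM is CycloneDX JSON (the post does not name a format); the sample SBOM, the line layout, the 130-character chunk size, and the function names are all constructed for illustration.

```python
import json

# Constructed sample SBOM (CycloneDX-style JSON); package names are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "demo-app", "version": "0.3.0"}},
    "components": [
        {"name": "examplelib", "version": "1.2.0", "purl": "pkg:pypi/examplelib@1.2.0",
         "components": [  # nested dependency, easy to miss with a flat loop
             {"name": "nested-dep", "version": "0.9.1", "purl": "pkg:pypi/nested-dep@0.9.1"}]},
        {"name": "other-lib", "version": "4.0.0", "purl": "pkg:npm/other-lib@4.0.0"},
        {"name": "examplelib", "version": "1.2.0", "purl": "pkg:pypi/examplelib@1.2.0"},
        {"name": "no-version-lib"},  # incomplete entry: keep it visible, do not drop it
    ],
})

def walk_components(components):
    """Yield every component, including those nested under another component."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))

def sbom_to_lines(sbom_json):
    """Return one 'app | name version | purl' line per unique component."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    root = sbom.get("metadata", {}).get("component", {})
    app = f"{root.get('name', 'unknown-app')}@{root.get('version', '?')}"
    seen, lines = set(), []
    for comp in walk_components(sbom.get("components")):
        # Deduplicate on purl when present, otherwise on (name, version).
        key = comp.get("purl") or (comp.get("name"), comp.get("version"))
        if key not in seen:
            seen.add(key)
            version = comp.get("version", "UNKNOWN-VERSION")
            lines.append(f"{app} | {comp.get('name')} {version} | {comp.get('purl', 'no-purl')}")
    return lines

def chunk_lines(lines, max_chars=130):
    """Group whole lines into chunks; only a single oversized line can exceed max_chars."""
    chunks, current = [], ""
    for line in lines:
        if current and len(current) + 1 + len(line) > max_chars:
            chunks.append(current)
            current = ""
        current = f"{current}\n{line}" if current else line
    if current:
        chunks.append(current)
    return chunks
```

Each string returned by `chunk_lines(sbom_to_lines(SAMPLE_SBOM))` is the content of one text file; prefixing every line with the application name keeps a package traceable to its SBOM once the chunks sit side by side in a shared folder.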


Leave the rest to Bard.


Bard's ability to process vast amounts of cyber threat intelligence and contextualize it in relation to an organization's specific software environment is a game-changer. This is a great use of GenAI as it helps summarize and describe hundreds of pieces of threat intelligence contextualized as various blogs. Also, I hate reading. Bard doesn’t.


I thought of generating vulnerability scans, but that honestly would be a waste of time. Bard can tell me what is vulnerable. With access to a comprehensive database of known vulnerabilities, exploits, and threat actor tactics, Bard can analyze bits of SBOMs that I provide to detect packages that may be vulnerable to exploitation. If I baked this into a pipeline, it could easily enable teams to address issues before they can be exploited by malicious actors. Additionally, Bard can suggest relevant patches or remediation strategies, drawing from its extensive knowledge base to provide tailored remediations/recommendations. This was one of my favorite use cases. For example, even if you have 2 vulnerabilities you have to remediate, you are probably going to spend at least an hour familiarizing yourself with what the bug/vuln is, what the mitigation/patch is, why this is an issue in the first place, and what the proper next steps are. This saved me a lot of time that I would be using to power-click through scan results I received as an output from a scanner.


Moreover, Bard's utility extends beyond mere vulnerability detection. It can serve as a continuous learning tool for development and security teams, keeping them informed about the latest attack trends, IoCs, and other emerging threats. I really enjoyed asking Bard questions about different vulnerabilities tied to specific threats. Bard would return a wealth of knowledge on the APT group itself, whether the group has been seen exploiting that vulnerability/package in the wild, and any TTPs associated with that group. This was very impressive from a context perspective, and it also helped me go through hundreds of vulnerabilities that were flagged as “high” or “critical” but ended up not being actively exploited and had no exploit available. These were easily assembled into a POAM that I could store for a rainy day.


Bard represents a significant advancement in the intersection of AI, software development, and cybersecurity. Its ability to analyze parts of SBOMs in the context of the latest cyber threat intelligence offers a proactive approach to identifying and mitigating vulnerabilities. As the software attack surface evolves constantly at every stage of the SDLC, tools like Bard, and Generative AI in general, will become indispensable in the ongoing effort to build truly resilient software supply chains and to help developers understand the threats relevant to their code.

