Archives
Finding Evil Go Packages
Because of the big SolarWinds hack and the recent blog post describing a new Dependency Confusion attack, there has been a lot of talk lately about supply chain attacks, the sneaky technique of compromising less secure elements in a supply chain to compromise more secure targets.
A popular target for supply chain attacks has always been the many package management systems for popular programming languages, such as NPM for JavaScript, Rubygems for Ruby, and PyPI for Python. These systems have been plagued for years by attackers uploading malicious packages and waiting for victims to install them.
AQUATONE: Now in Go
I’m continuing my quest to move my open source tools from Ruby to Go. Earlier this year, I released the Go rewrite of Gitrob and now I’m happy to announce the release of a new and streamlined version of Aquatone!
What’s Changed
Quite a lot has changed in the new version. The two major themes of the rewrite are simplification and ease of use:
Draw.io for threat modeling
I’ve spent a good amount of time lately trying to find a good tool for threat model diagramming. I defined a couple of requirements and started assessing what was out there:
- Support for Data Flow Diagrams (DFD) and Attack Trees: I believe these are essential for threat modeling. Sequence Diagrams are a plus too.
- Enjoyable and easy to use: It must be easy to create diagrams, with no weird bugs that make it clunky or cumbersome to work with. This is important, not only for my own sanity, but also for getting developers to adopt the practice. If you don’t provide them with a good tool, they probably won’t do it.
- Free and cross-platform: It must be free and work on Windows, Mac and Linux. If the tool only works on Windows or you have to juggle licenses, it makes it much harder to introduce threat modeling in an organization.
- Not web or “Cloud” based: It should feel like a proper desktop application and storage should be good old local files. Cloud (a.k.a. someone else’s computer) can be nice, but not for threat modeling. File based storage also makes it easy to check the diagrams into version control and make it live next to the code.
I checked out quite a lot of different tools but none of them fulfilled the requirements. Many didn’t have elements for DFDs and Attack Trees, Microsoft Threat Modeling Tool only runs on Windows, Threat Modeler is web based, Threat Dragon felt awkward to work with, and Dia is old, clunky and buggy.
Gitrob: Now in Go
I’m happy to announce that a new version of Gitrob has been released. This time it’s a complete rewrite from Ruby to the amazing Go programming language!
The old Ruby version of Gitrob got messy and was neglected by me because I got tired of the code. I decided it was time for a rethink and rewrite of the project. As I had been planning to pick up Go as my next programming language I thought it would be interesting to make a lean and mean Go implementation. This turned out to be a pretty amazing decision!