Supply-chain security, and vulnerable or compromised dependencies in particular, is an increasingly important issue for trustworthy software.
TLS Inspector already takes several steps to shield itself from these kinds of threats; let's go through them in this post.
First, and most importantly, we leverage hardware-based secrets as much as we can.
The distribution code-signing certificate for the app is hardware-backed: its private key lives on a YubiKey rather than in a file on disk, so it cannot be copied off a compromised workstation. The Apple ID used to manage the app is protected by a separate YubiKey as phishing-resistant MFA.
Together, these two measures make it very difficult for an attacker to sign and publish a tampered version of the app: stolen files or stolen credentials alone are not enough.
Second is dependencies. TLS Inspector has two third-party dependencies, OpenSSL and curl.
Both are pinned to specific git commits and built reproducibly, which reduces the risk of malicious code trickling into the app: a commit hash cannot be silently repointed the way a tag or branch can, and a reproducible build lets anyone confirm that the shipped binaries correspond to the pinned source.
We also monitor the security posture of both dependencies closely and update on a per-vulnerability basis as needed.
Third, we aim to be careful and conservative in our use of GitHub Actions. GHA is a common infection vector for malware in open-source projects: a workflow runs third-party code with access to the repository and often its secrets, so a compromised action or an over-privileged token can hand an attacker the release pipeline. We build and review workflows carefully to reduce that risk, and in some situations we elect not to use GHA at all if we feel it introduces too much risk.
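To make the dependency-pinning and GitHub Actions points above concrete, here is an added example, not TLS Inspector's own workflow: the same build job written twice, first with the habits that turn GHA into an infection vector, then hardened. The repository URLs are the real OpenSSL and curl repositories, but the commit SHAs are placeholders (marked as such) that stand in for commits you have actually reviewed, and `build-deps.sh` and `SHA256SUMS.expected` are hypothetical names for a deterministic build script and a checked-in hash list.

```yaml
# Added example, not TLS Inspector's actual workflow. Two YAML documents in one
# file: the first carries the habits that make GitHub Actions an infection
# vector, the second is the hardened equivalent of the same job.
# Every 40-zero SHA below is a placeholder; substitute the commit you reviewed.

# --- Weak: what a typical copy-pasted workflow looks like ---
name: build-deps-weak
on:
  pull_request_target:          # runs with the base repo's secrets on code from a fork
jobs:
  build:
    runs-on: ubuntu-latest      # no permissions block: token may be read/write depending on repo settings
    steps:
      - uses: actions/checkout@v4   # mutable tag: whoever can move the tag controls this step
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out untrusted PR code with secrets available
      - run: git clone --depth 1 https://github.com/openssl/openssl.git deps/openssl   # "latest", not pinned
      - run: ./build-deps.sh    # hypothetical build script
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}   # secret handed to a step that runs PR-controlled code

---
# --- Hardened: same job, least privilege and pinned inputs ---
name: build-deps
on:
  pull_request:                 # fork PRs get a read-only token and no secrets
  push:
    branches: [main]
permissions:
  contents: read                # least privilege for GITHUB_TOKEN; widen per job only where needed
env:
  OPENSSL_COMMIT: 0000000000000000000000000000000000000000   # placeholder: reviewed OpenSSL commit
  CURL_COMMIT:    0000000000000000000000000000000000000000   # placeholder: reviewed curl commit
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA; the comment records the version for humans.
      - uses: actions/checkout@0000000000000000000000000000000000000000   # placeholder for a reviewed SHA (vX.Y.Z)
      - name: Fetch OpenSSL at the pinned commit
        run: |
          git clone https://github.com/openssl/openssl.git deps/openssl
          git -C deps/openssl checkout --detach "$OPENSSL_COMMIT"
          # Fail closed if HEAD is not exactly the pinned commit (a moved tag could never satisfy this).
          [ "$(git -C deps/openssl rev-parse HEAD)" = "$OPENSSL_COMMIT" ] || exit 1
      - name: Fetch curl at the pinned commit
        run: |
          git clone https://github.com/curl/curl.git deps/curl
          git -C deps/curl checkout --detach "$CURL_COMMIT"
          [ "$(git -C deps/curl rev-parse HEAD)" = "$CURL_COMMIT" ] || exit 1
      - name: Build and record artifact hashes
        run: |
          ./build-deps.sh          # hypothetical deterministic build; no secrets are passed to it
          sha256sum build/*.a | tee build/SHA256SUMS
      - name: Verify reproducibility against the committed hashes
        # SHA256SUMS.expected is a hypothetical file committed after a reviewed local build;
        # a mismatch means either the build is not reproducible or the inputs changed.
        run: sha256sum --check --strict SHA256SUMS.expected
```

The hardened version gives an attacker who compromises an upstream action, a dependency tag, or a fork PR nothing to work with: actions and dependencies resolve only to the reviewed commits, the token is read-only, and no signing secret is present in the job at all, so signing stays on the hardware-backed key outside CI.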
We've seen these kinds of threats accelerate at an alarming pace: popular software is being used, unknowingly, to distribute malware through compromised dependencies or automation.
Unfortunately there is no quick or easy fix, but every layer of protection makes an attack harder. That matters to us, and we hope it matters to you as well.
