The presentation discusses the importance of software supply chain attacks and the need for organizations to focus on basic hygiene factors to prevent attacks. It also highlights the need for organizations to have a complete and accurate record of all software on their computing devices and to challenge enterprise software vendors to attest to their investment in supply chain risk.
- Most incidents that cause harm to businesses and organizations are due to poor software hygiene factors such as not keeping software up-to-date, poor configuration management, and poor credential management.
- Software supply chain attacks are just another means of initial compromise and the same foundational principles for attack surface reduction, detection, containment, and response still apply.
- Organizations should focus on ensuring they have a complete, timely, and accurate record of all software on their computing devices to drive stronger governance over what is deployed and installed on their endpoints.
- Enterprise software vendors should be challenged to attest to their investment in supply chain risk.
- Startups relying on open source models and data for machine learning-driven startups are at risk of having their datasets poisoned.
- Publicly available datasets used to train machine learning models can be corrupted through adversarial attacks.
- The future of software supply chain attacks is a concern, and organizations should focus on basic hygiene factors and have a complete and accurate record of all software on their computing devices.
The speaker notes that most organizations are completely blind to the browser extensions that are installed on their computing devices, let alone exercise control over which ones are used. Google is doing good work on extension security in the webstore and will require two-factor authentication for developer accounts starting next year to prevent account takeovers. The speaker also suggests incorporating supply chain attacks into tabletop exercises to assess an organization's security.