Broken Links: Emergence and Future of Software-Supply Chain Compromises

Conference: BlackHat EU 2018

2018-12-06

Summary

The presentation discusses the significance of software supply chain attacks and the need for organizations to focus on basic hygiene factors to prevent them. It also highlights the need for organizations to maintain a complete and accurate record of all software on their computing devices and to challenge enterprise software vendors to attest to their investment in managing supply chain risk.
  • Most incidents that cause harm to businesses and organizations are due to poor software hygiene factors such as not keeping software up-to-date, poor configuration management, and poor credential management.
  • Software supply chain attacks are just another means of initial compromise and the same foundational principles for attack surface reduction, detection, containment, and response still apply.
  • Organizations should focus on ensuring they have a complete, timely, and accurate record of all software on their computing devices to drive stronger governance over what is deployed and installed on their endpoints.
  • Enterprise software vendors should be challenged to attest to their investment in supply chain risk.
  • Machine learning-driven startups that rely on open source models and public data are at risk of having their datasets poisoned.
  • Publicly available datasets used to train machine learning models can be corrupted through adversarial attacks.
  • The future of software supply chain attacks is a concern, and organizations should focus on basic hygiene factors and have a complete and accurate record of all software on their computing devices.

The speaker notes that most organizations are completely blind to the browser extensions that are installed on their computing devices, let alone exercise control over which ones are used. Google is doing good work on extension security in the webstore and will require two-factor authentication for developer accounts starting next year to prevent account takeovers. The speaker also suggests incorporating supply chain attacks into tabletop exercises to assess an organization's security.
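As an added illustration of the "complete record of all software" point and the browser-extension blind spot (this is example code, not material from the talk), the following Python script builds an inventory of the extensions in a Chromium-style profile from their manifest.json files and flags those with host access to every site. The profile layout `Extensions/<id>/<version>/manifest.json`, the two sample extensions, and the set of patterns treated as broad host access are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that grant reach over every site (assumed policy threshold).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def summarize_manifest(ext_id, manifest):
    """Reduce one manifest.json (MV2 or MV3) to a flat inventory record."""
    perms = list(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    perms = [p for p in perms if p not in hosts]
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),  # may be a __MSG_*__ locale key
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "permissions": sorted(perms),
        "host_permissions": sorted(set(hosts)),
        "broad_host_access": any(h in BROAD_HOSTS for h in hosts),
    }


def inventory_extensions(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarize each."""
    root = Path(profile_dir) / "Extensions"
    records = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            records.append(summarize_manifest(ext_id, json.load(fh)))
    return records


# Constructed sample profile with two made-up extensions (ids and names invented).
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2.0": {"name": "Tab Helper (constructed)", "version": "1.2.0",
        "manifest_version": 3, "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/0.9": {"name": "Notes (constructed)", "version": "0.9",
        "manifest_version": 2, "permissions": ["storage", "https://notes.example/*"]},
}


def build_sample_profile():
    """Write the constructed manifests into a temporary profile directory."""
    tmp = tempfile.mkdtemp()
    for rel, manifest in SAMPLE_MANIFESTS.items():
        path = Path(tmp) / "Extensions" / rel / "manifest.json"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return tmp


if __name__ == "__main__":
    for rec in inventory_extensions(build_sample_profile()):
        flag = "  <-- broad host access" if rec["broad_host_access"] else ""
        print(f'{rec["id"][:8]} {rec["name"]} {rec["version"]} perms={rec["permissions"]} '
              f'hosts={rec["host_permissions"]}{flag}')
```

Pointed at a real profile directory, the same function gives a per-endpoint extension record that can be compared against an approved list.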

Abstract

The last two years have been filled with high-profile enterprise security incidents that shared a common origin: breach of a trusted software provider. In truth, supply chain attacks have played a key role in numerous targeted and opportunistic attacks - many of which flew under the radar - for years. This presentation examines the emergence of software supply chain compromises, the factors incentivizing attackers to adopt this approach, and practical approaches to risk mitigation and defense that enterprises can take in response.
