Sponsored Session: Software Supply Chain Threat Landscapes: A Moving Target

2022-06-21

Authors: Brian Fox


Summary

The presentation discusses the evolving threat landscape in software supply chains and the need for developer-first security tools.
  • Organized attackers are exploiting weaknesses in open source ecosystems, frequently by making their malware look like legitimate packages.
  • Security and development teams need to understand the cascading impacts of these attacks and how quickly the landscape changes.
  • Open source supply chains touch every stage of the software development process.
  • The attacks target developers and the development infrastructure itself rather than production systems.
  • Development infrastructure can be a significant path into the rest of the organization.
  • The presentation emphasizes putting developer-first security tools in the hands of developers to address this evolving threat landscape.
The speaker shares an anecdote about a white hat who released a proof of concept called the dependency confusion attack. The attack exploited the lack of control over where developers' builds were fetching dependencies from: the researcher published a package with the same name as an internal project (call it foo) to a public repository with a very high version number, and build systems that consulted both private and public repositories fetched the public version because it was the highest. The speaker was worried that attackers would take advantage of this weakness, and within the first 72 hours there were 300 copycats looking for bug bounties. Within a week, the number of suspicious packages had increased significantly.
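The mis-resolution described above, as an added example that is not part of the talk or of any real package manager: a toy resolver that pools candidates from a private and a public index and takes the highest version (the weak behaviour), beside a hardened policy that pins internal names to the internal index and a check that audits a resolved set for internal names served from the public index. The index contents, package names and the INTERNAL_PACKAGES allow-list are constructed sample data.

```python
"""Added example (not from the talk): dependency confusion in a toy resolver.

Shows why "highest version across all indexes" lets a public squatter win,
and two mitigations: per-name index pinning and a post-resolution audit.
All index contents below are constructed, not real registry state.
"""

# Constructed sample indexes: package name -> available versions.
INTERNAL_INDEX = {
    "foo": ["1.2.0", "1.3.0"],   # private project
    "bar": ["0.4.1"],            # private project
}
PUBLIC_INDEX = {
    "foo": ["99.0.0"],           # squatted copy of the internal name, huge version
    "requests": ["2.31.0"],      # genuine public dependency
}

# Hypothetical allow-list of names the organisation owns. Whether such a list
# exists is an assumption of this example; the talk does not describe one.
INTERNAL_PACKAGES = {"foo", "bar"}


def parse_version(v: str) -> tuple:
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def resolve_naive(name: str):
    """Weak policy: pool candidates from every configured index and pick the
    highest version regardless of which index served it. Returns (version, source)."""
    candidates = []
    for source, index in (("internal", INTERNAL_INDEX), ("public", PUBLIC_INDEX)):
        for v in index.get(name, []):
            candidates.append((parse_version(v), v, source))
    if not candidates:
        raise LookupError(f"{name} not found on any index")
    _, version, source = max(candidates)   # 99.0.0 from "public" wins for foo
    return version, source


def resolve_hardened(name: str):
    """Hardened policy: a name known to be internal is resolved only from the
    internal index; anything else only from the public index. A miss is an
    error, never a fall-through to the other index. Returns (version, source)."""
    if name in INTERNAL_PACKAGES:
        index, source = INTERNAL_INDEX, "internal"
    else:
        index, source = PUBLIC_INDEX, "public"
    versions = index.get(name)
    if not versions:
        raise LookupError(f"{name} not found on the {source} index")
    return max(versions, key=parse_version), source


def find_name_collisions():
    """Detection: internal names that also exist on the public index. Each one is
    a confusion candidate whether or not a build has resolved it wrongly yet."""
    return sorted(n for n in INTERNAL_PACKAGES if n in PUBLIC_INDEX)


def audit_resolution(resolved: dict):
    """Audit a resolved set {name: (version, source)} and return the internal
    names that were served from somewhere other than the internal index."""
    return sorted(
        name for name, (_, source) in resolved.items()
        if name in INTERNAL_PACKAGES and source != "internal"
    )


if __name__ == "__main__":
    wanted = ["foo", "bar", "requests"]
    naive = {n: resolve_naive(n) for n in wanted}
    hardened = {n: resolve_hardened(n) for n in wanted}
    print("naive    :", naive)
    print("hardened :", hardened)
    print("collisions:", find_name_collisions())
    print("bad picks :", audit_resolution(naive))
```

The hardened resolver is the policy equivalent of "never let a public index answer for a name you own"; the audit and collision checks are the detections to run in CI against a lockfile, since a name collision is the precondition the copycats in the anecdote were racing to exploit.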

Abstract

There are growing numbers of organized attackers whose sole focus is exploiting vulnerabilities in open source ecosystems, frequently by making their malware appear legitimate. Security and development teams need to understand the cascading impacts and changing landscapes of these exploitations, and put developer-first security tools in the hands of developers everywhere.
