Conference: Black Hat Asia 2023
Authors: Yakir Kadkoda, Ilay Goldman
2023-05-12

Our talk divides the cloud development flow into five phases: IDE, SCM, package managers, CI/CD and artifacts. We will demonstrate how supply chain attacks can affect organizations at each phase. This includes the risks of cloud, platforms, and application development, as well as the attacker's perspective on how to exploit these areas. We will unveil vulnerabilities and flaws in popular platforms corresponding to each of these areas. We will also talk about the ecosystem and how developers work with these platforms. Finally, we will present our original research, including vulnerabilities and flaws in various platforms, and discuss each finding together with its implications and mitigations.
Authors: Vandana Verma, Steve Coochin
2021-09-25

tldr - powered by Generative AI

The presentation discusses the importance of secure development environments in the face of supply chain security incidents and vulnerabilities in open source code and containers.
  • Open source code makes up a significant portion of an organization's codebase, and new packages are constantly being developed, leading to vulnerabilities and breaches.
  • Containerization is important for keeping code and infrastructure clean, but vulnerabilities can still surface in containers.
  • Developers' integrated development environments, such as Visual Studio Code, are also vulnerable to attacks.
  • Secure development environments are crucial for protecting end users and require a shift left approach to security.
  • The presentation includes a demonstration of a vulnerability in the Instant Markdown plugin for Visual Studio Code.