I don't think people are quite grasping the issue with software supply chain attacks.
-
I don't think people are quite grasping the issue with software supply chain attacks. It's not just a case of compromised built software; it's also the build time. One popular package being compromised means every other package that depends on it is also now potentially compromised or soon to be. And the targets can often move across other repos in the same org or account.
Basically a slow-moving worm today is rapidly accelerating to collapse. Kessler syndrome of software packages.
-
Even if your CI/CD is version-pinned/locked to not get owned, did any of your developers pull down the new version while trying to fix an unrelated dependency issue?
What about third-party software that vendors in packages?
-
(btw, most vulnerability scanning software isn't magic; it requires lock files, dpkg files, or other data to work out what's installed. If you are using cut-down builds, distroless and whatnot, most of these tools will not work and you cannot truly rely on them)
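An added example (not from this thread) of the check the question above implies: compare what a pip-style lockfile says is pinned against what is actually installed, so a developer environment that drifted (a newer version pulled down, an extra package nobody pinned) is visible even when CI itself is locked. It assumes `name==version` lines in the lockfile; the sample lockfile and installed set are constructed, and the real-environment path uses `importlib.metadata`.

```python
"""Lockfile drift check: does what is installed match what the lockfile
(and therefore any lockfile-driven scanner) believes is installed?"""
import re
from importlib import metadata

# Matches pip-style pins such as "Pillow==10.0.0", "requests[socks]==2.31.0",
# stopping before environment markers (;), hash continuations (\) or spaces.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")


def normalize(name: str) -> str:
    # PEP 503 name normalization so "Foo_Bar" and "foo-bar" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock(text: str) -> dict:
    """Return {normalized_name: pinned_version} from pip-style lock text."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip --hash / -r option lines
            continue
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def installed_packages() -> dict:
    """What is really installed in the current interpreter."""
    return {normalize(d.metadata.get("Name") or ""): d.version
            for d in metadata.distributions()}


def find_drift(lock: dict, installed: dict) -> dict:
    """Three kinds of drift a scanner that only reads the lockfile cannot see."""
    drift = {"missing": [], "mismatch": [], "unpinned": []}
    for name, pinned in lock.items():
        if name not in installed:
            drift["missing"].append(name)
        elif installed[name] != pinned:
            drift["mismatch"].append((name, pinned, installed[name]))
    drift["unpinned"] = sorted(n for n in installed if n not in lock)
    return drift


# Constructed sample data (not from any real project).
SAMPLE_LOCK = """# constructed lockfile
requests==2.31.0 \\
    --hash=sha256:0000  # constructed placeholder hash
Pillow==10.0.0
urllib3==2.0.4 ; python_version >= "3.8"
"""
SAMPLE_INSTALLED = {"requests": "2.32.0", "pillow": "10.0.0", "left-pad": "1.0.0"}

if __name__ == "__main__":
    print(find_drift(parse_lock(SAMPLE_LOCK), SAMPLE_INSTALLED))
    print(find_drift(parse_lock(SAMPLE_LOCK), installed_packages()))
```

Run it with the real lockfile of a project in a developer's virtualenv; any non-empty `mismatch` or `unpinned` entry is something the CI pin did not protect.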
-
pros: vendor responsibility
cons: vendor responsibility