You secured your code dependencies, is that enough?

A presentation at OWASP London in London, UK by Anant Shrivastava

Question: Have you heard about

Why?

Supply Chain issues are age-old trust issues

…and it's not going anywhere anytime soon…

Effect across the globe in Govt: Japan, US, EU, India, UK

Why now?

Work done by Dependabot in the last ~5 months

What is a Software Bill of Materials

SCA: Source Composition Analysis Tools

Question: Raise your hands if

Software Supply Chains beyond the Code chain

What other chains?

A set of chains that existed 5 months back

A chain that exists now (besides the previous)

Simplified Supply Chain view

Why do they matter

Developer Machine: Why lucrative

Show me data, don't just imagine

Case studies: WYS is not WYG

Chrome Browser

What can a browser extension do

Cookie Monster

Visual Studio Code

Visual Studio Marketplaces

Homebrew

Unexpected places for code execution

Notepad++

Notepad++ Impersonation

Cursor oh Cursor

Rulefiles

C.I. / C.D. Systems

DEFENDING CI CD

TeamCity exploitation

Container Images

Dependency Caching Servers

Bait and Switch

Rogue Maintainers

So, what's the plan?

Next Steps

Chrome Extension Auditing

Endpoint Visibility

GitHub and GitHub Actions

Consumer: Vetting Process needed (Vet)

Consumer: Vetting Process needed (Overlay)

Cloud Auditing

Broad Visualization of the Software Supply Chain

Supply-chain Levels for Software Artifacts

OWASP SCVS ~ SSDF

Open Software Supply Chain Attack Reference

Can of worms that I have not touched

Thanks for listening & open to Questions?

Supply chain security has been a buzzword for the past 2-3 years. The dust is slowly settling and we are now in the phase where people need to evaluate what is going right and what is going wrong. A large number of organizations introduced SCA tooling and SBOM creation tooling and called it a day. Has that helped? What has been going on in the world of supply chain security?

In this talk we will explore supply chain security not just from a code-base dependency perspective but through a holistic approach to establishing the right controls in the system for seamless software delivery. Software supply chain security concerns not just the product organizations creating software for external or internal usage but also organizations that may only be using the final product as an end user.

From your development environment to production, from downloading binaries from the internet to running them on networked machines, we will explore the 360-degree view of supply chain security, the relevant case studies around exploitation, and what industry and government bodies have done towards protecting people and organizations against such attacks.

The audience will leave with a holistic view of what the full supply chain of software development looks like and thoughts on the possible security gaps they might have in their own organizations.
