Software supply chain attacks are not a new attack vector - but one that we've seen increasing use of as many prominent organizations have created sophisticated security practices internally. When this happens, attackers look for other weaknesses - and more often than not, those weak points are often in the supply chains those organizations use.
On this page, I want to collect articles and details about recent and novel supply chain style attacks, all of which help inform a talk on supply chain security that I'm constantly revising.
The supply chain is much broader than many give it credit for. When I say "software supply chain," what's the first thing that comes to mind? Often that would the direct dependencies of the code itself - open source dependencies brought into the code. And while open-source dependencies are an essential part of the software supply chain, they are far from the only point to consider when thinking about supply chain security.
Other parts of your supply chain include the code you write, any 3rd party libraries you're using (not just the open sources ones), the dependencies you inherit by proxy (the dependencies of your dependencies), your DevOps tools and processers. Any tools and plugins those tools use, any vendor code, and any dependencies that those vendors have.
Below are some supply chain attacks I've done some amount of research on in the past. You can also find a complete open list of supply chain attacks and breaches on the CNCF TAG Security repo.
Attacking the DevOps environment - in this case the CI/CD systems which are very poorly secured - allows attackers to inject and sign malicious software.
Ding ding ding. The CI/CD box is always:
โ Corey Quinn (@QuinnyPig) January 6, 2021
* Manually configured
* Able to touch production
* Accessed by a whole mess of people
* Scary to patch
More on this after the insurrection. https://t.co/YRjPx1WMqH
Hacking Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber with open source dependancy man-in-the-middle style attacks.
Inserting backdoors into 78% of the internet by attacking the source code management system.