Navigating the perils of software supply chain attacks

Tuesday 26 November, 2:25 pm - 3:05 pm

Speakers

Nirav Kamdar

Cybersecurity Solutions Architect Cloud and DevOps APAC
Qualys

Synopsis

Open-source software (OSS) is flourishing: at least 90% of companies use it, and even where it is not adopted directly, reports put 70% to 90% of a contemporary application "stack" down to pre-existing OSS. Modern applications are built on webs of open-source code, APIs and third-party integrations.

Attacks have grown more sophisticated and harder to detect: rather than targeting end users directly, attackers compromise weak links in existing software supply chains. Software supply chain (SSC) threats include tampering with updates (tainted updates), compromised third-party libraries and vulnerabilities in open-source packages.

Software supply chain attacks have increased by an average of 742% per year. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. We have already seen the impact of the SolarWinds hack, Log4Shell, NotPetya and XZ Utils. In dollar terms, software supply chain attacks are projected to cost the world $60 billion by 2025.

Building secure software starts at an early stage; this session will highlight ways to secure the SSC:

  • Secure build environment: add security to the build pipeline, covering not just OS vulnerabilities but also Software Composition Analysis (SCA). Pipelines can also be used to produce virtual machine images, not just containers, and those images need the same scrutiny.
  • Securing Infrastructure as Code (IaC): scanning IaC templates detects cloud misconfigurations at build time, before they are deployed.
  • Registry hygiene: detecting secrets and malware in container images, alongside Software Composition Analysis.
  • Runtime security for Kubernetes and containers should always be prioritized.
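As an added illustration of the first three points (example code written for this page, not the speaker's or Qualys's tooling): a minimal pipeline gate in Python that reads a constructed CycloneDX-style SBOM and flags components inside the affected range of a constructed advisory list (the two CVE identifiers are real, the version ranges are simplified), then scans a constructed Terraform fragment for a public bucket ACL and hard-coded credentials, failing the build if anything is found. The function names, the advisory record layout and the sample inputs are all assumptions of this example.

```python
"""Build-pipeline gate: SCA over an SBOM plus IaC misconfiguration and secret checks.

Example written for this page; not the talk's or any vendor's code. All inputs
below are constructed inline so the script runs offline.
"""
import json
import re
import sys

# Constructed CycloneDX-style SBOM (a real one carries many more fields).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "requests", "version": "2.31.0"},
        {"name": "xz", "version": "5.6.1"},
    ],
})

# Constructed advisory feed. The CVE ids are real; the ranges are simplified
# (first affected version, first fixed version) for illustration only.
ADVISORIES = [
    {"id": "CVE-2021-44228", "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-2024-3094", "name": "xz", "introduced": "5.6.0", "fixed": "5.6.2"},
]

# Constructed Terraform fragment; the access key is AWS's documented example value.
IAC_FILE = """provider "aws" {
  region     = "ap-southeast-2"
  access_key = "AKIAIOSFODNN7EXAMPLE"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_db_instance" "app" {
  engine   = "postgres"
  password = "Sup3rS3cret!"
}
"""


def version_key(version):
    """Numeric dotted-version key, sufficient for the components above.
    Real SCA tools use ecosystem-specific ordering (semver, PEP 440, Maven)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_sbom(sbom_json):
    """Return (name, version) pairs from a CycloneDX-style JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_vulnerable(components, advisories):
    """Flag every component whose version lies in [introduced, fixed) of an advisory."""
    findings = []
    for name, version in components:
        v = version_key(version)
        for adv in advisories:
            if adv["name"] != name:
                continue
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append({"kind": "sca", "id": adv["id"],
                                 "component": f"{name}@{version}", "fix": adv["fixed"]})
    return findings


# (kind, description, pattern) rules applied line by line to IaC text.
IAC_RULES = [
    ("iac", "public S3 bucket ACL", re.compile(r'acl\s*=\s*"public-read(?:-write)?"')),
    ("secret", "hard-coded password", re.compile(r'password\s*=\s*"[^"]+"')),
    ("secret", "AWS access key id", re.compile(r"AKIA[0-9A-Z]{16}")),
]


def find_iac_issues(text):
    """Return one finding per (line, rule) match, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, desc, rx in IAC_RULES:
            if rx.search(line):
                findings.append({"kind": kind, "id": desc, "line": lineno})
    return findings


def run_gate(sbom_json=SBOM_JSON, iac_text=IAC_FILE, advisories=ADVISORIES):
    """Combine both checks; the gate passes only when nothing is found."""
    findings = find_vulnerable(parse_sbom(sbom_json), advisories) + find_iac_issues(iac_text)
    return len(findings) == 0, findings


if __name__ == "__main__":
    passed, findings = run_gate()
    for f in findings:
        print(f)
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, a non-zero exit blocks the merge or the image push. Production SCA replaces the version helper with ecosystem-aware ordering and the inline list with a live advisory feed, and secret scanning adds entropy checks on top of patterns; the shape of the gate stays the same.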

There are also a number of process changes and supplier expectations that can be enforced.

The Open Software Supply Chain Attack Reference (OSC&R) is a MITRE ATT&CK-like framework that provides a comprehensive, systematic and actionable way to understand attacker behaviours and techniques against the software supply chain. It helps in understanding and analysing the tactics, techniques and procedures (TTPs) adversaries use to compromise software supply chains.

Finally, always tie enterprise risk to everything, including the SSC, so that fixes can be prioritized.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.