It seemed like we were all learning about a new type of application security attack not that long ago. What does software supply chain risk mean? What are the different types of attacks - dependency confusion, brandjacking, typosquatting, package tampering - that we need to be concerned with, and how can we detect them and protect against them? The new reality is that supply chain attacks from various vectors - open source code, proprietary code, and data harnessed from CI/CD pipelines - are in the mainstream news on a regular basis, so much so that governmental regulations are starting to appear.
With new frameworks like Google’s SLSA, the new Executive Order from the US government, and a host of vendor solutions, where do you start in understanding and addressing your organization’s supply chain risk?
The session presents innovative approaches and tools designed to thwart supply chain threats early in the development lifecycle - before they can be exploited for attacks.
Session takeaways:
- Supply Chain isn’t just about open source
- Traditional methods have been largely reactive, aiming to facilitate post-attack investigation and alleviate damage if possible
- Novel supply chain risk tools offer a proactive approach to combat risk and are easily integrated within the development lifecycle