SBOMs for Evil: Turning Un-Remediated Software Supply Chain Documentation into an Attack Path

Presented at CactusCon 12 (2024), Feb. 17, 2024, 2:30 p.m. (60 minutes).

Software security is more critical than ever before. SBOMs (Software Bills of Materials) provide a comprehensive inventory of all components used in a software package, including their versions and dependencies. Join us to learn how SBOMs can enhance penetration testing by taking "SBOMs for Good" and making them "SBOMs for Evil." See how SBOMs can improve offline analysis and attack path discovery through CVE-linked components and the identification of potential attack vectors that traditional scanning and enumeration techniques have difficulty finding. Not only do SBOMs help our adversaries, they can also be used to inform defense! Armed with this data you can make informed decisions about where to focus your efforts: optimizing detection methods for specific vulnerabilities, making more educated decisions about fine-grained network segmentation, and even being more observant about indicators of compromise. We'll cover SBOM basics, formats (CycloneDX, SPDX), and real-world use cases, such as compromising IoT/ICS/OT devices or software applications through analysis of SBOM CVE-linked components. Whether you're a technical cyber security professional, penetration tester, hacker, nation-state adversary, or on the blue team looking to inform your defenses, join us to learn how to incorporate SBOMs into your testing toolbox.
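The offline analysis the abstract describes comes down to a few mechanical steps: parse the SBOM, key each component by its package URL (purl) and version, look those up in a local vulnerability feed, and rank what comes back by how reachable and how severe it is. The script below is an added example written for this page, not code from the talk or from Finite State. The CycloneDX document, the component names and the `ADV-*` advisory identifiers in it are all constructed placeholders (not real packages or CVEs), and the constraint grammar for affected versions (`>=a,<b`, `<b`, `=a`) is an assumption chosen to keep the example self-contained.

```python
"""Offline SBOM triage: parse a CycloneDX JSON SBOM, match components
against a local vulnerability feed by purl and version range, and rank
the results so a red team knows where to start and a blue team knows
what to segment or watch.

All data here is constructed for illustration. Component names and the
ADV-* identifiers are placeholders, not real packages or real CVEs.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM (placeholder components, not a real device).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "acme-httpd", "version": "2.4.1",
         "purl": "pkg:generic/acme-httpd@2.4.1"},
        {"type": "library", "name": "libparse", "version": "0.9.12",
         "purl": "pkg:generic/libparse@0.9.12"},
        {"type": "library", "name": "libcrypt", "version": "3.1.0",
         "purl": "pkg:generic/libcrypt@3.1.0"},
    ],
})

# Constructed local feed keyed by versionless purl. "affected" uses an
# assumed constraint grammar; "vector" mirrors the CVSS attack-vector idea.
SAMPLE_FEED = {
    "pkg:generic/acme-httpd": [
        {"id": "ADV-0001", "affected": ">=2.4.0,<2.4.3", "cvss": 9.8, "vector": "network"},
        {"id": "ADV-0002", "affected": "<2.0.0", "cvss": 7.5, "vector": "network"},
    ],
    "pkg:generic/libparse": [
        {"id": "ADV-0003", "affected": "<0.9.13", "cvss": 8.1, "vector": "local"},
    ],
    "pkg:generic/libcrypt": [
        {"id": "ADV-0004", "affected": "=3.1.0", "cvss": 5.3, "vector": "network"},
    ],
}

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}


def parse_version(v):
    """Turn '1.4.59' or '1.1.1k' into a comparable tuple; a trailing letter
    becomes an extra integer so '1.1.1k' sorts after '1.1.1' and '1.1.1a'."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple(int(p) if p.isdigit() else ord(p[0].lower()) - 96 for p in parts)


def version_affected(version, spec):
    """True if version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(>=|<=|>|<|=)(.+)", clause.strip())
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def split_purl(purl):
    """'pkg:generic/acme-httpd@2.4.1' -> ('pkg:generic/acme-httpd', '2.4.1')."""
    base, _, version = purl.partition("@")
    return base, version


def triage(sbom_json, feed):
    """Return feed matches ranked for attacker usefulness: network-reachable
    first, then by CVSS. Each match records the SBOM component it came from."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to key the feed on; a gap worth reporting in a real tool
        base, version = split_purl(purl)
        version = version or comp.get("version", "")
        for adv in feed.get(base, []):
            if version_affected(version, adv["affected"]):
                hits.append({"component": comp["name"], "version": version,
                             "id": adv["id"], "cvss": adv["cvss"], "vector": adv["vector"]})
    hits.sort(key=lambda h: (h["vector"] != "network", -h["cvss"]))
    return hits


def network_exposed_components(hits):
    """Defensive view: components with a network-reachable match, i.e. the
    candidates for tighter segmentation and targeted detection."""
    return sorted({h["component"] for h in hits if h["vector"] == "network"})


if __name__ == "__main__":
    for h in triage(SAMPLE_SBOM, SAMPLE_FEED):
        print(f"{h['id']:9} {h['component']}@{h['version']:8} cvss={h['cvss']} via {h['vector']}")
    print("segment/monitor:", network_exposed_components(triage(SAMPLE_SBOM, SAMPLE_FEED)))
```

Two caveats a practitioner would add before trusting output like this against a real device: the purl in an SBOM only identifies what the vendor says shipped, so a match is a lead to confirm on the target, not a finding; and version-string comparison is only as good as the feed's version semantics, which is why the matching is isolated in `version_affected` so it can be swapped for a proper range library.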

Presenters:

  • Larry Pesce - Product Security Research and Analysis Director, Finite State
    Larry is the Product Security Research and Analysis Director at Finite State, focused on XoT security issues. He also co-hosts the international award-winning podcast, Paul's Security Weekly, and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. A self-professed lifelong "tinkerer and explorer", Larry always wanted to know how things work. "My dad built the family television from a kit, and I helped. It caught fire. Twice. I helped fix it both times." Larry is a Principal SANS Instructor, and appropriately, co-author of SEC617: Wireless Penetration Testing and Ethical Hacking, and SEC556: IoT Penetration Testing. In his spare time, Larry enjoys being a ham radio operator, spending time with his family, and getting outdoors. He loves working with his hands, whether in his vegetable garden, building electronics, or woodworking and blacksmithing in the pursuit of knife making.
