How to Secure the Software Supply Chain

Presented at May Contain Hackers (MCH2022), July 23, 2022, 9:40 p.m. (50 minutes).

Open source code makes up 90% of most codebases. How do you know if you can trust your open source dependencies? Do you know what’s really going on in your node_modules folder? It is critical to manage your dependencies effectively to reduce risk, but most teams have an ad-hoc process where any developer can introduce dependencies. Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022. We’ll dive into examples of recent supply chain attacks targeting the JavaScript, Node.js, and npm ecosystems, as well as concrete steps you can take to protect your apps, projects, and teams from this emerging threat.

Takeaways for this talk:

  1. Understand the scope of the supply chain threats against the open source ecosystem, specifically with a focus on JavaScript, Node.js, and npm.
  2. Review of our work to audit every open source package on npm to detect the following types of attacks: malware, typo-squats, hidden code, misleading packages, and permission creep.
  3. Specific examples and code walk-throughs of actual malware that was found on npm.
  4. Discussion of existing methods and tools for detecting supply chain attacks against open source, including their limitations.
  5. Introduction of a new open source tool which helps detect supply chain attacks in real time.

Presenters:

  • Feross Aboukhadijeh
    Feross is the author and maintainer of WebTorrent, StandardJS, and hundreds of other open source projects. His software is downloaded 500+ million times per month. He was a lecturer at Stanford, where he created the course CS 253 Web Security. More recently, Feross is the founder and CEO of Socket, where he's working on a new approach to supply chain security by auditing every package on npm to detect suspicious changes and block supply chain attacks without slowing the development process.
