i'm in ur scm, bein a ninja

Presented at BSidesDC 2014, Oct. 18, 2014, 11:30 a.m. (50 minutes)

In recent years, secure development practices and supply chain integrity have gotten more attention, but the integrity of the source code repository, which should be central to both conversations, has been neglected. There have been tons of known breaches in which attackers gained access to source code. Who says the code was only _read_? Attackers with a foothold inside an enterprise can do fantastic damage to that organization, or to its downstream customers. In this talk I'll go through several attack scenarios and tie them to the many, many source code compromises we know about. I'll also go through some mitigation steps and strategies, or the lack thereof.

Presenters:

  • Hank Leininger - Co-Founder at KoreLogic
    Hank Leininger has been breaking stuff and building stuff for a while. While playing defense, he wrote the HAP-Linux kernel hardening patches in the late '90s, which have been a part of GRSecurity since the 2.4 kernel series. In 2004 Mr. Leininger co-founded KoreLogic, Inc., an expert security consulting practice. He does not have any interesting letters after his name.