Overview
Learn essential strategies for protecting against supply chain attacks in this BSidesCharm conference talk. Explore the complexities of hardware, firmware, and software supply chains while discovering practical approaches to minimize trust and verify component integrity. Dive into open-source and free tools for device enumeration and validation, with real-world examples including the MSI breach and Black Lotus attacks. Master defensive techniques like Trusted Platform Module implementation, LVFS FWUPD usage, and secure boot configuration. Gain insights into vulnerability management, third-party software considerations, and in-house development security from security expert Paul Asadoorian, Principal Security Evangelist at Eclypsium and host of Paul's Security Weekly podcast. Examine Linux-specific examples and understand how to implement robust supply chain security measures across your technology stack.
Syllabus
Introduction
Caffeine
Questioning the Supply Chain
Measuring Caffeine in Coffee
How to Minimize Supply Chain Risks
Linux
Digital Supply Chain
Trust
Real World Attacks
Trusted Platform Module
Defending the Supply Chain
LVFS FWUPD
Inksy
MSI Breach
Black Lotus
FWUPD
Secure Boot
Third-Party Software
Linux Example
Software Developed In-house
Vulnerability Management
Google Java in Python
Conclusion
Questions
Taught by
BSidesCharm