
Picking Lockfiles - Attacking & Defending Your Supply Chain

Black Hat via YouTube

Overview

Explore the offensive and defensive sides of supply chain attacks on open source software projects in this 31-minute Black Hat conference talk. Learn about an attack technique that conceals malicious code within open source contributions, making it hard to detect during code review. Dive into the concept of lockfile tampering and its implications for software integrity. Examine real-world examples, including a GitLab merge request and an automated dependency update. Gain insight into attacker techniques, objectives, and tooling, such as the Bump-Key tool. Discover defensive strategies to protect your supply chain and understand why lockfile integrity matters. The talk covers both the attacker's perspective and the defensive measures available for supply chain security in open source development.

Syllabus

Intro
A Quick Story
Why are we talking about supply chains?
Attacking Supply Chains with Lockfiles
Defending Supply Chains
Lockfile example
Lockfile Tampering - Example
Multiple Attributes Occurrences
Integrity Hash Not Mandatory
Attacker Perspective: Compromising Supply Chains using Lockfiles
Attacker Techniques and Objectives
Bump-Key Tooling
Example: GitLab Merge Request
Example: Automated Dependency Update
Closing Words

Taught by

Black Hat
