
Supply Chain Attacks: Focusing on NPM Vulnerabilities - DevSecOps 2023

Conf42 via YouTube

Overview

Explore a comprehensive conference talk on supply chain attacks, focusing specifically on NPM (Node Package Manager) vulnerabilities. Delve into the intricacies of software supply chain security, examining real-world examples and their implications. Learn about maintainer email address takeovers and their significance in recent attacks. Gain insights into the attacker's perspective and into defensive strategies for projects and companies. Discover research findings on worldwide NPM package vulnerabilities, including domain-related issues and their potential impact. Investigate similar concerns in RubyGems and explore tools for detecting dependency confusion. Conclude with proposed solutions and a Q&A session to enhance your understanding of this critical aspect of DevSecOps.

Syllabus

intro
preamble
about danish
disclaimer
supply chain
software supply chain
supply chain attacks
examples
npm node package manager
maintainer email address takeover
significance of maintainer email - recently
process - attacker's perspective
defensive strategy for projects or companies
research - world-wide-how
hassan intro
research - npm packages domains
impact!!!
gap that could be filled
ruby gems research approach
vulnerable ruby gem
hardest part!
some fun stuff!
another tool: script to detect dependency confusion
gemscanner
solutions
any questions?
thank you!

Taught by

Conf42
