Overview
Explore real-world incidents of software supply chain attacks in this 29-minute conference talk from ISTA, delivered by Payhawk Senior Software Engineer Todor Todorov. Gain critical insights into the security vulnerabilities within software package ecosystems like npm and NuGet, examining attack vectors including dependency confusion, typosquatting, and malicious package insertion. Learn through detailed case studies how attackers create and distribute seemingly harmless packages containing malicious payloads, manipulate pull requests to popular repositories, and exploit these weaknesses to harvest sensitive data. Master essential mitigation strategies and best practices for protecting projects, including effective dependency management, implementation of private package repositories, and developer education on risk assessment and attack detection. Drawing on the speaker's more than 15 years of software engineering experience and expertise in clean code, cyber security, and DevOps, the talk offers practical approaches to safeguarding projects and maintaining software supply chain integrity in today's interconnected digital landscape.
Syllabus
Supply Chain Shenanigans
Taught by
ISTA Conference