Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics: how one project's outputs become the inputs of someone else's supply chain, and methods for attacking the supply chain, including compromising compilers, injecting code into installers, dependency confusion, and typosquatting. They also consider Ken Thompson's paper on injecting a backdoor into the C compiler. The episode then considers some well-known supply chain attacks: researcher Alex Birsan's dependency confusion attack; the log4shell attack on the Java Virtual Machine; the pervasiveness of compilers and interpreters where you don't expect them; the SolarWinds attack on a network security product; and the CodeCov compromise, in which the installer was modified with code that exfiltrated environment variables. The conversation ends with some lessons learned, including how you can protect your supply chain and the problem of dependencies in modern languages.
SE Radio theme: "Broken Reality" by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)
Tags: IEEE Computer Society, podcast, SE-Radio