
3 areas of implicitly trusted infrastructure that can lead to supply chain compromises
2021-05-13 05:30

Each one of these supply chain attacks targeted a different piece of implicitly trusted infrastructure: infrastructure that you may or may not be paying attention to as a potential target in your organization.

Package squatting via software package repositories.

The best way to ensure that we are receiving the right package from the right people is a cryptographically signed package, verified against the public key of the package maintainer.

Without package signing, the next best place to tackle these packaging problems is in the local environment.

Signing commits works much like author-signed packages from package repositories, but brings that authentication down to the level of the individual code change.

Compromises of TLS certificates are nothing new and present a large problem, possibly one of the largest in the cryptographic supply chain.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/_yoP_Jl1d8s/