The destructive power of supply chain attacks and how to secure your code (Security News, August 2021)
In this Help Net Security podcast, Tomislav Peričin, Chief Software Architect at ReversingLabs, explains the latest and most destructive supply chain attacks, their techniques and how to build more secure apps.
The idea behind software supply chain attacks is compromising the trust between the software publisher and the end-user, and essentially using software as a backdoor entry into the environment.
Even though we kind of bundle these two different attacks in the same category called software supply chain attacks, there's a key difference, and I would say that SolarWinds is a software supply chain attack through the actual software, while Kaseya is a software supply chain attack through the solution that Kaseya is actually providing.
The idea is then that the developer will kind of mistype the name of the package and inadvertently install a piece of malicious software, right? So, there's one type, one additional type of supply chain attacks.
Again, there are all sorts of different compromises within software supply chain attacks, build compromise being one of them, and SolarWinds being one of the key examples of how that can have.
The only line of defense, when it comes to defending from software supply chain attacks that actually modify the build environment and inject themselves at that point, is to actually investigate the final build package as is and inspect and audit its underlying behaviors.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/4xPg8EMVZZ8/