Software Supply Chain Security in CI/CD Environment
© 2022 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
Software supply chain incidents, 2020 to 2022
2020
▪ SolarWinds Orion: a trojanized product update affected 18,000 customers globally
▪ Unimax U686CL phones given to low-income Americans shipped with Adups malware from China used for data gathering
▪ GitHub repositories were exploited by the Octopus Scanner group to actively serve malware and trojans
▪ 400 plus malicious npm packages targeted Amazon's SDK, Facebook's Jest, Uber, Airbnb, Azure, etc.
▪ Twilio's TaskRouter JS SDK was modified by Magecart to inject malicious code; the tampered SDK was served for over 8 hours and hundreds of customers were impacted
2021
▪ Novel dependency confusion was used to breach 35 major tech companies including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber
▪ Log4j (Log4Shell) affected 35,000 plus Java (Maven) packages; 800,000 attacks were detected within 72 hours of identification
▪ Kaseya VSA: a ransomware group exploited a vulnerability in the MSP software management platform, impacting 1,500 plus victims
▪ SushiSwap MISO cryptocurrency platform: a single GitHub repository was exploited in a software supply chain attack to steal $3M
▪ Mimecast-issued certificates were compromised and used to take over customers' Microsoft Exchange Server connections, impacting thousands of customers
▪ Codecov's bash uploader script was modified by attackers; it impacted hundreds of customers including vendors such as Twilio, Freshworks and HashiCorp
▪ Apple's Xcode, the free application for iOS developers, was targeted by XcodeSpy to install backdoors
▪ Click Studios Passwordstate, a password manager, was exploited to steal passwords of 30,000 customers
▪ SYNNEX, a technology distributor, was attacked by APT29 (Cozy Bear), which resulted in the compromise of clients such as the Republican National Committee
2022
▪ Malware in 500 npm and 130 PyPI packages affected several big tech companies including VMware and could be exploited to steal AWS keys and Windows and macOS credentials
Why
✓ 98% have Open-Source Software (OSS) in their code base
✓ 85% contained open source that is more than 4 years old
✓ 88% had components with no new development in 2 years
✓ 94% of OSS projects have fewer than 10 developers accounting for 90% of lines of code
✓ 88% plan to increase container use, and 31% plan to increase it significantly
Why Now
✓ 650% year-on-year increase in attacks on OSS
✓ 61% rank supply chain security as their top container security initiative for 2022
✓ 45% of containers are open source
✓ 33% are directly impacted by Executive Order 14028
✓ All IoT/OT vendors are impacted by H.R. 1668, California SB-327, Oregon HB 2395 (2019), and the European Cybersecurity Act
How
✓ 88% plan to use a Software Bill of Materials (SBOM) in 2023
✓ 72% of organizations have more than one CI/CD system, with a median of 6 different tools in their DevOps toolchain
✓ A median of 5 different container platforms are used per organization
Methods / Challenges
Source: https://slsa.dev/
[Four tables from the SLSA v0.1 specification (Source, Build, Provenance and Common requirements), with a checkmark at each SLSA level where a requirement applies; row labels did not survive extraction]
Source: https://slsa.dev/spec/v0.1/requirements
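As an added example (not part of the original deck), here is what the Provenance requirements in the SLSA tables above reduce to in code: the builder emits a SLSA v0.1 provenance statement inside a DSSE envelope, and the consumer verifies the envelope before trusting the artifact. The builder id, source repository URI, signing key and artifact bytes are constructed for the example, and an HMAC-SHA256 signature stands in for the builder's real asymmetric key.

```python
"""Produce and verify a SLSA v0.1 provenance attestation in a DSSE envelope.

Added example, not from the original slides. Assumptions: the builder signs with
an HMAC-SHA256 key (stand-in for the builder's asymmetric key); the builder id,
source URI and artifact bytes are hypothetical, constructed values.
"""
import base64
import hashlib
import hmac
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs (hypothetical values).
BUILDER_KEY = b"builder-signing-key-demo"            # stand-in for the builder's private key
TRUSTED_BUILDERS = {"https://ci.example.com/hosted-builder@v1"}
EXPECTED_SOURCE = "git+https://git.example.com/team/app"
ARTIFACT = b"fake release tarball bytes"            # constructed artifact content


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def build_provenance(artifact: bytes, source_commit: str) -> dict:
    """Builder side: emit a signed DSSE envelope carrying SLSA v0.1 provenance."""
    statement = {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V01,
        "predicate": {
            "builder": {"id": "https://ci.example.com/hosted-builder@v1"},
            "recipe": {"type": "https://ci.example.com/workflow@v1",
                       "definedInMaterial": 0, "entryPoint": "build.yaml"},
            "metadata": {"buildInvocationId": "run-4711",
                         "completeness": {"arguments": True, "environment": False,
                                          "materials": True},
                         "reproducible": False},
            # Material 0 is the source repo at the exact commit that was built.
            "materials": [{"uri": EXPECTED_SOURCE + "@refs/heads/main",
                           "digest": {"sha1": source_commit}}],
        },
    }
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(BUILDER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-key-1",
                            "sig": base64.b64encode(sig).decode()}]}


def verify_provenance(envelope: dict, artifact: bytes) -> list:
    """Consumer side: return the list of failed checks (empty list means accept)."""
    failures = []
    payload = base64.b64decode(envelope["payload"])
    # 1. Authenticated: signature over the PAE must come from a trusted builder key.
    expected = hmac.new(BUILDER_KEY, pae(envelope["payloadType"], payload),
                        hashlib.sha256).digest()
    sigs = [base64.b64decode(s["sig"]) for s in envelope.get("signatures", [])]
    if not any(hmac.compare_digest(expected, s) for s in sigs):
        failures.append("signature: envelope not signed by a key we trust")
    stmt = json.loads(payload)
    if stmt.get("_type") != IN_TOTO_STATEMENT or stmt.get("predicateType") != SLSA_PROVENANCE_V01:
        failures.append("format: not a SLSA v0.1 provenance statement")
        return failures
    # 2. The artifact in hand must be the subject the provenance describes.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt["subject"]):
        failures.append("subject: artifact hash not listed in provenance")
    pred = stmt["predicate"]
    # 3. Service generated: only a known build service may vouch for the artifact.
    if pred.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        failures.append("builder: untrusted builder id")
    # 4. The expected source repository must appear among the pinned materials.
    mats = pred.get("materials", [])
    if not any(m.get("uri", "").startswith(EXPECTED_SOURCE + "@") and m.get("digest") for m in mats):
        failures.append("materials: expected source repo/commit not recorded")
    # 5. Dependencies complete (SLSA 4): builder must claim the materials list is complete.
    if not pred.get("metadata", {}).get("completeness", {}).get("materials"):
        failures.append("completeness: materials list not declared complete")
    return failures


if __name__ == "__main__":
    env = build_provenance(ARTIFACT, "1" * 40)
    print(verify_provenance(env, ARTIFACT) or "accepted")
```

The verifier returns the list of failed checks rather than a bare boolean so an admission controller or release gate can log which SLSA requirement was missed. The signature check covers "Authenticated", the builder allowlist covers "Service generated", and the completeness flag is what "Dependencies complete" at level 4 rests on. "Non-falsifiable" (level 3) cannot be established from the consumer side at all: it depends on the build service keeping the signing key out of reach of user-defined build steps.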
• The above table includes only a small representative listing of open source and commercial tools
Solutions / Services
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the independent network of GTIL member firms provide services to
their clients, as the context requires. GTIL and each of its member firms are not a worldwide partnership and are not liable for one another’s acts or omissions. In the United States, visit grantthornton.com for details.
jitendra.joshi@us.gt.com
