Software Supply Chain Security in CI/CD Environment
© 2022 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
2020 to 2022
▪ SolarWinds Orion affected 18,000 customers globally.
▪ Unimax U686CL phones given to low-income Americans shipped with Adups malware from China used for data gathering.
▪ GitHub repositories were exploited by the Octopus Scanner group to actively serve malware and trojans.
▪ 400 plus malicious npm packages targeted Amazon's SDK, Facebook Jest, Uber, AirBnB, Azure, etc.
2021
▪ Novel dependency confusion was used to breach 35 major tech companies including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber.
▪ Twilio's TaskRouter JS SDK was exploited by Magecart to inject malicious software for over 8 hours; hundreds of customers were impacted.
▪ Log4J affected 35,000 plus Java (Maven) packages; 800,000 attacks were detected within 72 hours of identification.
▪ Kaseya: a ransomware group exploited a vulnerability in the MSP software management platform, impacting 1500 plus victims.
▪ Sushiswap MISO: one GitHub repository of the cryptocurrency platform was exploited in a software supply chain attack to steal $3M.
▪ Mimecast-issued certificates were exploited to take over the Microsoft Exchange Server connection, impacting thousands of customers.
▪ Codecov's bash uploader script was exploited by attackers, impacting hundreds of customers including vendors such as Twilio, Freshworks and HashiCorp.
▪ Apple's Xcode, the free application for iOS developers, was targeted by XCodeSpy to install backdoors.
▪ ClickStudios PasswordState, a password manager, was exploited to steal the passwords of 30,000 customers.
▪ SYNNEX, a technology distributor, was attacked by APT29 (Cozy Bear), which resulted in the compromise of its clients such as the Republican National Party.
▪ Malware in 500 npm and 130 PyPi packages affected several big tech companies including VMware and can be exploited to steal AWS keys and Windows and macOS credentials.
Why
✓ 98% have Open-Source Software (OSS) in their code base
✓ 85% contained open source that is more than 4 years old
✓ 88% had components with no new developments in 2 years
✓ 94% of OSS projects have fewer than 10 developers accounting for 90% of lines of code
✓ 88% plan to increase container use and 31% plan to increase it significantly
Why Now
✓ 650% increase in year-on-year attacks on OSS
✓ 61% rank supply chain security as their top container security initiative for 2022
✓ 45% of containers are open source
✓ 33% are directly impacted by Executive Order 14028
✓ All IoT/OT vendors are impacted by H.R.1668, California SB-327, Oregon HB 2395 (2019), and the European Cyber Security Act
How
✓ 88% plan to use a Software Bill of Materials (SBOM) in 2023
✓ 72% of organizations have more than one CI/CD system and a median of 6 different tools in their DevOps toolchain
✓ A median of 5 different container platforms are used by the organization
Methods / Challenges
Source: https://slsa.dev/
SLSA requirements by level
Source: https://slsa.dev/spec/v0.1/requirements
• The above table includes only a small representative listing of open source and commercial tools.
Solutions / Services
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the independent network of GTIL member firms provide services to their clients, as the context requires. GTIL and each of its member firms are not a worldwide partnership and are not liable for one another’s acts or omissions. In the United States, visit grantthornton.com for details.
© 2022 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
jitendra.joshi@us.gt.com