Securing the Software Supply Chain

Advanced software supply chain attacks have a vast and rippling impact. By injecting malicious code into an otherwise legitimate software update, bad actors infected over 18,000 SolarWinds customers who had dutifully installed the update.

The malware inserted in SolarWinds’ Orion application is just one vector of what looks to have been a well-planned, multi-pronged campaign targeting specific organizations.

Such a high-impact breach exposes the growing attack surface and vulnerability of software development and delivery. With the advent of CI/CD pipelines, supply chain attacks have become more prevalent, with attackers compromising code signing certificates to sign malicious code and bypass controls.

  • As early as 2016, the source code of the BitTorrent client Transmission was backdoored on GitHub. And in 2017 the popular cleanup application CCleaner was backdoored via a compromised code signing certificate.
  • A Docker Hub breach allowed the theft of 190,000 usernames and hashed passwords and exposed Bitbucket and GitHub access tokens.
  • A Kubernetes security flaw allowed attackers to use an infected container to replace files on users’ workstations.
