Abstract:
Modern software relies extensively on pre-existing code. From libraries
to build scripts, developing software is accelerated at a rapid pace
from the wide availability and functionality of open source code. This
abundance of building code blocks comes with additional security risks.
Aside from exploiting vulnerabilities found directly in the software,
perpetrators aim to compromise any indirect parts of the targeted
software, from build and deployment pipelines to third-party dependencies.
In this talk we focus on the security threats that rise from the
software supply chain. We will cover two specific aspects of software
supply chain attacks extensively: code dependencies and build pipelines.
In our first work, we present Mininode, a tool we created to reduce the
attack surface of Node.js applications by removing unused modules and
functions. Mininode uses static analysis to detect which parts of the
code are actually used and constructs a detailed dependency graph that
enables the reduction of unused code. In our second work, we study the
security of GitHub's continuous integration platform. We identify the
fundamental security properties that must hold for any CI/CD system and
examine if the popular CI/CD platforms enforce these properties. Our
work highlights potential attack vectors that can be used to compromise
the execution of workflows, consequently leading to supply chain attacks.
Bio:https://kapravelos.com/
Photo:https://kapravelos.com/
