Friday September 27, 2024 11:30am - 12:15pm PDT
The frequency of Software Supply Chain attacks has been increasing over the last several years. This is, in part, due to the fact that the term “Software Supply Chain Attack” actually refers to a set of attacks that include: Repo Jacking, Repo Poisoning, Typo Squatting, and Dependency Confusion. Threat actors, such as nation states, select high value targets that can be extremely disruptive. They weaponize the software supply chain against their enemies (real or perceived) to wreak physical infrastructure damage or engage in commercial and governmental espionage. Attackers who are motivated by money have been able to demand huge ransoms, which would have been impractical in the past but have been made easy by cryptocurrencies. Frequently, they seek soft targets. Hospitals, municipalities and schools can be notoriously lax in their software security efforts. Often, they lack the capital and expertise to enable a successful defense against ransomware gangs.


Governments and the private sector are investing in defensive measures. Europe has responded with the Cyber Resilience Act. The US has mandated SBOMs as a countermeasure against supply chain attacks. If you know what is in your code then such an attack is unlikely. Right? Not exactly. In the commercial sector, a huge software security industry has arisen. In 2023 it was estimated to be valued at approximately 172 billion USD and it is a growing market. Yet this has not resulted in a diminishing threat.


In this presentation, I am going to describe practical strategies for improving your organization’s ability to defend against software supply chain attacks.

Speakers

Robert Marion

Software Product Security Architect, Baxter Healthcare
Robert Marion is the Product Security Architect at Baxter Healthcare. He has a background in software engineering and has worked on robots and machine communication. Robert designs and builds processes for making software products more secure. He is a member of the OmniBOR open source...
Room: Seacliff CD
