As part of our ongoing series of web seminars, CEO Jeffery Payne hosted application security pioneer Jeff Williams, the co-founder of OWASP and the current CTO of Contrast Security, on July 15, 2021, for a discussion about software supply chain attacks.

During the conversation, the two discussed how software supply chains are similar to and different from other types of supply chains, how the target components in the most recent software supply chain attacks have evolved, and how producers and consumers can protect their software. In addition, Jeff Williams answered questions from the audience on DevSecOps transformations, building dependencies from source rather than using binaries, and more. We also heard what Jeff Williams really thinks about the recent Executive Order on cybersecurity.

Check out some of the highlights below, or view the presentation and slide deck here.

…What we saw with Equifax was an interesting shift. The attackers, instead of focusing on the custom code and the application itself, found an expression language injection vulnerability in a version that was widely used. So instead of having to attack each application individually, now they could just send one HTTP request to any application that was using that version and completely take it over with one HTTP request. So they were able to cover lots of applications really fast, and, you know, that’s great for the attackers; that’s a force multiplier. They love that because it makes it easier for them to find targets…

What we see is as operating system security got harder, as it got harder to find kernel exploits, people moved to web apps—so now they’re attacking the web apps. That was easy for a decade, and then it starts to get a little harder. And then people start moving to libraries. “Oh look, we can move to libraries and attack those.” So then, people are buckling down on library security, making sure their libraries are up to date and they’re not using out-of-date vulnerable versions…

And now we’re starting to see attacks on the build infrastructure. So things like in SolarWinds, the attackers attacked the CI/CD pipeline. They broke in and were able to insert a Trojan into the update that was being sent out to all their customers. 

It’s attackers smartly adapting to changes in the ecosystem. It’s not that those old attacks are going away, it’s like they’re adding on to the top with new classes of attacks…

What You Need to Know About Software Supply Chain Attacks

Jeff Williams

Jeff has more than 20 years of security leadership experience as Co-Founder and Chief Technology Officer of Contrast. Previously, Jeff was Co-Founder and Chief Executive Officer of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for eight years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from the University of Virginia, an MA from George Mason, and a JD from Georgetown.

Jeffery Payne

Jeffery Payne is CEO and founder of Coveros, Inc., a company that helps organizations accelerate the delivery of secure, reliable software using agile methods. Prior to Coveros, he was co-founder of application security company Cigital, where he was CEO for 16 years. Jeffery is a recognized software expert and popular keynote speaker at both business and technology conferences on a variety of software quality, security, DevOps, and agile topics. He has testified in front of Congress on issues such as digital rights management, software quality, and software research. Jeffery is also the technical editor of AgileConnection (www.agileconnection.com).
