Compromised supply chain within a supply chain poses new risks(cloudblogs.microsoft.com)
cloudblogs.microsoft.com
Compromised supply chain within a supply chain poses new risks
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/
18 comments
> I have not heard many companies really conceptualize their “supply chain” exposure from the myriad of scripts/dependencies injected via tag managers and other software.
I made a thing called "TrackerMap" that allowed people, mostly Fortune 500 web/risk/compliance people, to do just that: https://www.crownpeak.com/products/monitoring-solutions/tag-...
(It has since been acquired, and I have no affiliation.)
I made a thing called "TrackerMap" that allowed people, mostly Fortune 500 web/risk/compliance people, to do just that: https://www.crownpeak.com/products/monitoring-solutions/tag-...
(It has since been acquired, and I have no affiliation.)
The 'supply chain' of docker and other sandboxed 'exact versions' request-able environments scare me.
Horrid 'enterprisy' java applications showed everyone how bad things could get and those same mistakes are being replicated instead of learned from.
Horrid 'enterprisy' java applications showed everyone how bad things could get and those same mistakes are being replicated instead of learned from.
These come to mind for scanning for malicious dependencies
https://www.blackducksoftware.com/ https://www.sonatype.com/nexus-firewall
I believe there are others, just pulling from memory.
https://www.blackducksoftware.com/ https://www.sonatype.com/nexus-firewall
I believe there are others, just pulling from memory.
The article also stated that the malware being a part of an installation utility gave it basically the Windows equivalent of riot access. Why does any normal app need root access?
Supply chain attacks are one of my personal nightmares.
However, on the bright side, cryptominers are continuing to perform a public service by providing non-destructive whole-lifecycle penetration testing on a contingent-fee basis.
However, on the bright side, cryptominers are continuing to perform a public service by providing non-destructive whole-lifecycle penetration testing on a contingent-fee basis.
Which components/stack/supplychain is used by most crypto-miners?
I like bitcoin, but the GIGO makes these supply blockchains useless. The enormous costs(slow and expensive) of blockchain makes me think blockchain shouldnt be used for dApps or logistics.
Another supply chain I worry about is package management. Maven, NPM, NuGet, etc.
[deleted]
> The app vendor’s systems were unaffected.
The vendor doesn't test their software in its entirety?
The vendor doesn't test their software in its entirety?
The packages served to the vendor could be legit, but packages served to everyone else is compromised. The vendor would never know there was a problem.
One could use hash signatures to detect a problem.
The hash comes from the source of the package, and in this attack that source was compromised. The malicious code was signed.
And it’s not just tag managers (GTM/DTM, etc) - React create app command builds a boilerplate with hundreds of packages as dependency.
Has anyone employed any kind of automated scanning to try and catch known malicious code in these?
On the tag manager front, I’m afraid the very premise of letting non-technical people manage code is what makes these a built-in vulnerability. Educating those in control as to risks seems to be the only option, in addition to normal malware scanning you have to do if you run ads.