Open Source Libraries Can Kill Your Supply Chain Security

  • Published 15 Sep 2024
  • Sign up NOW: www.blackhat.c...
    Did you know you could get compromised if you forgot to include the version number when importing third-party libraries? This is an attack called Dependency Confusion, and here's a tiny slice of what you'll be learning in my course at Black Hat Asia on April 16-17, 2024.
    This is a 2-day, purely attack-based course designed to help you understand every step of your software supply chain and how to secure it.
    What you'll learn:
    - Client-side Supply Chain attacks
    - Server-side dependency attacks
    - Trojanizing Containers
    - Attacks against CI Services
    - Attacking Kubernetes clusters through malicious Operators
    ...and so much more. There's less than 2 weeks left, don't miss out!
    Grab your seat today: www.blackhat.c...

COMMENTS • 2

  • @Mr_Yeah · 5 months ago

    How does using the latest version of your dependencies lead to INsecurities, assuming that hackers didn't compromise the supply chain?

    • @AppSecEngineer · 5 months ago

      It’s usually best to use the latest version of a software/library that’s been tested and is known to be secure. Assuming there’s an even more recent patch, it may be that that version has insecurities not yet discovered.
      As for what an attacker can do, they can release software to the public registry with the same name but a higher version number, and that tricks the package manager into installing that version.