The elephant in the room dependencies: securing your software supply chain

A good attacker will target the most vulnerable part of a software system. In the past, this has been application flaws, hardware bugs, or misconfigurations.

As the industry has evolved to detect and prevent these errors, attackers have moved to newer targets: your dependencies. Instead of attempting to execute a complex attack directly against a target, attackers are injecting malicious code into popular downstream transitive dependencies. Without proper controls, victims quickly inherit this malicious code into their software systems, which can lead to a total system compromise.

This talk dives into the problem of software supply chain security and presents some ideas for addressing the problem.

Speaker

Seth Vargo

Seth Vargo is an engineer at Google Cloud. Previously he worked at HashiCorp, Chef Software, CustomInk, and some Pittsburgh-based startups. He is the author of Learning Chef and is passionate

...