Cyber Security Weekly Podcast

Episode 364 - Software supply chain risks

Jane Lo, Singapore Correspondent, speaks with Yakir Kadkoda and Ilay Goldman, Security Researchers with Aqua Security


Yakir Kadkoda combines his expertise in vulnerability research with a focus on discovering and analyzing new security threats and attack vectors in cloud native environments, supply chain security, and CI/CD processes. Prior to joining Aqua, Yakir worked as a red teamer.


Ilay Goldman specializes in discovering and analyzing novel security threats and attack vectors in cloud native environments, supply chain security, and CI/CD processes. Additionally, Ilay conducts research on open-source security and vulnerabilities. Prior to joining Aqua, he worked as a red teamer.


In this interview at Black Hat Asia, Yakir and Ilay explain the complexity of a modern software supply chain: the dependency of a typical software development cycle on open-source code and on a wide array of tools and platforms.


They note that in this supply-chain ecosystem there are many vulnerable tools and platforms that are trusted by the majority of developers.

To highlight some examples of these vulnerabilities, Yakir and Ilay divide the development flow of many organisations into phases: Integrated Development Environments (IDEs), Source Code Managers (SCMs), Continuous Integration/Continuous Delivery (CI/CD), package management and more.


They point out, for instance, the potential of malicious IDE extensions that developers may inadvertently trust, and how attackers who compromise access to package-manager platforms could publish malicious packages that impersonate legitimate ones.


They also share how they found tens of thousands of tokens belonging to open-source projects that had been leaked through CI/CD platforms, tokens which could be exploited for lateral movement.
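The practical check that follows from this finding is to scan build logs and artifacts for credentials before they are published. The following is an added example written for this page, not code from Aqua or the podcast: a small scanner that runs over a constructed build log, reports each matched token in redacted form, and scrubs the text so an artifact can be uploaded safely. The token prefixes and lengths in the pattern table (GitHub `ghp_`/`ghs_`, npm `npm_`, AWS `AKIA`) are assumptions based on those vendors' documented formats and should be checked and extended for the issuers in your own pipeline.

```python
"""Scan CI/CD build output for leaked credentials before it is published."""
import re
from dataclasses import dataclass

# Assumed token shapes (verify against vendor docs before relying on them):
# GitHub classic PAT / Actions token, npm access token, AWS access key id,
# and any PEM private key header.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_actions_token": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample build log; the tokens are synthetic and match only the
# shapes above (AKIAIOSFODNN7EXAMPLE is the placeholder from AWS documentation).
SAMPLE_BUILD_LOG = """\
[build] npm ci --no-audit
[build] using registry token npm_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
[deploy] export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
[deploy] aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
[test] 12 passed, 0 failed
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    redacted: str   # enough of the token to locate it, never the full value


def redact(token: str) -> str:
    """Keep a short prefix so a report can be shared without re-leaking."""
    return token[:8] + "..."


def scan_text(text: str) -> list[Finding]:
    """Return every credential match in order of appearance."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((m.start(), Finding(kind, line_no, redact(m.group(0)))))
    # Sort by position, not by pattern-table order, so reports read top-down.
    hits.sort(key=lambda item: (item[1].line_no, item[0]))
    return [finding for _, finding in hits]


def scrub_text(text: str) -> str:
    """Replace each matched token with its redacted form before publishing."""
    for pattern in TOKEN_PATTERNS.values():
        text = pattern.sub(lambda m: redact(m.group(0)), text)
    return text


if __name__ == "__main__":
    findings = scan_text(SAMPLE_BUILD_LOG)
    for f in findings:
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    # Non-zero exit lets a CI step fail the build when a credential is found.
    raise SystemExit(1 if findings else 0)
```

Run it as a step after the build and before artifact upload; the exit status blocks publication, and `scrub_text` can be applied to logs that must be retained. A pattern table like this catches only known formats, so treat it as a gate on top of, not a replacement for, short-lived tokens and least-privilege scopes.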


Wrapping up, they advise that software developers practise security by design: whilst “security takes time”, fixing the problem later may cost even more time and money.


Recorded 11th May 2023, 11am, Black Hat Asia 2023, Singapore Marina Bay Sands


#BHasia #mysecuritytv #supplychain #cybersecurity
