Workshop – Software Supply Chain Security: From Offense to Defense

This course distinguishes itself by unveiling the hidden risks within the software supply chain, using NPM packages as its running example. It offers an eye-opening journey through supply-chain vulnerabilities, backed by cutting-edge research on 2.1 million packages and game-changing automation techniques, tools and methodologies for proactive defense.

$1,000.00

Duration

1 days

Delivery Method

Level

intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite at Abu Dhabi

DATE: 15 May 2024

TIME: 09:00 to 17:00 GST/GMT+4


Supply chain attacks, or attacks on open-source software, are spreading like no other disease. Examples include dependency confusion, Log4j, NPM attacks, Gem attacks on Ruby, and many more.
This talk focuses on the What, Why and How of this: the impact of supply chain attacks as the weakest link in the chain, and how to prevent them.
It includes extensive internet scanning of NPM packages to find ones prone to account takeover [+ impact identification and defense].

This training is focused on the dangers of NPM package hacking and account takeover. As many of you know, NPM packages are crucial dependencies for the widely-used JavaScript programming language. Unfortunately, in recent times there have been numerous instances of NPM package hacking, including confusion attacks and account takeovers, putting developers at risk without their knowledge.

In this training, we will focus on a specific aspect of Supply-Chain Attacks: the vulnerability of NPM packages to account takeover when the email address of the package maintainer expires. This may sound less impactful, but the reality is far from it. Just one package could be used by hundreds of thousands of applications, and the impact of such an attack would be devastating. We will demonstrate how an innocent NPM package can become a disaster, and how an NPM account takeover can evade detection even by security tools such as Dependabot, SAST, and DAST.

We have conducted extensive research on this issue, scanning the internet for widely-used NPM packages and collecting over 2.1 million packages with millions of downloads. We extracted the email addresses of these packages and scanned the domains to identify expired ones.

We then gathered download numbers of the vulnerable packages to demonstrate the impact of this vulnerability globally.
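The check described above, reduced to a defensive audit of your own dependency list, as an added example that is not the workshop's tool: it reads a package.json, looks up each dependency's maintainer e-mails in registry metadata, and flags any package whose maintainer e-mail domain is no longer registered. The registry snapshot, package names and the `REGISTERED` set are constructed so the script runs offline; a live run would fetch the npm packument (`GET https://registry.npmjs.org/<name>`, whose `maintainers` list holds `name`/`email` entries) and query a WHOIS/RDAP service instead.

```python
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of npm packument metadata. The real registry document
# (GET https://registry.npmjs.org/<name>) carries a "maintainers" list of
# {"name", "email"} entries; only that field is mimicked here.
SAMPLE_REGISTRY = {
    "left-side-pad": {"maintainers": [{"name": "alice", "email": "alice@maintained.example"}]},
    "tiny-colour": {"maintainers": [{"name": "bob", "email": "bob@lapsed-domain.example"},
                                    {"name": "carol", "email": "carol@gmail.com"}]},
    "legacy-util": {"maintainers": [{"name": "dave", "email": "dave@lapsed-domain.example"}]},
}

# Constructed stand-in for a WHOIS/RDAP lookup: a domain missing from this
# set is treated as unregistered, i.e. available for anyone to re-register.
REGISTERED = {"maintained.example", "gmail.com"}

# Constructed package.json for the project being audited.
PACKAGE_JSON = json.dumps({"dependencies": {"left-side-pad": "^1.0.0", "tiny-colour": "2.1.0"},
                           "devDependencies": {"legacy-util": "0.3.2"}})


def domain_of(email: str) -> Optional[str]:
    """Lower-cased domain part of a maintainer e-mail, or None if malformed."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", email.strip())
    return m.group(1).lower() if m else None


def audit(package_json: str, registry: dict,
          is_registered: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Map each dependency to the sorted list of maintainer e-mail domains that
    are no longer registered. One lapsed maintainer domain is enough to flag a
    package: that single account is the weak link the workshop describes."""
    manifest = json.loads(package_json)
    names = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    findings: Dict[str, List[str]] = {}
    for name in names:
        meta = registry.get(name)
        if meta is None:
            continue  # not in this snapshot; a live run would fetch it
        lapsed = sorted({d for mt in meta.get("maintainers", [])
                         if (d := domain_of(mt.get("email", ""))) and not is_registered(d)})
        if lapsed:
            findings[name] = lapsed
    return findings


if __name__ == "__main__":
    for pkg, domains in audit(PACKAGE_JSON, SAMPLE_REGISTRY, REGISTERED.__contains__).items():
        print(f"{pkg}: maintainer e-mail domain(s) not registered: {', '.join(domains)}")
```

A package with several maintainers is flagged if any one of them uses a lapsed domain, which is why `tiny-colour` appears in the findings even though one of its maintainers is on a registered domain.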

 

What will the students get

– Gain a holistic view of supply-chain security, covering open-source vulnerabilities beyond NPM.
– Identify and mitigate risks in NPM packages and other open-source components.
– Master automated vulnerability detection for NPM packages, understanding its broader cybersecurity implications.
– Advocate for open-source security best practices within your organization.
– Protect your applications from diverse supply-chain and open-source threats.

 

Topics Covered

This training program is designed to provide participants with a comprehensive understanding of supply chain security from both an offensive and defensive perspective. The program covers the latest tactics and techniques used by attackers to compromise supply chains, as well as the most effective countermeasures to prevent and respond to these attacks. Participants will gain practical skills and knowledge to help them secure their own supply chains and mitigate risks.

 

Introduction to Supply Chain attacks & Software Supply Chain Security
– Understanding the importance of supply chain security
– Overview of supply chain attack types and techniques
– Common vulnerabilities in supply chains

 

[Case-Study] How to break down an attack pattern that’s new in the attack surface, and use your mind and automation sauce to automate the prevention when the prevention is not out there?
– JavaScript – NPM packages account takeover tale.
– Offensive / Attacker’s perspective simulation.
– Defensive simulation and practices.
– How to detect NPM account takeover vulnerability in your code base?
– How to automate?
– Research: thought pattern and critical thinking class, where the research on 2.1 million NPM packages is discussed and problem solving is practised.

 

Dependency confusion
– Brief introduction.
– Simulation from attacker’s perspective.
– Prevention methodologies from the defensive perspective.
– Our research on how widespread it is.
– Customized detection scripts.

 

Log4j, Typosquatting, Repojacking, Account takeover of dependencies.
– Offensive approach simulation
– Proactive approach of prevention discussion.

 

Deprecated libraries or dependencies
– How to automate the detection and keep your code secure?
– Methodologies for your SDLC.
– Why Dependabot is not enough – GemScanner for your Ruby stack.

 

Real-World Examples of Supply chain attacks.
– Analysis of recent supply chain attacks
– Examination of successful and failed supply chain security measures
– Lessons learned and practical takeaways

 

Enhancing the supply chain security in your organizational SDLC.
– How to prevent supply chain attacks?
– Software Bill Of Materials: Setting up, good practices etc.
– Custom sauce of scripts.
– Dependabot and a lot more.

 

Key Takeaways:

  • This training program provides a comprehensive understanding of supply chain security from both an offensive and defensive perspective.
  • Participants will learn the latest tactics and techniques used by attackers to compromise supply chains, as well as the most effective countermeasures to prevent and respond to these attacks.
  • The program includes case studies and simulations, enabling participants to practice their critical thinking skills and gain practical experience in securing their own supply chains.
  • Real-world examples of supply chain attacks are analyzed, and lessons learned are shared, providing practical takeaways for participants to implement in their own organizations.
  • The course is suitable for software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students, and curious security professionals who want to expand their skills in application security with automation.
  • During this training, we will share our research methodology and tools, as well as an open-source script to automate the identification of this vulnerability within NPM packages used within your organization, for defensive purposes. We urge you to take this threat seriously and take action to protect your applications from NPM package hacking and account takeover.
  • It would include the history of NPM dependency attacks and how they could become the weakest link in the chain.
  • Demonstration of a few recent vulnerabilities and exploitations.
  • Demonstration of NPM account takeover methodology.
  • Demonstration of our research on 2.1 Million packages and finding the vulnerable ones out of those widely available and used packages.
  • Identification of download numbers and usage of the vulnerable package to make a point.
  • It would end by giving a demonstration on how to protect against the issues or vulnerabilities that could arise due to NPM packages.
  • In the end, a new tool/script would be introduced to automate the process of catching shady or vulnerable packages.

 

What new research, concept, technique, or approach is included in your submission?

Scanning 2.1 million NPM packages to find the packages vulnerable to account takeover, and then identifying the download numbers for the vulnerable ones to make the point about the impact of this vulnerability.

Before we conducted this research there was no publicly known defensive strategy, so The Register featured our solution as well – https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/ (but not the research).
– Attendees would be able to think about the importance of open-source security.
– Attendees would be able to identify vulnerable NPM dependencies.
– They would be able to protect their organizations from such dependencies, and would automate it within seconds.

The problem is not being solved by outdated-dependency detectors or by SAST or DAST tools, which do not detect the NPM dependencies that could be prone to account takeover. Moreover, this talk would be an all-in-one package for package and dependency security.

We would also be presenting our own scripted tools and their usage possibilities in this talk, to prevent this from spreading widely.

*NOTE: No names of NPM packages would be displayed in public for security reasons, and nothing illegal or unethical would be done or promoted – this talk is focused on how to defend your own codebase specifically.

 

Why You Should Take This Course

This course distinguishes itself by unveiling the hidden risks within open-source dependencies, with NPM packages as its example focus. It offers an eye-opening journey through supply-chain vulnerabilities, backed by cutting-edge research on 2.1 million packages and game-changing automation and defense techniques.

Who Should Attend

  • Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students and curious security professionals who would like to expand their skills.
  • Anyone interested in keeping relevant knowledge and skill in the world of application security with automation.

Key Learning Objectives

  • Attendees would be able to think about the importance of open-source security.

  • Attendees would be able to identify vulnerable NPM dependencies.

  • They would be able to protect their organizations from such dependencies, and would automate it within seconds.

  • Gain a holistic view of supply-chain security, covering open-source vulnerabilities beyond NPM.

  • Identify and mitigate risks in NPM packages and other open-source components.

  • Master automated vulnerability detection for NPM packages, understanding its broader cybersecurity implications.

  • Advocate for open-source security best practices within your organization.

  • Protect your applications from diverse supply-chain and open-source threats.
Prerequisite Knowledge

Basic understanding of how programming works would be beneficial

Hardware / Software Requirements

Computer and an internet connection

Your Instructor

Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years; it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.

He was also involved in bug bounty programs, where he helped many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe, etc.

– Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
– Featured in “The Register” for an initial workaround for the NPM dependency attacks.
– Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, Certified Network Security Specialist (CNSS), IBM Cyber Security Analyst
– Ex-Chapter Leader @ OWASP
– Ex-Top Rated freelancer (Information security category) on Upwork
– Recent security research and CVEs include CVE-2022-2848 & CVE-2022-25523
– Served as a Moderator @ OWASP 2022 Global AppSec APAC.