Software Supply Chain Threat Detection presented at BSidesAtlanta 2020

by Diaspina Doyle,


Summary : Scenario: Recently XYZ Bank received complaints from customers who closed their online account and had not received the requested check for their remaining balance. XYZ Bank found a SQL backdoor which altered the mailing address of closed accounts to a suspicious offshore address. The escalation that followed raised these concerns amongst XYZ InfoSec, XYZ IT, and the software consultants that developed their online banking application: • How many customers were impacted? • The SOC team had confirmed that external network traffic did not install this backdoor. Where then did it come from? • How many people had access to the source code repositories? • What other code might have been backdoored? It is a common trend for global organizations to utilize an onsite-offshore delivery model, wherein software development teams are outsourced to various parts of the world including countries known for active cyber offenses or working conditions that leave knowledge workers bitter and disgruntled. To check for security issues, these organizations perform static analysis, code review, dynamic analysis, and penetration testing, to name a few. These techniques discover coding defects such as buffer overflow and cross-site scripting but cannot typically find malicious code such as backdoors and logic bombs. In a production enterprise environment, the security operations team monitors for external threats, primarily network attacks, malware, and ransomware. Their tooling is informed by threat intelligence feeds designed to detect patterns of global external attackers, not threats coming from inside the enterprise. This presentation provides insight into: 1. What is Software Supply Chain Threat Detection? 2. How is it different from other defect discovery methods? 3. Motive behind such threats in the software world 4. How is threat detection performed? 5. Points of interest to look for 6. Real world scenarios- backdoors, suspicious constructs 7. Outcome of Software Supply Chain Threat detection - passive and active monitoring