
This talk was given at ViennaJS October 2021 by Thomas Konrad.
Have you ever started a “Hello World” test project with a modern JavaScript framework and then counted the lines of code in your node_modules directory? There are literally millions of lines of code, written by people who know how to write high-quality software, and by people who don’t. How can we know that everything in there is legitimate? How can we know there is no malicious intent by anyone? How can we know there is no known vulnerability in our dependencies? How can we even know that we pulled in the right library?
While the questions above are not new, they gained new traction through two recent large-scale supply chain attacks: the SolarWinds attack and the Dependency Confusion attack carried out by a security researcher, the latter resulting in more than $100,000 in bug bounties. The Dependency Confusion attack leveraged a flaw in package management systems, especially the Node Package Manager (NPM).
In this talk, we’ll draw a bigger picture of the security problems that come with a large number of dependencies, and we’ll talk about solution approaches. Here’s the talk outline:
• Supply chains in the “real world” vs. in software
• Popular software supply chain incidents with technical details
• Supply chain insecurity in software
• Countermeasures by the “software society”
• Countermeasures during development
• Countermeasures during build
• Countermeasures during operations
• Advanced countermeasures like verifiable builds and farm-to-table guarantees
• Further reading resources