C4DT Conference on Software Supply Chain Security
The past two years saw a new vulnerability make headlines: software supply chains. Events such as the SolarWinds and Kaseya cyberattacks or the discovery of the Log4j vulnerability forced organizations to reevaluate their cyber risk exposure.
This one-day conference provides a platform for academia, government, business, NGOs and standard-setting bodies to shed light on software supply chain risks, to outline persisting challenges, and to discuss mitigation tactics, solutions, and best practices as well as emerging frameworks and standardization initiatives.
This event is organized by the Center for Digital Trust (C4DT).
Part 1: Understanding the risks landscape
We face a complex web of interdependence for both hardware and software. A supply chain of software code is behind any application or service delivered. And that software supply chain is only as strong as its weakest link – with attackers taking advantage of any weaknesses. Where do the key software supply chain vulnerabilities lie? How might we understand the threat actors’ mindset?
Introductory talk: Setting the scene on software supply chain risks
by Prof. Mathias Payer, Head of the HexHive Lab, EPFL
Talk: Inside the hacker’s mind – How do criminals operate? 2010 versus 2023
by Ege Balci, Threat Intelligence Team Lead, Prodaft
This presentation will explore the evolution of cybercrime business models, including the emergence of Malware-as-a-service (MaaS) and Ransomware-as-a-service (RaaS) platforms, as well as credential markets and the latest trends in tailored corporate access and credential stuffing attacks.
It will also cover cutting-edge developments in the cybercrime space, such as the use of anonymity browsers and 2FA bypass methods. These techniques enable cybercriminals to evade detection and bypass two-factor authentication measures, which have traditionally been a strong defense against cyberattacks. Another key trend in the cybercrime space is the increasing targeting of corporations, with cybercriminals selling tailored access to corporate networks and launching credential-stuffing attacks. These attacks are highly effective, as they rely on the use of stolen login credentials, which are often weak or reused across multiple accounts.
Overall, the presentation will provide valuable insights into the evolving business models of cybercriminals and the latest techniques being used to launch cyberattacks. Attendees will gain a deeper understanding of the cybercrime landscape and the steps they can take to protect themselves and their organizations against cyber threats.
Talk: Inside the hacker’s mind – Learning from the case study on the TA551 group
by Berk Albayrak, Threat Intelligence Analyst, Prodaft
The year 2023 is predicted to be the most profitable year for cybercriminals through large-scale attacks. Especially a growing number of supply chain attacks became appealing for threat actors in this field, as they realised the scope of the attacks done through supply chain attacks and small points of access.
Some cases, such as Kaseya, SolarWinds, and Colonial Pipeline, and vulnerabilities (e.g. Log4j) also attracted the attention of threat actors – by showing them the ways to succeed in this type of attack chain. Threat actors saw those attacks as an opportunity to further use them in 2023. For example, one of the threat groups that discovered this window of opportunity was TA551 and their collaborators.
During this talk, the attendees can expect the following questions to be answered: How do the TA551 and their partners operate supply chain attacks? Which tools, techniques, and procedures do they use? Which countries and what type of institutions are being targeted?
Part 2: Exploring the challenges
What are the main barriers to mitigating software supply chain vulnerabilities? From software developers across suppliers to customers: What are the key challenges they are facing and how are they addressing them? A focus on open source software security will provide additional insights and help to explore different perspectives.
Panel: Insights from three stakeholder groups – software developers, suppliers and customers
What are the key challenges different stakeholders are facing in advancing software supply chain security and how are they addressing them?
Moderated by Daniel Saraga, Founder, Saraga Communications
Alban Hessler, Senior Manager Advisory and Professional Services, ELCA Security
Siddhartha Rao, Vice President, Product Security, SAP
Mauro Vignati, Adviser Digital Technologies of Warfare, International Committee of the Red Cross (ICRC)
Talk: Open Source Software Supply Chain Security
by David A. Wheeler, Director of Open Source Supply Chain Security, Linux Foundation
On average 80%-90% of the components of today’s software are open source software (OSS). This presentation will discuss OSS supply chain security, including the most common attacks and countermeasures against them. It will especially focus on the work being done by the Linux Foundation Open Source Security Foundation (OpenSSF) to improve OSS supply chain security, including Supply chain Levels for Software Artifacts (SLSA), concise guides, education, scorecards, best practices badge, sigstore (for digital signing and verification), and giving multi-factor authentication (MFA) tokens to some widely-used OSS projects.
Talk: Open source software security and threat detection – an entry point for assault or remedy?
by Alexandre Dulaunoy, Core Team Member, MISP, and Security Researcher, Computer Incident Response Center Luxembourg (CIRCL)
Part 3: Implementing solutions and best practices
Talk: Building better foundations for secure software systems
by Prof. Shweta Shinde, Head of the Secure & Trustworthy Systems Group, ETH Zürich
Software systems are ever-growing in size and complexity while being rife with vulnerabilities. Patches and defenses are continuously deployed, but the software attack surface is extremely large and attackers invariably find ways to gain a persistent foothold. An effective way to end the arms race between vulnerabilities and defense tools is by isolating the software using trusted hardware. With such isolation, what is the least amount of code that needs to be bug-free to securely run user applications? At the moment, even after using trusted hardware, this number can be upwards of a few million lines of code. Can we do any better?
In this talk, I will present a foundational approach to safeguard applications against large and potentially buggy software using trusted hardware.
Panel: Advancing the practical implementation of SBOMs and international standards
Moderated by Prof. Mathias Payer, Head of the HexHive Lab, EPFL
Hakim Mkinsi, Technical Programme Manager, ISO
Christoph Plutte, Master Security Specialist, Ericsson Product Security Incident Response Team, Ericsson
Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation
Part 4: The Future of software supply chain security
Keynote: Cybersecurity – a Swiss perspective
by Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration
Panel: Exploring the future of software supply chain security
From public-private collaboration across geopolitics to new approaches to data and information supply chain security or an evolving view of open source libraries as critical infrastructure, what factors will impact the future of software supply chain security?
Moderated by Daniel Saraga, Founder, Saraga Communications
Tony De Bos, VP of Global Advisory, Kudelski Security
Francesca Bosco, Senior Advisor, CyberPeace Institute
Prof. Mathias Payer, Head of the HexHive Lab, EPFL
Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration