BlackHat MEA - Software Supply Chain Security - No Kill Switch Yet

Abstract

Supply chain security is complex to solve in this real world. Numerous software with notable features is available for free of cost. The scary part is they come with unforeseen hidden baggage of security vulnerabilities, supply chain security & trust issue. A few hacks in the past year; Faker.js, Color.js, log4j, etc. Since the past few months, there have been numerous cyber-attacks across the globe & SBOM is the key buzzword. SBOM refers to the Software Bill Of Materials. Lack of visibility on software components or packaging & delayed patching are the primary reasons for the supply chain attacks. Even Google released SLSA (Supply-chain Levels for Software Artifacts) framework that can be adopted in multiple stages like source, build, provenance & common uses. Numerous other tools help us to generate SBOM in different phases of SDLC. This presentation aims to bring awareness to the problems & challenges related to heavily relying on open-source solutions from a security point of view. We will discuss some methods to tackle these new kinds of security vulnerabilities. I aim to increase awareness of SBOM, why it’s mandatory, the different formats of SBOM, and how to generate, manage and monitor SBOMs for other use cases.

Rewanth Tammana

Senior Security Architect

Rewanth Tammana is a security ninja, open-source contributor, and an independent consultant. Previously, Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities). Holds industry certifications like CKS (Certified Kubernetes Security Specialist), CKA (Certified Kubernetes Administrator), etc. Rewanth speaks and delivers training at multiple international security conferences around the world including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others. He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.