Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editorĀ Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone else's supply chain; techniques for attacking the supply chain, including compromising the compilers, injecting code into installers, dependency confusion, and typo squatting. They also consider Ken Thompson's paper on injecting a backdoor into the C compiler. The episode then considers some well-known supply chain attacks: researcher Alex Birsan's dependency confusion attack; the log4shell attack on the Java Virtual Machine; the pervasiveness of compilers and interpreters where you don't expect them; the SolarWinds attack on a network security product; and CodeCov compromising the installer with code to insert exfiltration of environment variables into the installer. The conversation ends with some lessons learned, including how to protect your supply chain and the challenge of dependencies with modern languages.
