Hi, everyone, and thank you for joining my talk, Are We Forever Doomed by Software Supply Chain Risks? If you joined this talk, then it means you care about software and you care about software security, which is great. Most of all, you are probably curious, like I am: how do open-source software supply chain risks impact all of us? You, me, everyone here.
So I wanted to begin with some interesting stories. Let's take a moment to reflect on this picture, what you're seeing on your screen right now. What comes to your mind? Is it a futuristic outlook of the world, like the robots? Are they rising up and becoming a key part of our lives? Perhaps it's other things, like how much does the robot actually learn and upload all of that to the cloud? You know, where is it stored? Is it stored safely? What happens when someone can do something malicious with that data? Most of all, what happens if someone hacks in and interacts with my child? This is my kid, so to speak. What happens when that interaction takes place, when someone is able to compromise it? So, yeah, that's where we are getting started, you know. These are some of the things that are keeping me up at night.
Today I would like to share with you some real-world stories of how developers play a fundamental role in recent and growing security incidents. And also, you know, why should you care about security, software security and software supply chain risks? And also, leave you off to think about who you actually trust.
So, in case you had a doubt, we're seeing more and more open source software being developed. Year after year, right, open source software repositories are growing with more and more open source software, and that is a bigger software footprint. The thing is, the applications that we build are ever more dependent on open source software: not just the fact that we're using open source software, but the applications themselves are using more and more of it as well. So more of us, basically, software engineers, are now accustomed to the way people work in open source, like opening issues and becoming maintainers of open source. More and more of us are maintainers of open source software, and that growth of open source software doesn't come without risks, right? This is why we're all here, because we care about it.
We are continuously witnessing the growth of open source software security vulnerabilities in these ecosystems, like NPM and Java and others. This could be anything from CVE-based vulnerability reports, where you install a piece of software and the installation tells you, you know, there are 1,000 vulnerabilities in there. What happens when that takes place? And also the incidents themselves: malicious packages and different targeted attacks on developers, because we as developers rely on open source software packages, and so we are targeted as well. We'll get to that right now.
Let's rewind back in time, first of all, to get an early glimpse of how one developer perceived the risks of open source software. In 1984, the Turing Award-winning Ken Thompson wrote a short essay titled Reflections on Trusting Trust, in which he describes how he added a backdoor to the Unix login C program, then added a backdoor to the C compiler, and then went one step further in his chain of attacks and added a backdoor to the compiler that compiles the compiler. Right, so in his paper on Reflections on Trusting Trust, he actually explains how software can be taught to learn specific traits and pass them on. Realistically, it is very, very hard to find the traces of things like Trojan horses and backdoors unless you have actually written everything from scratch. And I mean everything: the compiler, the linker, the CPU, the display you're watching this on, the keyboard, everything. It is very hard to trust an ecosystem. So as we learned from Thompson's Trojan horse story, dating back to 1984, developers have been targeted as a vehicle to distribute malicious backdoors and other sorts of malware for a very long time now.
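To make the mechanism Thompson describes concrete, here is a toy model in Python (an added example, not from the talk or from Thompson's paper): "binaries" are plain records, the trojan flag stands in for machine code that the compiler smuggles in and that no source file contains, and the last function applies David Wheeler's diverse double-compiling check, a countermeasure the talk does not mention. The program texts and the backdoor password are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binary:
    """A compiled program in the toy model. 'source' is the text it was
    built from; 'trojaned' stands in for extra machine code that the
    compiler smuggled in and that no source file anywhere contains."""
    source: str
    trojaned: bool = False

# Constructed sample programs; the prefixes are what the trojan keys on.
LOGIN_SRC = "login: grant access only if the password hash matches"
CC_SRC = "cc: translate the given source faithfully"
BACKDOOR = " OR password == 'CONSTRUCTED_MASTER_PW'"  # constructed

def run_compiler(cc: Binary, src: str) -> Binary:
    """Run a compiler binary on source text. A clean compiler translates
    faithfully. A trojaned one recognizes two inputs: login (gets a backdoor)
    and the compiler itself (gets the trojan re-planted on every rebuild)."""
    if not cc.trojaned:
        return Binary(src)
    if src.startswith("login:"):
        return Binary(src + BACKDOOR, trojaned=True)
    if src.startswith("cc:"):
        return Binary(src, trojaned=True)   # survives a rebuild from clean source
    return Binary(src)

def rebuild_from_clean_source(cc: Binary, generations: int = 3) -> Binary:
    """Bootstrap the compiler from its clean source several times using the
    compiler we already have, the way a real toolchain is rebuilt."""
    for _ in range(generations):
        cc = run_compiler(cc, CC_SRC)
    return cc

def diverse_double_compile(suspect: Binary, trusted: Binary, src: str) -> bool:
    """Wheeler's diverse double-compiling check: build the compiler from
    source with an independently written trusted compiler, use that result
    to build it again, and compare with what the suspect compiler produces.
    For a deterministic compiler the outputs must match; a Thompson-style
    trojan makes them differ. Returns True when the suspect passes."""
    stage1 = run_compiler(trusted, src)
    stage2 = run_compiler(stage1, src)
    return run_compiler(suspect, src) == stage2

if __name__ == "__main__":
    infected = Binary(CC_SRC, trojaned=True)        # the one planted binary
    rebuilt = rebuild_from_clean_source(infected)   # clean source, still trojaned
    print("backdoor in login:", BACKDOOR in run_compiler(rebuilt, LOGIN_SRC).source)
    independent = Binary("othercc: independently written compiler")
    print("passes DDC:", diverse_double_compile(rebuilt, independent, CC_SRC))
```

Note that no amount of reading LOGIN_SRC or CC_SRC reveals the backdoor; only rebuilding with a compiler from a separate lineage exposes the difference.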
Let's explore some of these incidents. I'm sure you've probably heard of some of them. In 2018, the JavaScript ecosystem witnessed its first high-impact, spearheaded, targeted attack on maintainers and developers alike, where people working in open source in the ecosystem themselves were the attack target and also the vehicle used to distribute malicious JavaScript code to all of us using that software. The attack itself also targeted developers using open source, specifically a Bitcoin wallet application. This was the well-known Event Stream incident. Event Stream had existed on the NPM registry since 2011, for a very long time now, as you can see. It practically didn't receive any new releases in the last two years, but it gained millions of downloads per week.