Towards safeguarding software components from supply chain attacks

Behnaz Hassanshahi

Abstract

Software supply chain attacks exploit discrepancies between source code repositories and deployed artifacts, highlighting the need for rigorous integrity checks during the artifact’s build process. As systems grow in complexity, preemptive measures are essential to ensure that the source code certifiably aligns with the deployed code. Modern software development relies heavily on third-party libraries sourced from registries like Maven Central, npm, and PyPI. However, these ecosystems have become prime targets for supply-chain attacks, which introduce malware into trusted packages and also shadow them. Such attacks jeopardize both developers and users, compromising the integrity of their software supply chain. This presentation discusses recent supply chain attacks and proposed solutions. Additionally, we present Macaron, our open-source project from Oracle Labs offering a flexible checker framework and policy engine to detect and mitigate supply chain security threats, safeguarding software components and maintaining their security posture over the development lifecycle.

Date
Apr 24, 2024 2:15 PM — 3:00 PM

Behnaz is a principal researcher at Oracle Labs Australia, working in the areas of program analysis and security. She received her PhD from the National University of Singapore in 2016. Her research has contributed to techniques in static and dynamic analysis of Android, Java, Node.js, and client-side JavaScript applications, and most recently supply chain and infrastructure-as-code security. Behnaz has led the Gelato project for web application fuzzing, which was transferred to the SaaS Cloud Security team at Oracle and is now actively finding bugs in Oracle products. Currently, she leads the open-source initiative Macaron, aimed at analyzing software supply chain and infrastructure security issues. Her passion lies in designing tools that empower developers to construct inherently secure software.

Behnaz Hassanshahi’s webpage