
New Video from No Limit Secu Discusses Supply Chain Security
In this new video from No Limit Secu, the weekly French-language podcast dedicated to cybersecurity, Maxime Rinodo and Thomas Chachouin discuss the security of software supply chains. They are joined by several contributors, including Nicolas Ruf, Paul Amar, Étienne Ladent, and Hervé Chaur. The discussion focuses on attacks targeting supply chains, particularly those aimed at software suppliers.

Maxime Rinodo explains that what distinguishes a supply-chain attack is that the target and the victim are different entities: the attacker compromises one of the target's software suppliers, so that the target becomes vulnerable the moment it pulls the compromised dependency. A striking example is the attack on the XZ library, in which a developer who had worked his way into the project inserted malicious code that allowed the SSH authentication system to be bypassed. Preparing that attack took about three years, which illustrates the cost and complexity of such operations.

The experts then turn to the build infrastructure of Linux distributions, particularly Fedora and openSUSE. They identified flaws in the tools used to manage sources and compile packages, notably Pagure for Fedora and Open Build Service for openSUSE. These tools, often maintained by a handful of developers, had argument injection vulnerabilities that allowed arbitrary command execution. An attacker could therefore modify packages on the fly, injecting malicious code into the build before the result is cryptographically signed; because the signature is applied to the already-compromised package, it passes verification and the package looks entirely legitimate.

Thomas Chachouin and Maxime Rinodo stress the importance of securing open-source infrastructure, which is often neglected. They suggest that companies invest more in it, by funding security audits and supporting open-source projects. They also mention SBOMs (Software Bills of Materials) as a way to trace the origin of software dependencies, while noting that they remain complex to implement.
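The argument injection the experts describe is easy to reproduce in miniature. What follows is an added example written for this summary, not code from Pagure, Open Build Service, or the podcast: a Python wrapper that builds a `git log` command from a user-controlled ref name, on the assumption (mine, not the page's) that the ref arrives straight from a URL or form field, as it would in a web front end to a repository. The function names and the hostile path `/srv/build/hook.sh` are constructed for the example. Even without a shell, a ref such as `--output=/srv/build/hook.sh` is parsed by git as an option, and `git log --output=<file>` writes its output into that file, which is the kind of primitive that turns a read-only history page into a file write on the build host. The hardened version validates the ref against a subset of git's ref-naming rules and fences it with `--end-of-options`; plain `--` would not do for `git log`, because everything after `--` is treated as a path, not a revision.

```python
"""Argument injection through a git wrapper, and a hardened form.

Added example for this summary; not code from Pagure, OBS or No Limit Secu.
Function names and the "ref comes from the request" framing are assumptions.
"""
from __future__ import annotations

import re
import shutil
import subprocess

GIT_LOG_BASE = ["git", "log", "--oneline", "-n", "5"]


class BadRef(ValueError):
    """Raised when a user-supplied ref name is refused."""


# Subset of the rules `git check-ref-format` enforces: the character class
# excludes spaces, control characters, ':', '~', '^', '?', '*', '[', '\\'
# and, by requiring an alphanumeric first character, a leading '-'.
_REF_CHARS = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def is_safe_ref(ref: str) -> bool:
    """True if `ref` is a plausible branch/tag name that git cannot read as an option."""
    if not _REF_CHARS.fullmatch(ref):
        return False
    if ".." in ref or ref.endswith(".lock"):
        return False
    # Every path component must be non-empty and must not start with '.'.
    return all(part and not part.startswith(".") for part in ref.split("/"))


def validate_ref(ref: str) -> str:
    """Return `ref` unchanged or raise BadRef."""
    if not is_safe_ref(ref):
        raise BadRef(f"refused ref name: {ref!r}")
    return ref


def vulnerable_log_argv(ref: str) -> list[str]:
    """What many wrappers do: append the ref and rely on 'no shell' for safety.

    A list avoids shell injection, but git still parses its own argv, so a ref
    beginning with '-' is an option: "--output=/tmp/x" makes git log write its
    output into that file instead of stdout.
    """
    return GIT_LOG_BASE + [ref]


def hardened_log_argv(ref: str) -> list[str]:
    """Validate the ref, then fence it with --end-of-options.

    --end-of-options (git >= 2.24) stops option parsing while still treating the
    next argument as a revision.  Plain "--" would not do here: for git log it
    turns the remaining arguments into pathspecs, so "git log -- main" shows the
    history of a *file* called main.
    """
    return GIT_LOG_BASE + ["--end-of-options", validate_ref(ref)]


def user_arg_is_parsed_as_option(argv: list[str]) -> bool:
    """Flag an argv whose last (user-controlled) element git would treat as an option."""
    last = argv[-1]
    fenced = "--end-of-options" in argv[:-1] or "--" in argv[:-1]
    return last.startswith("-") and not fenced


def run_git_log(repo_dir: str, ref: str) -> str:
    """Run the hardened command inside an existing repository (git must be installed)."""
    if shutil.which("git") is None:
        raise RuntimeError("git is not installed")
    proc = subprocess.run(
        hardened_log_argv(ref), cwd=repo_dir, capture_output=True, text=True, check=True
    )
    return proc.stdout


if __name__ == "__main__":
    hostile = "--output=/srv/build/hook.sh"  # constructed hostile ref name
    print("vulnerable argv:", vulnerable_log_argv(hostile))
    print("parsed as option:", user_arg_is_parsed_as_option(vulnerable_log_argv(hostile)))
    print("hardened argv:  ", hardened_log_argv("main"))
    try:
        hardened_log_argv(hostile)
    except BadRef as exc:
        print("hardened rejects:", exc)
```

Two things worth keeping in mind when applying this to a real build service: the allow-list is deliberately narrower than what git itself accepts, which is the right trade-off for a name that arrives over the network, and the fence matters even with validation in place, because the next developer may relax the regex without remembering why it excluded a leading dash. The same pattern (validate, then `--end-of-options` or `--` as the subcommand requires) applies to every git, rpm, or tar invocation that a web front end or build pipeline assembles from request data.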
The discussion concludes on a note of vigilance, with a reminder that supply-chain security is a daily task requiring regular penetration tests. The experts encourage companies to be proactive in securing their infrastructure and to collaborate with the open-source community to strengthen overall security. To learn more, watch the full video at: https://www.youtube.com/watch?v=P8e-Vzq1l3o