Hidden Risks of Cloud Supply Chains: Securing Third‑Party Integrations

This talk explores the overlooked vulnerabilities in cloud supply chains—specifically third-party integrations like CI/CD tools, APIs, and dependencies—and demonstrates how attackers exploit them to breach cloud environments. Through a live attack demo and original research, we’ll reveal practical defenses, including SBOM adoption and runtime security, to help the cloud community secure their stacks collaboratively.

Third-party integrations are the lifeblood of cloud-native development, powering everything from SaaS tools to automated CI/CD pipelines and open-source libraries. Yet, as organizations race to innovate, these dependencies have become a critical blind spot, exposing cloud environments to supply chain attacks reminiscent of SolarWinds and Codecov. This talk, rooted in a year-long research effort, unveils the hidden risks lurking in cloud supply chains and arms attendees with both offensive insights and defensive strategies to safeguard their deployments.

We begin by dissecting real-world incidents that highlight the diverse entry points attackers exploit. For instance, in the 2025 Coinbase reviewdog GitHub Action attack, adversaries poisoned the reviewdog/action-setup@v1 tag, targeting the tj-actions/changed-files workflow and introducing a malicious commit to manipulate Coinbase’s pipeline. This case, alongside others like misconfigured API tokens and unvetted IaC templates, underscores the fragility of third-party integrations.

In a live demo, we’ll simulate a sophisticated attack: injecting malicious code into an AWS pipeline via a rogue third-party dependency, escalating privileges to exfiltrate data from an S3 bucket, and pivoting across a multi-cloud environment. Attendees will see firsthand how seemingly benign integrations can unravel an entire security posture.

From there, we pivot to a community-driven defense playbook. We’ll walk through generating SBOMs with tools like Syft and Trivy to map dependency risks, deploying runtime container security with Falco to detect anomalies, and implementing a vendor risk scoring system to prioritize mitigation efforts.
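The reviewdog incident above turned on a mutable tag (`@v1`) being repointed, and the playbook's dependency mapping starts with knowing which workflow steps are exposed to that. The following added Python script, which is not code from the talk or from the speaker, flags GitHub Actions `uses:` references that resolve to a tag or branch instead of a full commit SHA; the workflow text and the SHA in it are constructed placeholders.

```python
import re

# Matches `uses: owner/repo[/subdir]@ref`, quoted or not, on a step line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit, 'missing' if no ref was given, else
    'unpinned' (tags like @v1 and branch names can be moved to a new commit)."""
    if not ref:
        return "missing"
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    return "unpinned"

def audit_workflow(text: str) -> list:
    """Return (line_no, action, ref, kind) for each remote action not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local actions and docker:// images have no git ref to pin; skip them.
        if spec.startswith(("./", "docker://")):
            continue
        action, _, ref = spec.partition("@")
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((line_no, action, ref, kind))
    return findings

# Constructed sample workflow (not from the talk); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: "tj-actions/changed-files@v45"
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<none>'} is {kind}; pin to a full commit SHA")
```

Run it over every file under `.github/workflows/` in CI and fail the build on any finding; pinning to a SHA removes the repointed-tag vector but still needs a review step when the pin is bumped.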

https://rsa2025.cloud-village.org/

Aamiruddin Syed

Supply Chain Software Security

West Palm Beach, Florida, United States
