Session
Among Us: They're in the Open Source Supply Chain
Enterprise software development has radically changed over the last 20 years, and the threats to those applications are radically changing as well, but our application security tools are still designed with outdated assumptions from the 1900s. We now face more risk from supply chain attacks than from “traditional” vulnerabilities. The first waves of this new generation of threats have garnered a few thinkpieces, but our AppSec toolbox has remained largely unchanged; meanwhile, adversarial foreign threats in the supply chain are evolving faster than anyone ever anticipated.
In this session, we’ll explore the trends that got us here, why supply chain attacks are suddenly thriving (both for criminal and state-sponsored purposes), and why our current tools are blind to the threats. We’ll look at XZ in particular: how this real-world scenario differed from what the experts expected an insider (and likely state-sponsored) open source attack to look like, and what that means for defenders. We’ll show what our research found, both vulnerable projects that are juicy targets for compromise and suspicious maintainers who are already in control of key projects. Then we’ll learn how to adapt our defenses, how to identify the dependencies in our apps that are ripe for compromise, what clues supply chain attackers leave behind, and what we can do to protect our applications from these attacks.
Paul Novarese
DevSecOps Consultant and Researcher
Memphis, Tennessee, United States