Episode 535: Dan Lorenc on Supply Chain Attacks episode artwork

EPISODE · Oct 25, 2022 · 49 MIN

Episode 535: Dan Lorenc on Supply Chain Attacks

from Software Engineering Radio - the podcast for professional software developers · host IEEE Computer Society

Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone else's supply chain; techniques for attacking the supply chain, including compromising the compilers, injecting code into installers, dependency confusion, and typo squatting. They also consider Ken Thompson's paper on injecting a backdoor into the C compiler. The episode then considers some well-known supply chain attacks: researcher Alex Birsan's dependency confusion attack; the log4shell attack on the Java Virtual Machine; the pervasiveness of compilers and interpreters where you don't expect them; the SolarWinds attack on a network security product; and CodeCov compromising the installer with code to insert exfiltration of environment variables into the installer. The conversation ends with some lessons learned, including how to protect your supply chain and the challenge of dependencies with modern languages.

Episode metadata supplied by the publisher feed · Published Oct 25, 2022

NOW PLAYING

Episode 535: Dan Lorenc on Supply Chain Attacks

0:00 49:34

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of Software Engineering Radio - the podcast for professional software developers?

This episode is 49 minutes long.

When was this Software Engineering Radio - the podcast for professional software developers episode published?

This episode was published on October 25, 2022.

What is this episode about?

Dan Lorenc, CEO of Chainguard, a software supply chain security company, joins SE Radio editor Robert Blumen to talk about software supply chain attacks. They start with a review of software supply chain basics; how outputs become inputs of someone...

Can I download this Software Engineering Radio - the podcast for professional software developers episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!