Developer in a digital crosshair, 2022 edition

Author: Mateusz Olejarka

One of the reasons we all have a job is the growing complexity of software. The days when an app could sit and run on a single server seem long gone. Now we have clouds, virtualization, containerization, microservices, put whatever buzzword you want here. And we are losing the general picture of how it all works together. Complexity makes creating software harder and securing software harder. So, interesting times ahead.

This presentation takes you through recent attacks aimed at software developers and software companies. First, it starts with attacks on the libraries you install or have installed (typosquatting, malicious library updates pushed after a maintainer's credentials were taken over, protestware), even your private ones (dependency confusion). Second, it shows attacks on the tools used in software development (package managers). Third, there are examples of attacks on developers' infrastructure (the PHP programming language's git server, the GitHub OAuth incident involving Heroku and Travis-CI).

It ends with general recommendations on how to secure your libraries and keep the tools and infrastructure you use secure. Awareness that such techniques exist and the lessons learned from these incidents are the two most important takeaways. Enjoy!

Mateusz Olejarka
Principal IT Security Consultant
Head of Web Security