
Defending Against Software Supply Chain Attacks - Cyfinoid Research - DCTAC2025
Name of Training: Defending Against Software Supply Chain Attacks
Trainer(s): Anant Shrivastava
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm
Venue: TBD
Cost: $2,200
Course Description:
Software development is a collaborative effort. We do not build software alone; most of the time we depend on many moving parts. These moving parts form the software supply chain. Attackers succeed by linking small weaknesses across the entire chain. People and their workstations, source repositories, dependency ecosystems, remote and central package registries, third party SaaS, build and release workflows, containers, cloud infrastructure and runtime environments are all in scope.
This two-day, hands-on class focuses on defenders. We start by bringing everyone to the same base level of knowledge and shared terminology, then walk through a set of handpicked case studies. Each case study is a faithful replication of a real-world attack.
Our aims:
- Understand how the attack flow worked
- Identify which controls could have detected the attack
- Identify preventive controls
- Plan how to handle after effects
Case studies are selected for unique attack flows with minimal overlap. Throughout, we introduce tools and techniques with emphasis on open source software or those deployable locally. We cover tooling for SBoM generation, verification and comparison, plus provenance verification and attestation.
As we work through the case studies we build our own framework for handling supply chain issues. In the second half of Day 2 we compare and contrast it with industry frameworks like SLSA and NIST SSDF to see what is missing or added.
We close with management aspects such as build vs buy. Attendees leave with an action plan they can start applying the next day.
Course Outline:
Module 0 : Foundations
- Definition of software supply chain beyond the pipeline
- Third party dependencies
- Remote and central package registries
- DevSecOps
- xBOM family (SBoM, CBoM and more)
- Provenance and attestation basics
- Supply chain detection and response
- Deployment basics via cloud or containers
- Tools of Trade
Module 1 : Developer Workstation compromise
- Why Developer Workstation
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 2 : SolarWinds style Build compromise
- How does build pipeline work
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 3: Log4Shell style Vulnerable dependency
- 3rd party code dependencies
- Transitive dependencies
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 4: xz Utils backdoor Attack
- Trust and validation of 3rd party packages
- Reproducible builds and behavioural anomaly
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 5 : CI System compromise via 3rd party action
- Inner workings of Git version control systems
- CI as initial foothold system
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 6 : Package manager (npm/PyPI) malware
- Identification of supply chain component maturity
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 7 : Two step supply chain Compromise (3CX)
- Identification of compromise at end user level
- Interesting things for an attacker
- Attack flow
- Detection and Prevention Controls
- How to respond after attack
Module 8 : Framework Derivation
- Collate all the detection and prevention controls
- Identify unique set of activities
- Identify, Protect, Detect, Respond
Module 9 : Comparison to industry standards
- Mapping to OSC&R Framework
- Mapping to NIST SSDF
- Comparison to SLSA and CSF v2
Module 10 : Organisational Dynamics
- Build vs Buy
- Open source vs commercial license
- How to implement the framework technically
Difficulty Level:
Beginner
Suggested Prerequisites:
Basic knowledge of software development and IT security concepts is assumed. Familiarity with cloud platforms and CI/CD processes would be beneficial but not mandatory.
What Students Should Bring:
- Laptop or tablet with a browser that can connect to the internet over Wi-Fi
- Please ensure that you use devices that are not bound to an extremely strict web proxy/DLP
- GitHub account. Not a work-related account
- GitLab account. Not a work-related account
Trainer(s) Bio:
Anant Shrivastava is a highly experienced information security professional with over 15 years of corporate experience. He is a frequent speaker and trainer at international conferences, and is the founder of Cyfinoid Research, a cyber security research firm. He leads open source projects such as Tamer Platform and CodeVigilant, and is actively involved in information security communities such as null, OWASP and various BSides Chapters and DefCon groups.
Registration Terms and Conditions:
Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after October 2, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.