Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Explore key insights from CodeSecDays 2024 on software supply chain security. Learn about AI in DevSecOps, SLSA frameworks, developer-security collaboration, and secrets management. Discover strategies for a more secure digital future.

Knowing Your Supply Chain (KYSC) is becoming an increasingly important component of cyber resilience. Understanding the dependencies within your organization and those of your vendors is critical for responding to incidents effectively. Even the most reliable vendors and partners can experience issues. Today, a widespread outage impacted CrowdStrike Falcon, affecting the global supply chain.

This story starts when Sébastien Lorber, maintainer of Docusaurus, the React-based open-source documentation project, notices a Pull Request change to the package manifest. Here’s the change proposed to the popular cliui npm package: Specifically, drawing our attention to the npm dependencies change that use an unfamiliar syntax: Most developers would expect to see a semver version range in the value of a package or perhaps a Git or file-based URL.

Over 100,000 websites fell victim to a recent web supply chain attack through the Polyfill JavaScript library. This incident underscores significant vulnerabilities in third-party script integration across the web. This article covers what Polyfill does, why it’s now a threat, and the steps you should take if your website relies on it.

The defense supply chain is a complex network of partners that sell, manufacture, and distribute services or products to defense agencies worldwide. It is made up of both major corporations and smaller sub-suppliers. Each country has its own network of supply chain partners, including manufacturers, software, services and logistics providers that deliver products and services for military materiel applications.

Polyfill.io helps web developers achieve cross-browser compatibility by automatically managing necessary polyfills. By adding a script tag to their HTML, developers can ensure that features like JavaScript functions, HTML5 elements, and various APIs work across different browsers. Originally developed by Andrew Betts, Polyfill.io injects JavaScript polyfill libraries based on the user agent or other characteristics, streamlining code maintenance.

Over 100,000 websites using a popular JavaScript service (polyfill.io) are now victims of a web supply chain attack. A web supply chain attack is a cyberattack is a type of software supply chain attack that targets a third-party web software component to gain access to an organization’s systems or data. These attacks can be difficult to prevent because they can be hard to detect, take advantage of trust, and have long-lasting effects.