June 2023
Intermediate to advanced
336 pages
10h 12m
English
Content preview from Software Transparency
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
CHAPTER 1Background on Software Supply Chain Threats
This chapter outlines core topics such as the incentives for attackers, anatomy of a software supply chain attack, and relevant landmark cases. Let's begin by discussing the incentives for attackers to perform a supply chain attack.
Incentives for the Attacker
Supply chain attacks circumvent traditional perimeter defenses in ways that make them very attractive for the attacker. Organizations have invested heavily in firewalls, intrusion prevention, and access controls. These protections are defensive measures against a “push” style of attack that directly targets an organization's infrastructure. Supply chain attacks foster a scenario that is more of a “pull,” where legitimate users of information technology (IT) request software updates that are malicious, causing the user to knowingly compromise their organization. Because the request originated from a trusted user and came from inside the corporate perimeter or was sent to a trusted entity already cleared by a third-party risk management process, these updates were trusted. Organizations simply compromise themselves.
When you are exploring the controls necessary to defend against attacks, it is not sufficient to consider a single layer as an effective defensive measure. In much the same way that network infrastructure administrators have realized they need to monitor outbound traffic or implement host-based controls, this move toward defense in depth, and especially ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.