Numerous reports have highlighted the increased number of software supply chain attacks in recent years. The Verizon Business Data Breach and Investigation Report (DBIR) 2024 concluded that breaches stemming from third-party software development organizations played a role in 15% of the more than 10,000 data breaches that Verizon documented, a 68% jump from last year. Additionally, ReversingLabs' "The State of Software Supply Chain Security 2024" noted that incidents of malicious packages found on popular open-source package managers have increased by 1,300% over the past three years (2020–2023).
It is no surprise, then, that many of the talks to be presented at Black Hat USA 2024 will discuss this growing attack surface. Here are eight handpicked software supply chain security talks happening in Las Vegas next month that security leaders should not miss. They feature the ways in which AI can help or hinder software security, threats to CI/CD processes, the impact of stolen software credentials, and more.
We R in a Right Pickle with All These Insecure Serialization Formats
Wednesday, August 7, 2024, 11:20 am–12:00 pm
Presented by Kasimir Schulz, principal security researcher at HiddenLayer, and the company's vice president of research, Tom Bonner, this talk will focus on Python, namely the pickle module, a serialization format in the Python ecosystem that has become synonymous with insecurity. However, this talk deviates from the normal discourse around pickle, focusing not on the format itself but on the main root of the problem: the use of bytecode-driven serialization formats. Attend this talk to hear why these formats cause such insecurity via a deep dive into RDS, R's serialization format, including a look at a critical code execution vulnerability found within it that could lead to a wide-scale software supply chain attack.
15 Ways to Break Your Copilot
Wednesday, August 7, 2024, 11:20 am–12:00 pm
Microsoft Copilot Studio is the technology that powers Microsoft's copilots (AI assistants), and the platform behind custom copilots built in the enterprise. The promise behind this technology is that every copilot build is secure, which results in the assumption that every bot will be secure by default. This talk, by Michael Bargury, will answer the question: Does this promise and inherent assumption hold up under scrutiny? Spoiler: It does not. Attend this talk to find out why and how to build copilots that mitigate such failures.
From HAL to HALT: Thwarting Skynet's Siblings in the GenAI Coding Era
Wednesday, August 7, 2024, 1:30 pm–2:10 pm
Chris Wysopal, CTO and co-founder of Veracode, will explore the impact of GenAI on software development and its implications for cybersecurity in this Black Hat session. With GenAI, developers are shifting from doing traditional code reuse to generating new code snippets by GenAI prompt, signifying a huge change in software development dynamics. This change also means new AppSec challenges. Come to this talk to learn more about what these challenges are, why they exist, and how to address them.
Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction
Wednesday, August 7, 2024, 1:30 pm–2:10 pm
There is currently a systemic lack of awareness around self-hosted CI/CD agent security. Organizations can speed up the development lifecycle by using CI/CD systems, but they make fundamental configuration errors, especially when using self-hosted build agents. These errors expose organizations, and any dependents, to potentially high-impact supply chain attacks. Two security researchers, Adnan Khan and John Stawinski, will address this insecurity in their talk and answer the questions: How can attackers exploit your organization's CI/CD pipelines? And how can you defend against these attacks?
PyLingual: A Python Decompilation Framework for Evolving Python Versions
Wednesday, August 7, 2024, 2:30 pm–3:00 pm
Python is a popular choice for creating malware, so much so that Python temporarily stopped the registration of new users in March 2024. However, what makes it a great choice for malicious campaigns (ease of development, wide user base, prebuilt modules, and multiplatform compatibility) also makes it popular within the cyber-community. Such popularity increases the demand for Python decompilers, but efforts to maintain these types of tools are hindered by Python's unstable bytecode specification, leaving the demand unmet. This presentation from nine researchers will attempt to address this issue by integrating natural language processing (NLP) techniques with classical programming language (PL) theory to create a Python decompiler that can function on Python with minimal human maintenance effort.
Isolation or Hallucination? Hacking AI Infrastructure Providers for Fun and Weights
Wednesday, August 7, 2024, 4:20 pm–5:00 pm
Hillai Ben-Sasson and Sagi Tzadik, two security researchers from Wiz, will present the result of their attempts to answer the question: How susceptible are AI-as-a-service systems to attacks that could compromise their security and expose sensitive customer data? The result takes the form of a novel technique that gives cross-tenant access to customers' private data, including private models, weights, datasets, and even user prompts. The attack also can achieve global write privileges, allowing for the deployment of a backdoor to launch software supply chain attacks. This talk is a must in the growing age of AI.
Flipping Bits: Your Credentials Are Certainly Mine
Thursday, August 8, 2024, 11:20 am–12:00 pm
This talk introduces Certainly, a pioneering offensive/defensive tool. Security researchers STÖK and Joona Hoikkala designed it to simplify long-term passive credential harvesting and payload deployment of bitflip-typosquatting domains. Bit flipping is the process of changing a single bit from 1 to 0 or 0 to 1, which results in a valid domain that is off by one character. For example: Google could become “woogle,” if bit-flipped. The speakers will revisit and expand on previously published bit-flip research before showcasing how Certainly can be used in your next red-team engagement.
Mainstage: Let Me Tell You a Story: Technology and the 4 Vs
Thursday, August 8, 2024, 12:15 pm–12:40 pm
Join the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, for a quick 25-minute talk about technology and its future, one that's focused on the betterment of cybersecurity, both within and outside critical infrastructure areas. CISA has already taken some steps toward this future through its software supply chain security policies, such as Secure by Design. Find out what else is in the works by attending the talk.
Looking for something to do between talks? Come see RL at Booth #2660
Security leaders can stop by ReversingLabs' booth on the exhibition floor to chat with our experts about our powerful software supply chain security solution, RL Spectra Assure. Plus, we’ll have cookies (the good kind!).