The Linux Foundation Member Summit 2021

The software supply chain introduces multiple complexities that are compounded by the velocity of modern agile and DevOps practices. The volume of third-party code from a growing number of unknown sources far outweighs proprietary, custom code. This proliferation of third-party software in modern applications is a boon for developers but introduces gaps in visibility and governance. More recently, attackers have become more savvy in that, instead of attacking businesses directly, they will target the software supply chain attacks as a vehicle for malicious code penetrating vulnerable systems. Dependency confusion is a prominent example of how attackers can piggy-back on top of native package managers within the software supply chain as an attack vector to accessing sensitive data. In this talk, Adam Schaal, Director of Enterprise Security at Contrast Security will share his experiences validating and disclosing a dependency confusion vulnerability in Microsoft Teams as a case study to enterprises should consider safeguarding their third-party software assets.