Cheryl Biswas is a Strategic Threat Intel Analyst with TD Bank in Toronto, Canada. She found her way into InfoSec through a helpdesk backdoor and pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments. Her degree in Political Science has evolved into researching APTs, botnets, ransomware and more. Cheryl is actively involved in the security community as a conference speaker and volunteer, mentors those entering the field, and encourages women and diversity in InfoSec as a founding member of "The Diana Initiative."
Signed, Sealed, Delivered: Abusing Trust in Software Supply Chain Attacks
As Marc Andreessen so aptly noted, “Software is eating the world”. Our technology-driven world increasingly relies on third-party code, open source libraries and shared repositories. We don’t fully appreciate just how interconnected we are, and how that translates into software code dependencies. It took an event like the SolarWinds Orion attack to rattle the bars on that cage and wake us up to what’s been going on for some time. The reality is that software supply chain attacks aren’t new. They’ve been around for many years, and we’ve been watching that check engine light but not really addressing the issues. Recent attacks show how easy it is to create confusion and send malicious code undetected through automated channels to trusting recipients. SolarWinds delivered a hard truth to defenders: everyone is vulnerable when trust can be abused. Where is the weakest link in your software supply chains of trust?