Dependence on software libraries and frameworks continue to grow in popularity. More scrutiny is being placed on reviewing the source code of these dependencies for security vulnerabilities, but little attention is being placed on software dependencies while in transit. In this talk, we will expose weaknesses in software delivery mechanisms and show how malicious software can be added/injected into popular software libraries during transit. We will also demonstrate the impact of these weaknesses using a newly developed tool and provide advice and guidance on defending against these attacks.
Brandon Myers is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has an interest in software development with a large focus on security. Brandon works in the SpiderLabs Research division as a member of the Vulnerability Assessment Team (VAT) where he helps develop the core engine for Trustwave’s Vulnerability Scanning Services.
Jonathan Claudius is a Lead Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 13 years of experience in IT with the last 11 years specializing in Security. At Trustwave, Jonathan works in the SpiderLabs Research Division as a member of the Vulnerability Assessment Team (VAT) where he develops the core engine for Trustwave's Vulnerability Scanning Services.