Supply-chain security

Over the past few years, the software supply chain has gone from a largely ignored part of the development lifecycle to a deeply researched and heavily used attack vector. Adversaries keep discovering new attack surface in it, and they keep finding ways to turn a single compromise into massive impact. From a defender's point of view, your own stack can be secure, but if your supply chain is left untouched, unexamined and unscrutinized, you don't know what attackers know about an important piece of your attack surface.

Development-stage risks

During development you don't process user data, you don't use production keys and you don't use production server credentials. Yet adversaries can still compromise your development pipeline to a degree where they can escalate their privileges all the way to production.

Build and release

Build and release pipelines have many entry points and plenty of exposed attack surface that adversaries will use to compromise your system. This can result in compromised binaries or other artifacts, which in turn let adversaries compromise your users.

Runtime and production

Your production deployment also has a supply chain, and it carries security risk of its own. Attackers can establish themselves in that supply chain in such a way that they compromise your production use case, even when your development, build and release pipelines are secure.

Your supply chain's supply chain

You may have done your part to secure your own, internal supply chain, but do you know how your dependencies treat their pipelines? Do they have secure processes, or can an adversary escalate a position in your dependencies' supply chain into your systems?
Talk to us now about your supply-chain security