Revealed in March 2021, 35 global technology companies were hacked via the ‘Dependency Confusion’ method. Here’s what you can do to protect against future attacks.
When an ethical hacker announced he’d successfully breached 35 technology company’s vulnerable software supply chains, including Apple, Microsoft and Netflix, it was no surprise to Sonatype.
Our research team detected over 300 suspicious packages back in 2020, led by Alex Birsan’s research efforts. We added these components to our data, alerted the community, and have been actively protecting customers ever since.
By taking advantage of a novel concept known as ‘dependency confusion’ aka ‘namespace confusion’, Birsan pushed his research packages downstream in an automated fashion to the development environments of multinational technology companies. The method he described is now widely deployed by other actors, with 1444% growth in similar packages in a week since he published his findings.
In this 30 minute webinar, Ax Sharma, Security Researcher and Advocate, Brian Fox, CTO, and Ilkka Turunen, Field CTO, discuss the events that led to the breaches, how this particular method of software supply chain attack is so simple, and yet so effective and what you can do about it to avoid exposure in the future.
Additional topics covered include:
-
Ethical hacking: why organizations can pay upwards of $100k a breach
-
How Sonatype detected and protected
-
Clear steps on how to avoid future attacks
Speakers
Ax Sharma
Security Researcher and Advocate
Ilkka Turunen
Field CTO
Brian Fox
CTO