Webinar | On Demand

How to Avoid the ‘Dependency Confusion’ Software Supply Chain Hack

Revealed in March 2021, 35 global technology companies were hacked via the ‘Dependency Confusion’ method. Here’s what you can do to protect against future attacks.

When an ethical hacker announced he’d successfully breached the vulnerable software supply chains of 35 technology companies, including Apple, Microsoft and Netflix, it was no surprise to Sonatype.

Back in 2020, following the lead of Alex Birsan’s research efforts, our research team detected over 300 suspicious packages. We added these components to our data, alerted the community, and have been actively protecting customers ever since.

By taking advantage of a novel concept known as ‘dependency confusion’ (also called ‘namespace confusion’), Birsan pushed his research packages downstream, in an automated fashion, into the development environments of multinational technology companies. The method he described is now widely used by other actors: similar packages grew by 1444% in the week after he published his findings.

In this 30-minute webinar, Ax Sharma, Security Researcher and Advocate, Brian Fox, CTO, and Ilkka Turunen, Field CTO, discuss the events that led to the breaches, why this particular method of software supply chain attack is so simple yet so effective, and what you can do to avoid exposure in the future.

Additional topics covered include:

  • Ethical hacking: why organizations can pay upwards of $100k a breach

  • How Sonatype detected and protected

  • Clear steps on how to avoid future attacks

Speakers

Ax Sharma

Security Researcher and Advocate

Ilkka Turunen

Field CTO

Brian Fox

CTO