7 votes

SolarWinds: The untold story of the boldest supply-chain hack ever

2 comments

  1. aditya
    SolarWinds introduced Project Trebuchet as a response to this hack where they showed off a more resilient build setup. IIRC, this was the keynote for 2021's Open Source Summit as well. Trebuchet uses in-toto attestations for software provenance and reproducible builds semantics to defend against build-time compromises.

    The software supply chain security space as a whole has blown up since SUNBURST came to light. The OpenSSF has a bunch of projects and working groups focused on related efforts, as does the CNCF. SLSA's a key framework that's grabbed some headlines in recent months with the v1.0 release and so on. I suspect we're some way off from seeing broad adoption of all the new tooling and practices though.

    I'm personally very excited about all of this. I'm studying software supply chain security as part of my PhD and I'm one of the maintainers of in-toto.

    5 votes
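The comment above mentions in-toto attestations and reproducible-build semantics as a defence against build-time compromise. The following is an added example (not code from the thread, from in-toto or from Project Trebuchet) showing what a consumer-side check of such attestations looks like: a builder emits an in-toto Statement carrying a SLSA provenance predicate inside a DSSE envelope, and the verifier only accepts an artifact whose digest is vouched for by signatures from several independent trusted builders. It uses only the Python standard library, so HMAC-SHA256 stands in for the asymmetric signatures real in-toto/DSSE deployments use; the builder ids, keys and artifact bytes are constructed sample values.

```python
"""Consumer-side verification of in-toto/SLSA-style provenance (added example).

Assumptions (not from the page): HMAC-SHA256 replaces the asymmetric
signatures used by in-toto/DSSE in practice, and the builder identities,
keys and artifact bytes below are constructed sample values.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Hypothetical builder identities and their verification keys (constructed).
TRUSTED_BUILDERS = {
    "https://builder.example/ci-a": b"key-for-builder-a",
    "https://builder.example/ci-b": b"key-for-builder-b",
}

# Constructed sample artifact standing in for a build output.
SAMPLE_ARTIFACT = b"clean build output"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: binds payload type and payload under one signature."""
    def part(b: bytes) -> bytes:
        return b"%d %s" % (len(b), b)
    return b"DSSEv1 " + part(payload_type.encode()) + b" " + part(payload)


def make_attestation(builder_id: str, key: bytes, name: str, artifact: bytes) -> dict:
    """Builder side: wrap a SLSA provenance statement for `artifact` in a signed DSSE envelope."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PREDICATE,
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": builder_id, "sig": base64.b64encode(sig).decode()}],
    }


def verify_attestation(envelope: dict, artifact: bytes) -> str:
    """Return the trusted builder id that vouches for `artifact`, or raise ValueError."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payload type")
    payload = base64.b64decode(envelope["payload"])
    verified_builder = None
    for s in envelope.get("signatures", []):
        key = TRUSTED_BUILDERS.get(s.get("keyid"))
        if key is None:
            continue  # signatures from unknown keys are ignored, not trusted
        expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            verified_builder = s["keyid"]
            break
    if verified_builder is None:
        raise ValueError("no valid signature from a trusted builder")
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != SLSA_PREDICATE:
        raise ValueError("not a SLSA provenance statement")
    if statement["predicate"]["runDetails"]["builder"]["id"] != verified_builder:
        raise ValueError("builder id in predicate does not match the signing key")
    digest = sha256_hex(artifact)
    if not any(subj["digest"].get("sha256") == digest for subj in statement["subject"]):
        raise ValueError("artifact digest is not covered by the attestation")
    return verified_builder


def verify_reproducible(envelopes: list, artifact: bytes, min_builders: int = 2) -> bool:
    """Reproducible-build policy: the exact same bytes must be attested by at least
    `min_builders` distinct trusted builders, so one compromised build host
    cannot vouch for a trojaned artifact on its own."""
    builders = set()
    for env in envelopes:
        try:
            builders.add(verify_attestation(env, artifact))
        except ValueError:
            continue
    return len(builders) >= min_builders


def demo() -> dict:
    """Run the checks over the constructed sample data and report the outcomes."""
    a = make_attestation("https://builder.example/ci-a", b"key-for-builder-a", "app.bin", SAMPLE_ARTIFACT)
    b = make_attestation("https://builder.example/ci-b", b"key-for-builder-b", "app.bin", SAMPLE_ARTIFACT)
    rogue = make_attestation("https://builder.example/rogue", b"rogue-key", "app.bin", SAMPLE_ARTIFACT)
    return {
        "two_independent_builders": verify_reproducible([a, b], SAMPLE_ARTIFACT),
        "single_builder": verify_reproducible([a], SAMPLE_ARTIFACT),
        "tampered_artifact": verify_reproducible([a, b], b"trojaned build output"),
        "untrusted_builder": verify_reproducible([a, rogue], SAMPLE_ARTIFACT),
    }


if __name__ == "__main__":
    print(demo())
```

The policy in `verify_reproducible` is what "reproducible builds semantics" buys a consumer: an attacker who owns one build environment can still emit a valid attestation, but it will not match the digest produced by an independent builder, so the artifact is rejected rather than shipped.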
  2. akkartik
    "The attackers were in thousands of corporate and government networks. They might still be there now."

    3 votes