OWASP Meeting in Krakow - Supply chain in application security

Event:
OWASP Meeting in Krakow - Supply chain in application security
Event type:
Meeting
Category:
Topic:
Date:
24.02.2025 (Monday)
Time:
18:00
Language:
English
Admission:
Free
City:
Venue:
Relativity Poland
Address:
Aleje Pokoju 5
Speakers:
Description:
Important note first: unfortunately our previous venue, Techies', is temporarily closed, so this time we are meeting at the Relativity office.
Our main topic for this meeting will be supply chain attack and defence. First, our guest Pedro Fortuna will introduce one class of supply chain attack: so-called resurrected domains. Then we will host a discussion about how we can defend the dependencies in our software so as not to fall victim to the constantly growing number of supply chain attacks.
Agenda:
- Dawn of the Dead - The Tale of the Resurrected Domains
- Pedro Fortuna (CTO at Jscrambler)
- Web applications’ strengths—composability, dynamic distribution, and error-tolerant runtimes—also make them highly vulnerable to supply chain attacks. The heavy reliance on third-party dependencies, especially dynamically loaded scripts, introduces risks as these scripts can be updated without site owners’ knowledge, bypassing integrity checks like SRI.
- A major concern arises when third-party script hosts go offline, leaving their domains up for grabs. Attackers have exploited this by acquiring such domains to inject malicious code into linked websites. In one case, over 1,000 websites were compromised before researchers detected and neutralized the threat.
- Following the incident, further research revealed the widespread nature of this attack vector, leading to the development of a tool capable of scanning millions of websites for similar vulnerabilities. The researchers also created a free tool to alert website owners if they are unknowingly using scripts from defunct, potentially hijacked domains. These findings and tools will be presented in the talk.
- After the break, we will host a discussion about supply chain defence.
- Unpacking the Web Supply Chain: Trust, Risk, and the Future of Secure Development
- In today's fast-paced world of software development, how dependent have we become on third-party components? Has this reliance become more of a liability than an asset?
- Is a completely self-reliant software ecosystem even possible, or will external risks always be a fundamental part of modern development? With the rise of AI and LLMs, how are software creation processes changing? What new supply chain threats are emerging because of these advancements?
- Are traditional security measures like SBOMs, vulnerability management, and runtime security controls sufficient to address these evolving threats?
- With dynamically updating scripts, lack of version control, gaps in CSP, SRI, and integrity monitoring, are enterprises sufficiently protected?
- Can we truly trust the browser environment, or are we vulnerable to manipulated content?
- What innovative strategies, like a zero-trust model, can better secure third-party JavaScript dependencies?
- Looking ahead, what concrete actions are needed to enhance software supply chain security? Is regulation the answer, or could it create more challenges? Should the industry implement a standardized "seal of approval" for third-party components? Are security vendors, enterprises, and regulators doing enough to tackle this growing threat landscape?
- Join us as we challenge assumptions, explore emerging solutions, and outline a path forward in securing the software and web supply chain.
Please RSVP and save the date!
If you have a minute, please share this invitation with friends and in your social media.