Last fall, my security research team at BoostSecurity published two articles on supply chain security, beginning an in-depth exploration of the Supply-chain Levels for Software Artifacts (SLSA) model. Our first article, “SLSA dip — At the Source of the problem!”, concentrated on Source Control Management (SCM) systems such as GitHub. There we analyzed the role of SCMs in the supply chain from both Red Team (attackers’) and Blue Team (defenders’) perspectives, culminating in an attack tree built with Deciduous, an open-source security decision tree tool. Since then, we have given a talk entitled “Broken Links: Behind the Scenes of Supply Chain Breaches” at several conferences, including BSides NYC and NorthSec.