Supply Chain Attacks: Focused on NPM Attacks
Supply chain attacks, or attacks on open-source software, are spreading faster than almost any other class of attack. Examples include dependency confusion, Log4j, NPM package attacks, Ruby gem attacks, and many more.
Danish Tariq is a Security Engineer by profession and a security researcher by passion. He has been working in cyber security for over 8 years; it all started in his teenage years out of a curiosity to break things (physical or virtual) and look deep into how they work. His main expertise is penetration testing and vulnerability assessment.
- He has also taken part in bug bounty programs, where he helped many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe, etc.
- Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
- Featured in "The Register" for an initial workaround for the NPM dependency attacks.
- Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, Certified Network Security Specialist (CNSS), IBM Cyber Security Analyst
- Ex-Chapter Leader @ OWASP
- Ex-Top Rated freelancer (Information security category) on Upwork
- Recent security research and CVEs include:
  - CVE-2022-2848 & CVE-2022-25523
- Served as a Moderator @ OWASP 2022 Global AppSec APAC.
This talk focuses on the what, why, and how of supply chain attacks: their impact as the weakest link in the chain, and how to prevent them.
It includes extensive internet scanning of NPM packages to find ones prone to account takeover, along with impact identification and defense.