Abstract:

Modern software relies extensively on pre-existing code. From libraries to build scripts, the wide availability and functionality of open source code accelerates software development at a rapid pace. This abundance of ready-made building blocks comes with additional security risks. Besides exploiting vulnerabilities found directly in the software, attackers aim to compromise any indirect part of the targeted software, from build and deployment pipelines to third-party dependencies.

In this talk we focus on the security threats that arise from the software supply chain. We cover two specific aspects of software supply chain attacks in depth: code dependencies and build pipelines. In our first work, we present Mininode, a tool we created to reduce the attack surface of Node.js applications by removing unused modules and functions. Mininode uses static analysis to detect which parts of the code are actually used and constructs a detailed dependency graph that enables the removal of unused code. In our second work, we study the security of GitHub's continuous integration platform. We identify the fundamental security properties that must hold for any CI/CD system and examine whether the popular CI/CD platforms enforce these properties. Our work highlights potential attack vectors that can be used to compromise the execution of workflows, consequently leading to supply chain attacks.

Bio: https://kapravelos.com/shortbio/

Photo: https://kapravelos.com/public/prof.jpg
