
Your software’s supply chain: the advanced invisible threat

In April 2024, a Microsoft engineer happened to stumble across a concerted attack on a low-level utility library relied upon by dozens of Linux distributions. The multi-year attack, in execution since 2021, has been described as one of the “best executed supply chain attacks”. But what is a “supply chain” with respect to technology, and how do you secure your company?

This article explores both in detail from the perspective of a technology executive.

The XZ Utils Attack

The XZ Utils backdoor, tracked as CVE-2024-3094 … I won't get into what XZ is, other than to say it's a low-level, innocuous-looking library relied upon by dozens of Linux distributions.

Why you should care

The software supply chain

Securing your Software Supply Chain (“triple-S-C”, or “3SC”)

High Level Architectures?

Why should a technology executive care?

  • talk about . If the backdoor vulnerability wasn't discovered by chance by a security-minded engineer, the remote code execution capability would have been catastrophic.

  • talk about CVSS scoring… 10 = VERY VERY BAD

What can you do about it?

  • solutions such as Chainguard, binary authorization!
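To show what "binary authorization" actually enforces, here is an added example (not Chainguard's or any vendor's code) of a deploy-time admission check: an artifact is admitted only if it is referenced by immutable digest, that digest carries a build attestation, and the attestation was signed by a trusted builder. All artifacts, keys and builder names are constructed; an HMAC stands in for the asymmetric signature a real system (e.g. sigstore/cosign) would use.

```python
import hashlib
import hmac
import json

# Constructed stand-ins. A real deployment holds an asymmetric signing key in the
# build system and verifies with its public key; HMAC is used here only so the
# example runs with the standard library.
CI_SIGNING_KEY = b"constructed-ci-key-not-a-real-secret"
TRUSTED_BUILDERS = {"ci-prod"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(payload: dict) -> bytes:
    # Sort keys so signer and verifier hash exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def attest(artifact: bytes, builder: str, key: bytes) -> dict:
    """Build-time step: record which builder produced this digest and sign the claim."""
    payload = {"digest": "sha256:" + sha256_hex(artifact), "builder": builder}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_attestation(att: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(att["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["signature"])


def admit(image_ref: str, attestations: list, key: bytes) -> tuple:
    """Deploy-time policy. Returns (admitted, reason) so the decision can be logged."""
    if "@sha256:" not in image_ref:
        # A tag such as :latest can be repointed after review; only digests are immutable.
        return False, "image not pinned by digest (mutable tag)"
    digest = "sha256:" + image_ref.split("@sha256:", 1)[1]
    for att in attestations:
        if att["payload"].get("digest") != digest:
            continue
        if not verify_attestation(att, key):
            return False, "attestation signature invalid"
        builder = att["payload"].get("builder")
        if builder not in TRUSTED_BUILDERS:
            return False, "built by untrusted builder " + str(builder)
        return True, "digest attested by trusted builder"
    return False, "no attestation for digest"


# Constructed artifacts: a reviewed build and a modified copy of it.
GOOD_BUILD = b"constructed-build-output-reviewed"
TAMPERED = b"constructed-build-output-with-extra-bytes"

GOOD_ATT = attest(GOOD_BUILD, "ci-prod", CI_SIGNING_KEY)
FORGED_ATT = attest(TAMPERED, "ci-prod", b"constructed-attacker-key")   # signed with the wrong key
UNTRUSTED_ATT = attest(GOOD_BUILD, "dev-laptop", CI_SIGNING_KEY)        # valid signature, untrusted builder
ATTESTATIONS = [GOOD_ATT, FORGED_ATT]

GOOD_REF = "registry.example/app@sha256:" + sha256_hex(GOOD_BUILD)
TAMPERED_REF = "registry.example/app@sha256:" + sha256_hex(TAMPERED)
TAG_REF = "registry.example/app:latest"

if __name__ == "__main__":
    for ref in (GOOD_REF, TAMPERED_REF, TAG_REF):
        print(ref, "->", admit(ref, ATTESTATIONS, CI_SIGNING_KEY))
```

The three refusal reasons map onto the three controls an executive is buying with such a product: immutable references (nothing deploys from a tag), provenance (every digest traces to a build), and a trust root (only builds from the pipeline you control count).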

Let's Work Together