133 / Supply chain attack
Does polyfill.js mean all our sites will get pwned?

Explore how copy-paste coding practices that pull in external resources like Bootstrap and polyfill.js pose security risks in web development. Understand how an unnoticed change to such an externally hosted script, much like the earlier left-pad incident, can compromise every site that loads it, affecting even large platforms like Google Maps. Discover mitigations including hosting resources locally and integrity checks, and compare software supply chain compromises to the recent physical supply chain attack in Lebanon. Learn risk mitigation strategies like verifying supply chain integrity and testing inertial properties.

Timeline

00:00 Intro
00:49 Programming is just copy/paste
04:24 JS supply chain attack
04:36 left-pad attack
05:47 Polyfill attack
07:19 God mode answers
08:00 Code integrity check
11:26 Cloudflare VIP
13:03 Zerodays in the wild
15:25 Exploding pagers
18:57 Non-destructive testing

Participants

fulldecent
@fulldecent

William Entriken

vjdeliria
@VjDeliria

Vj Deliria

yodude38
@yodude38

???

t012n4d0
@t012n4d0

???

