EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securitysupply-chainSolarWindscontainer-security

Cloud Supply Chain Security & Third-Party Risk Management

The SolarWinds and XZ Utils attacks demonstrated that trusted software is a high-value attack vector. Cloud environments extend the supply chain to container images, infrastructure modules, CI/CD pipelines, and SaaS integrations — each requiring specific controls.

Ashish Revar3 July 202620 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

CISA Software Supply Chain Security Guidance

CISA comprehensive guidance on securing software supply chains.

NIST SP 800-204D: Securing Cloud-Native Applications

NIST draft guidance on supply chain security for cloud-native microservices.

GitHub Actions Security Hardening

GitHub official guidance on securing CI/CD workflows using OIDC and minimal permissions.

Sigstore: Code Signing for the Cloud Supply Chain

Open-source tooling (cosign, rekor, fulcio) for signing container images and binaries.

More articlesTest your knowledge

The Extended Cloud Supply Chain

In traditional IT, the software supply chain ended at the application binary. In cloud environments, the supply chain includes:

ComponentSupply Chain RiskExample Incident
OS base imagesUnpatched CVEs, backdoored imagesMultiple malicious Docker Hub images with crypto miners
Third-party librariesDependency confusion, typosquattingevent-stream npm package backdoor (2018)
Infrastructure-as-Code modulesMalicious Terraform module executionAttackers publishing malicious modules to Terraform Registry
CI/CD pipeline integrationsGitHub Actions, Jenkins plugins with malicious behaviourCodecov bash uploader tampered (2021)
SaaS integrationsOAuth tokens with excessive scopeThird-party app stores data beyond stated purpose
Cloud provider servicesProvider's own software supply chainSolarWinds SUNBURST (2020): software update mechanism

The SolarWinds Attack: A Cloud Supply Chain Case Study

In December 2020, it was discovered that the SolarWinds Orion network monitoring platform — used by 18,000+ organisations including US government agencies — had been compromised during the software build process. A malicious DLL (SUNBURST) was inserted into the legitimate build pipeline and signed with SolarWinds' code signing certificate.

Cloud-specific impacts:

  • Attackers used SUNBURST to steal SAML token signing certificates from Microsoft Active Directory Federation Services
  • These certificates allowed forging SAML assertions for any Azure AD user without their credentials
  • The attacker could authenticate to Microsoft 365 as any user in the organisation without knowing their password
  • The attack was detected months after initial compromise

Lesson for cloud security: Signing certificates — whether for code, SAML, or TLS — are crown jewels. Compromise of a signing certificate bypasses all authentication controls.

Container Image Supply Chain

Container images are layered filesystems. Most production container images start from a public base image (ubuntu:22.04, python:3.12, node:20-alpine). Any vulnerability in the base image is present in every image built from it.

Secure container image pipeline:

Developer commits code
      ↓
CI pipeline pulls base image
      ↓
Scan base image (Trivy / Grype) → Block on Critical/High CVEs
      ↓
Build application layer
      ↓
Scan final image
      ↓
Sign image (cosign / Notary v2)
      ↓
Push to private registry (ECR, ACR, GAR) with OCI signing
      ↓
Admission controller (OPA Gatekeeper / Kyverno) verifies signature before deploy
      ↓
Runtime monitoring (Falco) alerts on unexpected syscalls

Key principle: Never pull and run an image that has not been scanned and signed by your pipeline. The latest tag on Docker Hub is a high-risk tag — it changes silently.

Dependency Confusion and Typosquatting

In a dependency confusion attack, an attacker publishes a malicious package to a public registry (npm, PyPI) with the same name as an internal private package. Package managers that check public registries before private ones install the attacker's version.

Mitigation:

  • For npm: use a .npmrc with @scope:registry=https://internal-registry and registry=https://registry.npmjs.org scoped to your namespace
  • For pip: use --index-url pointing to your private repository; disable --extra-index-url
  • For Terraform: pin module versions and use terraform_wrapper or a private module registry

Typosquatting (e.g., publishing requets instead of requests) exploits developer typos. Use pip-audit, npm audit, and Dependabot to catch known-bad packages.

CI/CD Pipeline Security

The CI/CD pipeline has root-equivalent access to your cloud environment. It can deploy code, modify infrastructure, and read secrets. This makes it a high-value target.

CI/CD RiskControl
Secrets in environment variablesUse cloud-native secrets (AWS SSM, Vault); never store in CI config
Pipeline runs on shared runnersUse self-hosted runners for sensitive operations; harden the runner OS
PR triggers CI that accesses productionGate production deploys on branch protection and manual approval
Third-party GitHub Actions with broad permissionsPin Actions to SHA not tag; use permissions: read-all by default
OIDC not configured (long-lived access keys used)Replace with OIDC; rotate any remaining keys every 90 days

Third-Party SaaS Integration Risk

Every SaaS application connected to your cloud environment via OAuth expands your attack surface. When an employee connects their Slack workspace to a third-party app that requests files:read and admin.users:read, that app can access all Slack files and user data.

Control approach:

  • Maintain an approved SaaS integration list
  • Require security review before approving new OAuth integrations
  • Use CASB (Cloud Access Security Broker) to detect and control SaaS connections
  • For critical SaaS (Salesforce, Workday, GitHub Enterprise), enforce SSO through corporate IdP — do not allow direct password login