Supply Chain Cybersecurity Forum

Supply Chain Cybersecurity Forum will explore the cybersecurity risks modern enterprises face in their supply chains. It will share best practices in supply chain security management, assisting enterprises in establishing a robust supply chain security system to ensure the overall ecosystem's security.

TIME & LOCATION
AGENDA
5 / 16
09:30 - 10:00
C.K. Chen / Security research director CyCraft Technology

With the Taiwan presidential election underway, cyber attacks by Chinese hacker groups against Taiwan have become more frequent. Recently, we investigated a supply chain attack targeting Taiwan, which focused on a widely used document tool that is not only prevalent in government agencies but also heavily utilized in legal and academic institutions, potentially affecting over 500,000 victims. In this attack, we also discovered traces of malware from many Chinese threat groups. The attackers compromised update servers to deliver malware to victim endpoints and remained undetected for several years.

From this attack, we also reviewed the past decade, from Operation GG to recent supply chain attacks targeting financial institutions. We conducted in-depth analysis of various supply chain attack techniques from both software development processes and supply chain service processes, including supply chain software vulnerabilities, implanting malware into legitimate programs, island hopping attacks, and outsourcer leakage. We analyzed the causes of supply chain incidents and the corresponding defense mechanisms. Additionally, we will introduce how we have utilized AI in the past few years to assist analysts in conducting incident investigations.

5 / 16
10:15 - 10:45
Jasper Liu / Chief RD Officer & Director Onward Security
• Supply Chain Security
• Compliance
• Cyber Resilience
5 / 16
11:00 - 11:30
SZ Lin / President International Society of Automation, Taiwan Section

In today's global cybersecurity landscape, the Software Bill of Materials (SBOM) has become a focal point for enterprises. This presentation will delve into the practical applications, technical challenges, and industry insights of SBOMs, covering aspects such as process management, cross-departmental collaboration, and supply chain integration. Through case study sharing, we will unveil the significance of SBOMs in software management, component tracking, and vulnerability assessment, underscoring the balance between automation and manual review. We will explore the role of SBOMs as part of a comprehensive security strategy, offering strategies to avoid common pitfalls and adopt best practices. Additionally, we will introduce the latest specifications of the SPDX international standard to enhance software security and management efficiency.

5 / 16
11:45 - 12:15
PD Lee / Freelance consultant

The IT department evaluates and purchases many pieces of information equipment and systems every year. But in addition to basic functional testing, have you also conducted security testing on these systems? The speaker will share past experiences in information system security assessment and testing in corporate IT units, including known and undisclosed vulnerabilities and the methods used to discover them during the security testing process, as well as assessment of the manufacturer's vulnerability patching capabilities.

• Security Awareness
• Supply Chain Security
• Cyber Supply Chain Security
5 / 16
14:00 - 15:00
Shin Li / Staff Researcher VicOne

In recent years, the sudden increase in regulatory demands within the cybersecurity domain has presented manufacturers, supply chains, and brand merchants with a critical decision: whether to fully outsource their cybersecurity needs or to establish in-house laboratories to address these demands. How should one select a service provider? Which tools should be chosen? Is it necessary to engage vendors for penetration testing? Should third-party supervisory consultants be hired? How can one manage their supply chain requirements effectively?

This session will skip over the basic introductions and dive directly into the decision-making and risks associated with various cybersecurity certification processes. We'll explore which requirements are manageable through outsourcing, which phases are prone to unexpected challenges, the details to consider when selecting auxiliary tools, and strategies for the ongoing maintenance of information security during the product lifecycle or internal staff training directions, among other topics. Extensive scenario analysis and experience sharing will be featured throughout this presentation.

• Threat Management
• Risk Assessment
• Threat Analysis & Protection
5 / 16
15:45 - 16:15
Canaan Kao / Director TXOne Networks
Daniel Chiu / Manager TXOne Networks

On November 1, 2023, FIRST officially released CVSS 4.0. CVSS is not only one of the most important indicators in the information security industry, but also an important reference for users when facing vulnerabilities.

This speech will introduce the concept of CVSS and the changes in CVSS 4.0, so that when viewers encounter CVSS scores in the future, they will not just see them as numbers but understand the meaning behind them. In addition, we will mention some details that are often overlooked in CVSS, such as: 50% of CVEs are CVSS 7 or above, only a few CVEs with high/critical severity are actually exploited, and the reasons why CVSS scores are generally high.

Finally, through simulation examples, the audience is guided to analyze a vulnerability, evaluate the various CVSS metrics, and use the CVSS calculator to calculate scores.

• Vulnerability Assessment
• Risk Assessment
• Threat Intelligence
5 / 16
16:30 - 17:00
Ken Huang / Sr. Cyber Security Consultant Trend Micro
• Supply Chain Security
• Cyber Supply Chain Security
• APT