The practice described—creating a registry of software dependencies and hashing vetted packages—is a direct countermeasure against supply chain attacks. A software supply chain attack involves compromising a third-party component, such as a library or package, which is then incorporated into the target organization's systems. By maintaining a registry (a form of Software Bill of Materials or SBOM) and using hashes for integrity checking, the organization can verify that the software components they use are the authentic, vetted versions. This helps detect unauthorized modifications and facilitates rapid incident response by quickly identifying all systems that use a compromised or vulnerable package.

B. Cipher substitution attack: This is a cryptographic attack targeting weaknesses in ciphers, which is unrelated to managing the integrity of software dependencies.

C. Side-channel analysis: This attack exploits information leaked from a system's physical implementation (e.g., power consumption), not vulnerabilities within its software components.

D. On-path attack: This attack intercepts network traffic. While it could be a vector to deliver a malicious package, the registry addresses the package's integrity, which is a supply chain concern.

E. Pass-the-hash attack: This is an authentication attack that uses a stolen credential hash to access network resources and is unrelated to software package management.

---

1. National Telecommunications and Information Administration (NTIA). (2021). The Minimum Elements For a Software Bill of Materials (SBOM).

Section: "What is an SBOM?" (Page 4): "A Software Bill of Materials (SBOM) is a nested inventory

a list of ingredients that make up software components... SBOMs are particularly useful in vulnerability management. When a vulnerability in a particular component is discovered

an SBOM allows an organization to easily determine if they are impacted and take action." This directly supports the scenario's use of a dependency registry for incident response.

2. National Institute of Standards and Technology (NIST). (2022). SP 800-161 Rev. 1

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

Section 2.3.2

"Threats" (Page 13): This section details threats to the supply chain

including the "installation of malicious or counterfeit hardware or software." The use of hashes to verify vetted packages

as described in the question

is a direct control against this threat.

3. Parno

B.

& Jackson

C. (2022). 6.858 Computer Systems Security

Fall 2022 Lecture 15: Web Security. MIT OpenCourseWare.

Slide 47

"Software supply chain attacks": This lecture material defines supply chain attacks as compromising upstream dependencies (e.g.

libraries) that are then used by downstream developers. The scenario's focus on a "commonly used package" aligns perfectly with this definition.

4. National Institute of Standards and Technology (NIST). (n.d.). Glossary: Pass the hash. Computer Security Resource Center.

The glossary defines pass-the-hash as a technique where an "adversary steals a hashed user credential and

without cracking it

reuses it to trick an authentication system into creating a new authenticated session on the same network." This confirms its irrelevance to the scenario.