TMI newsletter 23 – Supply-Chain Security: Evaluation of Threats and Mitigations


With Dry January over, we can provide you with another newsletter with increased energy, mental health, and better concentration, which is why the topics for this month are again aimed at increasing your threat modeling capacity.

The TMI line-up for this month:

  • This month’s guest article is a contribution by Hashimoto Wataru, on how to evaluate threats and mitigations in supply chain security.
  • A Toreon blog post that gives you insights on how to optimize note-taking during threat model assessments.
  • Tips & tricks provides you with yet another useful tool to enhance your workflow.

Supply-Chain Security: Evaluation of Threats and Mitigations

We are grateful to have permission to point to this guest article in our newsletter. Here is a summary with a link to the original Mercari article:

  • This blog details our research into attacks and mitigations related to supply chain security, and more practical applications of supply chain security. In our research, we took an approach that leveraged a more concretely defined pipeline model than existing frameworks currently in use.
  • We examined the effectiveness of each countermeasure related to supply chain security based on the premise that “the point of attack injection does not necessarily coincide with the point of execution”. In particular, we clarified the limited effectiveness of recently trending countermeasures such as a software bill of materials (SBOM), which are often adopted without much thought given to their actual efficacy as a solution.
  • Based on the results of our threat modeling, we proposed the need for a centralized CI pipeline that takes care of operations related to supply chain security through a single point of entry. A centralized CI pipeline can better enforce security requirements to developers, and replace pipelines where responsibility for security ends up delegated to the individual developers of each component in the pipeline.

I’m Hashimoto Wataru, an intern working in Mercari’s Security Engineering Team.
In this blog post, I’ll be talking about the main topic of my internship at Mercari—supply chain security. Modern software services use many automated processes (CI/CD pipelines). These processes are continuously triggered throughout the development process all the way from developers writing code, to when the software itself is actually built, released, and deployed. These processes are built upon many dependencies both internal and external. Due to these dependencies, supply chain attacks can both directly and indirectly target each step of the pipeline. The number of supply chain attacks has been increasing every year, and the severity and impact of these types of attacks is becoming greater.

Mercari uses a large number of services and various CI/CD tools that have many dependencies, and is by no means immune to these kinds of attacks.

In April 2021, Mercari was directly affected by such an incident due to the compromise of an external code coverage tool included in our CI/CD pipeline. As a result of this incident, we decided to review the security risks related to our supply chain and improve security measures in this area.


In this blog, we enumerated various attack methods and mitigations against a concrete pipeline model in order to demonstrate that there is no single perfect measure to ensure supply chain security.

An SBOM is not a silver bullet, and an attestation does not provide an absolute guarantee. Each of these mitigations should be considered to be a single component in a multi-layered defense. That is why it is important to define the necessary requirements clearly and layer your defenses as much as possible. However, this area of research is in its early stages: there are still active discussions, requirements are being reviewed, and related tools are still under development. Therefore, it would be dangerous to blindly trust the proposed frameworks.

It is a necessary and meaningful process to take a fresh look at the pipeline we are using and rethink from the ground up what each of the proposed requirements can and cannot prevent, and how they can be applied and operated in the real world.

Various communities are conducting reviews of supply chain security from their own perspectives. It is our hope that they will complement each other and mutually improve upon each other’s missing perspectives and practicality.

Thank you for reading. If you have any comments or corrections regarding this blog, let us know.


This blog was written with the assistance of the Security Engineering team as a product of my security internship at Mercari. In particular, I’m grateful for the support of Hiroki Suezawa who provided me with a lot of knowledge in many of the areas covered in this blog.
Also a special thanks to Takashi Yoneuchi of Flatt Security Inc. who provided us with a great opportunity to discuss overall supply chain security together. Last but not least, thank you to the Mercari CI/CD team who gave me a lot of insight from the perspective of actual operations.

Curated threat modeling content

Tips & Tricks is a (free) downloadable drawing application that can be run on most operating systems. There are some great tutorials available on their website that can help you create fantastic data flow diagrams:

Toreon blog post: The importance of accurate notes during threat model meetings by Cesar Peeters.

In this blog, Toreonite Cesar Peeters explains why it’s an important task for junior consultants, and how at Toreon, we have adapted our note-taking process so junior employees can learn during the process of creating meeting notes.

We aim to make this a community-driven newsletter and welcome your input or feedback. If you have content or pointers for the next edition, please share them with us.

Kind regards,
Sebastien Deleersnyder
CTO, Toreon

Book a seat in our upcoming trainings

  • Threat Modeling Practitioner training, hybrid online, hosted by DPI (cohort starting on 27 February, 2023)
  • Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Insomni’hack, Lausanne (21-22 March, 2023)
  • Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by HITB, Amsterdam (17-18 April, 2023)
  • Threat Modeling Practitioner training, hybrid online, hosted by DPI (cohort starting on 8 May, 2023)
  • Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat USA, Las Vegas (5-8 August, 2023)

We also organize in-company training for groups as of 10 participants.
