Savvy cyberattackers have turned their attention to the open source software supply chain as developers strive to innovate faster than ever, resulting in vulnerabilities. Shabir Bhat, Regional Sales Director, Middle East, Checkmarx, tells us why organisations must consider taking a proactive approach to defending against these attacks to ensure business as usual.
How and why have attackers shifted their focus to the open source software supply chain?
It’s the path of least resistance. Developers have more and more pressure pushed upon them to innovate faster and leveraging open source software helps them achieve this goal because it allows them to use code that’s already been written, saving them time. When developers pull open source into their organisation without due diligence, they are essentially inviting a stranger’s code into their organisation.
Moreover, very popular projects also provide tempting targets. For example, a package that was downloaded around eight million times every week was compromised by an account takeover attack which injected a malicious version of the package into the supply chain. You can imagine how much damage can be done very quickly.
Why is open source a viable target?
A significant portion of all code contains open source software, which exposes organisations to vulnerabilities. Checkmarx expects Tactics, Techniques and Procedures (TTPs) like dependency confusion, typosquatting, repository jacking (aka ChainJacking), and star jacking, to become imminent cyberattack methods due to issues with open source.
What are the hallmarks of successful supply chain attacks and what are the worst outcomes?
Successful supply chain attacks typically target the weakest link in the supply chain and usually involve the attackers replacing legitimate files with malicious files. These can result in several types of disastrous outcomes, such as ransomware attacks (Colonial Pipeline), SolarWinds (30K+ companies affected) and the like.
Could you share a few examples of different types of open source supply chain attacks?
Open Source supply chain attacks are designed to confuse developers. Some examples include:
Typosquatting: Attackers purposely misspell package names, which are often common typos, hoping developers will make a mistake, or accidently grab a package that looks very similar to the one they are searching for.
Dependency Confusion: A Dependency Confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.
Chain Jacking: Developers often deploy software and packages to public registries for organisations, projects and other developers to implement; attackers using chainjacking techniques will emulate typosquatting techniques. However, they use a legitimate former name of a package developer rather than a similar name.
What is the best practice approach to defending against these attacks?
Companies need to provide their developers with proactive solutions to safeguard their development ecosystem. This means providing developers with solutions that allow them to treat open source code, with the same scrutiny as they treat their own proprietary code.
Also, solutions which address the use of open source code have to start with identifying the OSS packages being used, called directly by application code or included indirectly.
The next step is understanding if any of the packages being used contain vulnerabilities, prioritising vulnerabilities and providing information about mitigating them.
This is all part of Software Composition Analysis. Organisations are now demanding that SCA go further to include hunting for malicious packages in OSS dependencies.
What tools and technologies do organisations need to be able to take a proactive approach to defense?
Checkmarx offers three great open source products (Chain Alert, DustiLock and ChainJacking) that help developers safeguard their environments against a number of supply chain attacks. This technology is available in Checkmarx SCA and constantly runs in the background, helping enterprises build a process for vetting open source packages for not only known vulnerabilities, but for malicious packages too.
What advice would you offer organisations keen to develop a long-term strategy for protecting against these threats?
Organisations should pay close attention to the latest advancements in supply chain security. The SLSA Framework is a great place to educate organisations on supply chain best practices, and recently NIST published a full overview on C-SCRM (Cyber Supply Chain Risk Management) that helps organisations understand the different roles and responsibilities of employees to help protect the supply chain.
What role is Checkmarx playing in helping to keep organisations secure?
Checkmarx is constantly pushing the boundaries of Application Security Testing to make security seamless and simple for the world’s developers while giving CISOs the confidence and control they need.
As a leader in AppSec testing, we provide the industry’s most comprehensive solutions, giving development and security teams unparalleled accuracy, coverage, visibility and guidance to reduce risk across all components of modern software – including proprietary code, open source, APIs, software supply chain and infrastructure-as-code.
More than 1,600 customers, including nearly half of the Fortune 50, trust our security technology, expert research and global services to securely optimise development at speed and scale.
Checkmarx lets modern development practitioners incorporate open-source packages into their development process with zero friction while staying protected against modern supply chain attacks such as embedded backdoors and trojans. We include this in our Checkmarx Software Composition Analysis, Checkmarx Supply Chain Security (SCS) solutions.
The use of third-party software components is part of the modern software development culture with over 90% of engineering teams worldwide building and shipping software that uses external code, by far the most of it is open source code. Checkmarx facilitates extreme agility and allows developers to focus on their own code which differentiates their applications, it also increases the attack surface of organisations.
Unlike traditional approaches which are reactive since they wait for the attack to be exposed before taking action to secure your company, Checkmarx takes a proactive approach and actively scans the packages to avoid the risk and understand where your teams should focus remediation efforts.
Checkmarx Software Supply Chain Security provides a first of its kind solution for ahead of time detection of software supply chain attacks.Click below to share this article