A new security vendor report on the software supply chain says attacks on open-source and commercial software will continue to increase in 2023.
However, the report’s authors also believe that an increase in the security measures developers are taking — particularly on open-source platforms such as GitHub, npm, RubyGems and PyPI — may be slowing that growth.
The findings come from a report on the state of supply chain security released on Monday by ReversingLabs (registration required).
The report states that to bridge the gap in both monitoring and detection of supply chain threats and attacks, software developers should investigate open-source risks and better coordinate work between development teams and security operations centers (SOCs).
“Nearly two years after news broke of the SolarWinds hack, the software supply chain extends for the first time
The authors noted that there has been no sign of a decrease in attacks.
“In the commercial sector, attacks leveraging malicious open-source modules continue to multiply. Enterprises see exponential growth in supply chain attacks from 2020 and a slower, but still steady, increase in 2022.
“The popular open-source repository npm, for example, saw close to 7,000 malicious package uploads from January to October of 2022 – a nearly 100-fold increase from the 75 malicious packages discovered in 2020 and 40 percent growth over all packages discovered in 2021.
“The Python Package Index (PyPI) was also filled with corrupted open-source modules designed to mine cryptocurrencies and plant malware, among other things.”
The report said several high-profile organisations, including Samsung and Toyota, found themselves embarrassed by secrets exposed through open-source repositories, created either internally or by third-party contractors.
The report said that open source platforms and governments have responded. For example, new federal guidance went into effect in the US to tighten supply chain security. It included a practice guide for software suppliers to the federal government issued by the Enduring Security Framework (ESF) Software Supply Chain Working Panel. In September, a memo from the Office of Management and Budget required software firms to certify the security of software and services they license to executive branch agencies.
In 2023, software publishers with US federal contracts will need to clear a higher bar for software security to meet new guidelines, including certifying the security of their code and — in some cases — generating a software bill of materials (SBOM) that provides a roadmap for tracking down supply chain threats, the report said.
“Given that the threat of supply chain attacks extends beyond publishers who sell to the [U.S.] federal government, all organizations that develop software will need to take similar steps to stay ahead of these threats,” the report said.
Yet there are major challenges. The report states that GitHub’s security team has reviewed approximately 9,300 vulnerabilities in GitHub modules across all languages and issued advisories. But more than 177,000 advisories related to GitHub modules have not been reviewed, many with a “critical” rating. These advisories, which account for 95 percent of the total vulnerability count, are not associated with GitHub’s Dependabot service, so no warnings will be issued for them, the report notes.
The report also notes that this year saw the emergence of so-called “protestware”, in which maintainers of legitimate applications decide to weaponize their software in the service of a greater cause. In January, for example, downstream applications with a dependency on the popular npm libraries ‘colors.js’ and ‘faker.js’ found themselves stuck in an infinite loop, printing ‘LIBERTY LIBERTY LIBERTY’ followed by a sequence of gibberish non-ASCII characters. The incident was deliberate—an act of protest by the maintainer “Squires” against what he perceived as uncompensated use of his libraries by for-profit firms.
The report states that application development teams can take four steps to address the growing risks of the software supply chain:
- Go beyond a focus on vulnerability management and code quality to include development supply chain threats such as malware, malicious insiders, and other continuous integration compromises that could lead to unauthorized code changes;
- Bring together release engineers and security engineers to coordinate their activities. Security operations centers need to follow attackers as they broaden their mandate to include monitoring software supply chain threats as part of their overall risk monitoring;
- Increase focus on finding and closing open-source risks;
- Invest in proactive threat hunting.