Software supply chains contain widely-used open source code that, when tainted by cybercriminals, can lead to widespread and perennially-lurking vulnerabilities
The most recent high-profile cyberattack — where an initial supply chain infiltration led to Uber Technologies having sensitive information such as customer addresses, email addresses, and license numbers breached — reminds us that cybercriminals are getting very good at attacking any weak links in the supply chain.
In software development, the supply chain is similarly vulnerable to attacks as threat actors infiltrate open source communities to distribute malicious payloads that end up in finished software applications.
Of all the experts, Peter Chestna, CISO, Checkmarx North America should know — his firm deals in application security and has witnessed the trend.
CybersecAsia.net finds out from Chestna how organizations can tighten up their software supply chain security.
CybersecAsia: What has caused the increase in attacks targeting supply chains?
Peter Chestna (PC): Competitive pressures have led to tighter production cycles for developers, increasing their reliance on open source software, while at the same time introducing more errors as projects become increasingly rushed.
With this trend increasing, open source software supply chains are viewed by attackers as a path of least resistance. Attackers have been shifting their attention to the software supply chain by abusing open source software ecosystems, which have traditionally been trusted by the worldwide developer community.
One can expect to see attackers ‘contributing’ to open source communities more frequently by injecting malicious payloads directly into open source packages, with the goal of exploiting this tainted code at a later date.
CybersecAsia: How do attackers exploit weaknesses in the supply chain to make money?
Malicious actors can monetize attacks on software supply chains for crypto mining, data exfiltration, and ransomware attacks. Each method of attack is monetized differently.
- Typosquatting: Attackers purposely misspell package names, which are often the common typos, hoping developers will make a mistake, or accidently grab a package that looks very similar to the one they are searching for.
- Dependency confusion: This attack method (also called a supply chain substitution attack) involves getting a software installer script to pull a malicious code file from a public repository instead of the intended file of the same name from an internal repository.
- Chainjacking: While typosquatting involves intentionally misspelled package names, chainjacking involves the use of an outdated or abandoned username linked to an open source repository. How? Developers routinely contribute software code and packages to public registries. They sometimes need to change the username linked to an existing repository. The old username is abandoned, and this is where attackers can hijack a trusted but abandoned username for distributing malicious packages to the people in the community who are unaware of the change.
CybersecAsia: How can organizations protect themselves from such attacks?
PC: Preparing for supply chain attacks is best done by building good hygiene habits in the software development life cycle.
Teams should measure and manage their technical debt with a regular update and paydown cycle.
When updating open source becomes a well-rehearsed process, updating under the pressure of the discovery of malicious code or the announcement of a Common Vulnerability and Exposure becomes easy.
Also, organizations must mature the measurement and management of open source software. While open source has many benefits, it poses significant risk if the processes of using such code are not monitored and managed well.
Having the right tooling to provide the needed telemetry, combined with strong engineering practices and security controls, is essential to understanding and managing the risks.
Developers can leverage application security solutions to safeguard their environments against a number of supply chain attacks by running in the background, helping development teams to build a process for vetting open source packages for not only known vulnerabilities, but also for malicious packages.
CybersecAsia: What can we learn from recent attacks?
PC: Organizations should pay close attention to the latest advancements in supply chain security. The supply chain levels for software artefacts (SLSA) framework is a great place to educate organizations on supply chain best practices.
Recently the National Institute of Standards and Technology published a full overview of cyber supply chain risk management that helps organizations understand the different roles and responsibilities of employees to help protect the supply chain. This is a great compendium of cyber lessons learned.
Also, many attacks on the Log4Shell vulnerability offer lessons that the industry has put into practice. The open source Java package or library contained a vulnerability that allows attackers to execute malicious code on the servers that are vulnerable. The time from disclosure to exploit was very short, and the severity of the vulnerability was very high.
Most companies struggled not only with their first party code but also with their commercial off-the-shelf applications from vendors. It was incredibly disruptive. On hindsight, organizations need to prepare for the next incident today by learning from the pains and struggles of the Log4Shell vulnerability.
CybersecAsia thanks Peter Chestna for his insights on application security and software supply chain best practices.