Attacks on open-source and commercial software will continue to rise in 2023, says a new security vendor report on the software supply chain.
However, the authors of the report also believe that the increased security measures developers are taking — particularly on open source platforms like Github, NPM, RubyGems and PyPI — may slow that growth.
The conclusion comes in a report on the state of supply chain security issued Monday by ReversingLabs. (Registration required)
To bridge the gaps in both the monitoring and detection of supply chain threats and attacks, software developers must scrutinize open-source risks and better co-ordinate work between development teams and security operations centers (SOCs), the report says.
“Almost two years after word of the SolarWinds hack first spread, software supply chain
attacks have shown no sign of abating,” the authors note.
“In the commercial sector, attacks that leverage malicious open-source modules continue
to multiply. Enterprises saw an exponential increase in supply chain attacks since 2020,
and a slower, but still steady rise in 2022.
“The popular open-source repository NPM, for example, saw close to 7,000 malicious package uploads from January to October of 2022 — a nearly 100 times increase over the 75 malicious packages discovered in 2020 and 40 per cent increase over all packages discovered in 2021.
“The Python Package Index (PyPI) was also flooded with tainted open-source modules
designed to mine cryptocurrency and plant malware, among other things.”
A number of high-profile organizations including Samsung and Toyota found themselves embarrassed by secrets exposed through open-source repositories that were maintained internally or by third-party contractors, the report adds.
Open source platforms and governments have responded, the report notes. For example, in the U.S., new federal guidance for tightening supply chain security came into effect. That included a practice guide for software suppliers to the federal government issued by the Enduring Security Framework (ESF) Software Supply Chain Working Panel. In September, a memorandum from the Office of Management and Budget required software firms to attest to the security of software and services they license to executive branch agencies.
In 2023, software publishers with U.S. federal contracts will need to clear higher bars
for software security to meet the new guidelines, including having to attest to the security
of their code and — in some cases — produce a software bill of goods that provides a roadmap for tracking down supply chain threats, the report says.
“Given that the threat of supply chain attacks goes beyond publishers that sell to the [U.S.] federal government, all organizations that develop software will need to take similar steps to keep ahead of these threats,” the report says.
Yet there are great challenges. The report notes that GitHub’s security team has reviewed and issued advisories for almost 9,300 vulnerabilities in GitHub modules across all languages. But more than 177,000 advisories related to GitHub modules remain unreviewed, many with “critical” ratings. These advisories, which constitute 95 per cent of the total vulnerability count, aren’t connected to Github’s Dependabot service, so no warning will be issued for them, the report notes.
The report also points out that this year so-called “protestware” emerged, in which maintainers of legitimate applications decide to weaponize their software in service of some larger cause. In January, for example, downstream applications with dependence on the
popular NPM libraries called ‘colors.js’ and ‘faker.js’ found their applications caught in
an infinite loop, printing ‘LIBERTY ‘LIBERTY LIBERTY’ followed by a sequence of gibberish non-ASCII characters. The incident was intentional — an act of protest by the maintainer “Squires” for what he perceived as uncompensated use of his libraries by for-profit firms.
The report says application development teams can take four steps to combat growing software supply chain risks:
–go beyond focusing on vulnerability management and code quality to encompass growing
supply chain threats like malware, malicious insiders, and other continuous integration compromises that can lead to unauthorized code changes;
–bring release engineers and security engineers together to co-ordinate their
activities. Security operations centers need to follow attackers as they shift left, broadening their mandate to encompass monitoring of software supply chain threats as part of their overall risk monitoring;
–increase focus on finding and closing open-source risks;
–invest in proactive threat hunting.