Cyberattacks on the software supply chain will continue to grow in 2023. Accordingly, organizations will see a shift in how security teams approach cyber defense. This is according to a recent report by ReversingLabs, which assessed the impact of incidents in the software supply chain since the one at SolarWinds.
The impact of the 2020 SolarWinds attack was both widespread and deep. Since then, software supply chains have become playgrounds for cyber criminals carrying out lucrative attacks, cyber espionage or simply making a statement.
In response to this trend of finding and exploiting software supply chain weaknesses, security teams have also upped their game, while the government irons out specific guidelines for securing the software supply chain under the Enduring Security Framework (ESF), a public-private enterprise, and new legislation called the Open Source Software Assurance Act of 2022.
“These [software supply chain] attacks are fueled by practices and behaviors that are ubiquitous,” notes ReversingLabs in its State of Software Supply Chain Security 2022-23 report.
“Among them: heavy reliance on centralized cloud-based infrastructure; rapid DevOps practices that have greatly increased the pace of software releases, in part due to the heavy use of third-party commercial and open-source modules to accelerate development; and increased reliance on centralized automatic update mechanisms to facilitate rapid release cycles of modern cloud-based applications and services.”
Key software supply chain security trends observed over the past 12 months:
Trusting open source software that has been seeded with malicious code has proven to be a security weakness for organizations. For example, attacks on the npm and PyPI repositories have increased by 289% over the last four years.
Malicious packages have become a persistent presence in open source repositories, especially npm, where as many as 7,000 malicious packages were found between January and October 2022. That is 100 times the number in 2020 and 40% more than in 2021.
Malicious packages in npm and PyPI | Source: ReversingLabs
npm repositories are the cybercriminals' channel of choice for propagating malicious code and infecting downstream organizations. ReversingLabs said this is because npm hosts more than 3.1 million projects, compared to 407,000 on PyPI and 173,000 on RubyGems.
Specifically, typosquatting scams, that is, the technique in which malicious actors publish a package whose name resembles that of a popular library, have increased.
Protest software represents another risk to the software supply chain. It emerged in 2022, when “maintainers of legitimate applications decide to weaponize their software in the service of some greater cause (be it personal or political)”.
The sabotage of the npm libraries colors.js and faker.js (which printed “LIBERTY LIBERTY LIBERTY” followed by a string of gibberish non-ASCII characters instead of their expected output) and of the open source library node-ipc are examples of protest software.
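As an added illustration of the defensive side of the typosquatting problem described above (this is example code, not part of the ReversingLabs report), the following check flags package names that are suspiciously close to well-known packages. The allowlist of popular names and the candidate names are constructed for the example; a real deployment would derive the allowlist from registry download statistics.

```python
# Added example: a typosquatting pre-install check that compares a requested
# package name against an allowlist of popular packages using edit distance.

# Constructed allowlist for illustration (real deployments would build this
# from registry download statistics).
POPULAR_PACKAGES = {"lodash", "express", "react", "chalk", "request"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Collapse separators and case so 'Lo-Dash' and 'lo_dash' compare equal."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def typosquat_candidates(name: str, max_distance: int = 2):
    """Return (popular_name, distance) pairs that `name` is too close to.

    An exact match is the legitimate package and is not reported; a name that
    differs only in separators or case is reported at distance 0.
    """
    hits = []
    if name in POPULAR_PACKAGES:
        return hits
    norm = normalize(name)
    for popular in sorted(POPULAR_PACKAGES):
        d = levenshtein(norm, normalize(popular))
        if d <= max_distance:
            hits.append((popular, d))
    return hits


if __name__ == "__main__":
    # Constructed candidate names for illustration.
    for candidate in ["lodahs", "expres", "lo-dash", "react", "left-pad"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

A hit is a signal for review rather than proof of malice: legitimate forks and scoped variants will also score close, so the check belongs in front of a human or a reputation lookup, not as an automatic block.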
Meanwhile, organizations may inadvertently leave sensitive information in repositories. “Only recently have we seen malicious attackers turn their attention to the software supply chain as they begin to recognize source code as a rich source of inadvertently embedded secrets that can be used for further attacks,” noted ReversingLabs security analyst Charlie Jones.
Some of the organizations that have been “embarrassed” by the presence of sensitive information such as source code, credentials and access tokens embedded in repositories maintained by either themselves or third parties on open source platforms include the US Department of Veterans Affairs, Toyota, CarbonTV and others.
Number of leaked credentials in projects hosted on PyPI | Source: ReversingLabs
In addition, organizations have been found to rely on vulnerable software dependencies, and the steady stream of open source vulnerability disclosures such as Log4Shell, Text4Shell, Spring4Shell, Python and OpenSSL points to threat actors consistently looking for new avenues of exploitation.
The good news is that organizations are vigilant about this problem. Research conducted by ReversingLabs revealed the following:
- 98% of respondents said that third-party software, open source software and unauthorized software pose a risk to organizations
- 66% of respondents said that exploitable software vulnerabilities are a risk
- 63% of respondents said threats and malware hidden in open source repositories that could lead to incidents like SolarWinds and Codecov are a risk
- 51% of respondents said that the inability to detect unauthorized software is a security risk
- 40% of respondents also highlighted vulnerabilities in CI/CD toolchains as a concern
As such, security teams are expected to counter supply chain attacks with:
- Introducing new features for identifying malicious packages
- More integration with package scanning platforms
- IP range locking
- Automation of supply chain security
- Open source program offices (OSPOs)
- Compliance with open source security under the Open Source Software Assurance Act of 2022
“If data from the past three years is any indication, attacks on software supply chains will increase in both frequency and severity in 2023, as they have in each of the past three years. That, along with new regulations and guidelines aimed at addressing supply chain risk, will put new pressure on development organizations and businesses,” ReversingLabs concluded.
“Going forward, ReversingLabs researchers foresee a shift in both security thinking and investment. Expect increased scrutiny of internal and shared code for evidence of secrets such as credentials to access cloud-based services such as AWS and Azure; SSH, SSL and PGP keys; and a variety of other access tokens and API keys.”
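As an added illustration of the code scrutiny the report anticipates (example code, not from ReversingLabs), the following minimal scanner looks for the classes of secrets named above: cloud credentials such as AWS access key IDs and Azure storage account keys, and PEM-style SSH/SSL and PGP private key headers. The sample configuration lines are constructed for the example; the key patterns are the standard public formats.

```python
# Added example: a minimal secrets scanner for the credential types the report
# says will draw scrutiny, run over constructed sample lines.
import re

# AWS access key IDs are "AKIA" + 16 uppercase alphanumerics; the PEM headers
# are the standard markers for SSH/SSL and PGP private keys; Azure storage
# connection strings carry the key after "AccountKey=" as base64.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "azure_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
}


def redact(token: str) -> str:
    """Keep only the edges of a match so reports never echo a usable secret."""
    return token if len(token) <= 8 else token[:4] + "..." + token[-4:]


def scan_lines(lines):
    """Return (line_number, secret_type, redacted_match) for every hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


# Constructed sample file content; none of these values are real credentials.
SAMPLE_LINES = [
    "DB_HOST=db.internal",
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "AZURE_STORAGE=DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=Q29uc3RydWN0ZWRTYW1wbGVLZXk=",
    "# AKIA in a comment is not a key",
    "-----BEGIN PGP PRIVATE KEY BLOCK-----",
]


if __name__ == "__main__":
    for lineno, kind, redacted in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {kind}: {redacted}")
```

Pattern matching of this kind catches well-formed keys and headers but not high-entropy tokens without a fixed prefix; production scanners add entropy checks and run as a pre-commit or CI gate so a leaked secret is caught before it reaches a shared repository.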