What is the impact of software supply chain security challenges?
Digital innovation creates competitive advantage and value for every type of business. Three things are common among corporate software engineering teams:
- They seek faster innovation
- They seek improved security
- They utilize a massive volume of open source libraries
Faster innovation does not mean that developers need to reinvent the wheel. Instead, faster innovation demands efficient reuse of code, which has led to a growing dependence on open source and third-party software libraries. Developers pull artifacts from public software repositories (npm, Maven Central, PyPI, NuGet Gallery, RubyGems, etc.) and use them as reusable building blocks. This is the definition of the modern software supply chain.
According to a recent report by Sonatype, developers around the world are projected to request more than 1.5 trillion open source software components and containers in 2020. This reliance on open source components greatly speeds up innovation but often comes at a high price: many of the components available for download contain dangerous vulnerabilities.
Supply chain threats are increasing
Choosing open source software should be considered an important strategic decision for enterprise software development organizations. Just as traditional manufacturing supply chains select parts from approved suppliers and rely upon formalized procurement practices, development teams should adopt similar criteria for their open source components to ensure the highest quality parts are selected from reputable suppliers.
However, the reality is a bit different. Development teams often rely on an unchecked variety of open source software projects. Each team member can make their own sourcing and procurement decisions, placing trust in their component’s authenticity and integrity. The complexity of multi-layered open source software supply chains can obfuscate risk for those seeking to avoid it. The findings of the Sonatype 2020 State of Software Supply Chain Report are indicative of the threats and risks development teams are exposed to.
- In 2019, 10.4% of the billions of downloads had at least one known vulnerability.
- Nearly 40% of all npm packages rely on code with known vulnerabilities.
- 66% of security vulnerabilities in npm packages remain unpatched, leaving developers who want to use secure packages with no safe alternatives.
- Open source software components make up 90% of a modern application, and 11% of these components have at least one known security vulnerability.
According to the X-Force Threat Intelligence Index, attacks on known vulnerabilities increased to 30% in 2019, up from 8% the previous year. Development teams relying on open source components that sometimes contain known vulnerabilities were not immune to these attacks. The 2020 DevSecOps Community Survey found that 21% of software developers had experienced an open source component related breach in the past 12 months.
Next generation software supply chain attacks
Legacy software supply chain attacks, such as the Struts incident at Equifax, target publicly disclosed open source vulnerabilities that are left unpatched. By contrast, next generation software supply chain attacks are more sinister because bad actors are no longer waiting for public vulnerability disclosures.
Instead, they are injecting malicious code into open source projects that feed the global supply chain. By shifting their focus “upstream,” bad actors can infect a single component, which will then be distributed “downstream” using legitimate software workflows and update mechanisms. According to security researchers at the University of Bonn, SAP Labs France, and Fraunhofer FKIE, “From an attacker’s point of view, [large scale, public internet-based] package repositories represent a reliable and scalable malware distribution channel.”
Next-generation software supply chain attacks are feasible for three reasons:
- Open source projects rely on contributions from thousands of volunteer developers. Distinguishing between community members with good or malicious intent is difficult.
- Open source projects incorporate hundreds of dependencies from other open source projects, which may contain known vulnerabilities.
- The open source community is based on trust. Bad actors exploit this ethos and prey upon well-meaning contributors with ease.
The complexity of open source supply chains is highlighted by the fact that a few hundred contributors may affect thousands of software components. If an adversary were to successfully identify entry points into projects supported by one of those developers, they could dramatically widen the impact of their open source supply chain attacks.
In fact, this is already happening. The Sonatype 2020 report found that next-generation cyber-attacks actively targeting open source software projects have increased by 430% since 2019. From February 2015 to June 2019, 216 such attacks were recorded, while from July 2019 to May 2020 an additional 929 attacks were documented.
The most common type of attack is typosquatting, an attack vector that targets developers making innocent typos when searching for popular components. Another common attack is malicious code injection, which is carried out through a variety of means, including stealing developers’ credentials or tampering with open source developer tools so that they inject malicious code into downstream applications. This approach allows adversaries to set traps “upstream” and then carry out attacks downstream once the compromised code has moved through the supply chain.
Addressing software supply chain attacks
While bad actors are increasingly shifting their attention upstream, it is critical to understand and manage the software supply chain threats that remain prominent downstream. Specifically, organizations must establish rapid reaction processes to respond quickly to new vulnerability disclosures by finding and fixing vulnerable open source dependencies in production applications. The Equifax breach and SaltStack vulnerability are great examples that prove that speed is critical when responding to legacy software supply chain attacks.
With an ever-increasing number of application breaches occurring, agencies and governments are publishing guidelines to ensure the quality and security of the code produced and used by many mission-critical applications.
In May 2019, CISA’s Supply Chain Risk Management (SCRM) published a guide on how to start securing software supply chains. The recommendation includes steps such as building a list of the software components organizations procured, mapping supply chains to better understand what components were being procured, determining how organizations would assess the security culture of suppliers, and establishing systems for checking supply chain practices against guidelines.
In April 2020, NIST released new standards for improving software security aimed at helping “software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.”
NIST’s Secure Software Development Framework offers several practices to improve the management of open source software supply chains, including:
- Create and maintain a software bill of materials (SBOM) for each open source component.
- Securely archive a copy of each release and all its components.
- Ensure each software component is actively maintained, which should include remediation of new vulnerabilities found in the software.
- Determine a plan of action for each third party and open source software component that is obsolete.
- Establish an organization-wide software repository to host sanctioned and vetted components.
- Maintain a list of organization-approved commercial open source components and component versions.
- Have a security response plan to handle a generic reported vulnerability.
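As an added example, not code from the original post or from (ISC)², the following Python gate checks a dependency manifest against an organization-approved component and version list (one of the practices above) and flags names one edit away from an approved package, which is the typosquatting pattern described earlier. The approved list, package names, versions and the sample manifest are all constructed.

```python
# Added example (not from the original post): an allow-list gate for a
# dependency manifest, combining two practices the post describes: an
# organization-approved component/version list and a check for names one
# edit away from an approved package (a typosquatting signal). Constructed data.
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "urllib3": {"2.2.2"},
    "cryptography": {"42.0.8"},
}

def levenshtein(a, b):
    """Edit distance between two package names (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text):
    """Parse 'name==version' lines into (normalized name, version or None)."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        deps.append((name.strip().lower().replace("_", "-"), version.strip() or None))
    return deps

def check_manifest(text, approved=APPROVED):
    """Return one finding per dependency that fails the allow-list gate."""
    findings = []
    for name, version in parse_requirements(text):
        if name in approved:
            if version not in approved[name]:  # unpinned or unapproved version
                findings.append(f"{name}: version {version} is not approved")
            continue
        near = [p for p in approved if levenshtein(name, p) == 1]
        if near:
            findings.append(f"{name}: possible typosquat of {near[0]}")
        else:
            findings.append(f"{name}: not on the approved list")
    return findings

SAMPLE = """requests==2.31.0
urlib3==2.2.2   # one character missing from urllib3
cryptography==41.0.0
left-pad==1.0.0
"""
```

Running `check_manifest(SAMPLE)` yields one finding each for the misspelled package, the unapproved version and the unlisted package, while the approved pin passes silently.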
How CSSLP can help
CSSLP is the industry’s premier secure software development certification. Earning the globally recognized CSSLP secure software development certification will arm you with the foundational knowledge to address software supply chain risks and attacks and implement common mitigation strategies to reduce the risk of embedded malicious code.
CSSLP certification recognizes leading application security skills. It shows employers and peers you have the advanced technical skills and knowledge necessary for authentication, authorization, and auditing throughout the SDLC using best practices, policies and procedures established by the cybersecurity experts at (ISC)².
(ISC)² is the leader in security certifications and is acknowledged by companies worldwide. To learn how you can benefit, read our white paper How to Reap the Benefits of DevSecOps, or download the CSSLP Ultimate Guide.