The Silent Threat Of Software Supply Chain Jacking – Forbes

Organizations are facing increased risk from threat actors exploiting weaknesses in open source code and the software supply chain.

There is a complex web of interdependencies required to source, process, manufacture, and transport goods that has to occur before a vehicle is available on a dealer lot, a product is sitting on the shelf at Target, or the Amazon delivery guy shows up at your door. The same is actually true for software today. There is a supply chain of software code involved in delivering an application or service, and attackers are taking advantage of its weaknesses.

The supply chain is one of those things that was always there, but most people didn't know about it and never thought of it. We shop, and buy, and consume with little understanding of, or regard for, the many moving parts that must align to produce goods.

An apple grows on a tree. It's relatively simple. However, getting the apple from the tree to the produce section at your grocery store requires effort to plant, grow, harvest, sort, clean, and transport the apples. Many factors such as extreme weather, fuel prices, skill and availability of workers, and more all impact the supply chain.

There is a ripple effect to the supply chain, which is responsible for a number of global issues right now. Seemingly unrelated events at the beginning of the supply chain can cascade and amplify into huge production challenges at the other end. The Covid pandemic, Climate Change, and other factors continue to disrupt regions and industries in ways that are impacting everyone around the world.

There is also increasing supply chain risk for cybersecurity. Successfully attacking thousands of targets is a Herculean task. Threat actors recognized that they could compromise one target further back in the supply chain, and leverage that to gain access to the thousands of companies or individuals that rely on that target.

A blog post from Checkmarx explains, "Today's attackers realize that infecting the supply chain of open source libraries, packages, components, modules, etc., in the context of open source repositories, a whole new Pandora's box can be opened. And as we all know, once you open that box, it's nearly impossible to close."

The attack on SolarWinds at the end of 2020 was a supply chain attack. Companies and government agencies around the world use SolarWinds software. Threat actors were able to compromise the SolarWinds software and embed malicious code, which was then downloaded and executed by customers.

Researchers discussed these issues at the RSA Security Conference 2022 in June. Erez Yalon, VP of Security Research at Checkmarx, and Jossef Harush Kadouri, Head of Engineering for Supply Chain Security at Checkmarx, presented a session titled "The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack," which revealed insightful research and provided an attacker's perspective on open source flows and flaws, and on how threat actors can take advantage of software supply chain weaknesses.

Nation-state threat actors and cybercriminals generally seek out the path of least resistance, which is why software supply chain jacking is a growing threat. I spoke with Erez, and Tzachi (Zack) Zornstain, Head of Software Supply Chain at Checkmarx, about the increasing risk.

Zack noted that the way developers write code and create software has evolved. The shift from Waterfall, to Agile, and now to DevOps principles has accelerated and fundamentally changed the process. "There's a huge rise in speed and velocity of change in the last five years. We are moving towards a future, or even a present already, that has way more moving parts. Suddenly application security is not only about your code; it's also about containers, and third party, and open source, and APIs that are talking to each other. Everything out there is somehow connected in all of these small building blocks, and what we see is that the attackers are moving towards it."

Part of that shift has been an increased use of and dependence on open source code. "80% of the lines of code come from open source," shared Erez. "So, it's not a small part of the code. Most of the code in modern applications is from open source."

Leveraging open source code makes sense. It is more expedient to incorporate open source code that performs the function needed. There is also no point in duplicating effort and reinventing the wheel if the code already exists. However, developers, and the organizations that use these applications, need to be aware of the implications of those choices.

The thing about open source software is that anyone can contribute or modify code, and nobody is designated as responsible for resolving vulnerabilities or validating that it's secure. It is a community effort. The belief is that exposing it to the public makes it more secure because it is open for anyone to see the code and resolve issues.

But there are thousands and thousands of open source projects, and many of them are more or less derelict. They are actively used, but not necessarily actively maintained. The original developers have lives and day jobs. The open source code is being provided for free, so there is little incentive to invest continuous effort monitoring and updating it.

Erez and Zack shared with me a couple of examples of very popular open source components being modified in ways that compromised millions of devices running applications that leverage the open source code. One was an example of attackers hijacking the account of a developer of widely used open source code and embedding malicious code in it. The code had been used and trusted for years, and the developer had an established reputation, so it didn't occur to anyone to question or distrust the code.

That was a malicious takeover. The other example illustrates how software supply chain jacking can be a threat when it is intentional as well. Erez and Zack told me about a developer of a popular open source element who modified his code in support of Ukraine in the wake of Russia's invasion. The code was changed to effectively brick or wipe computers in Russia. He didn't hide the update; the change was made public and he was clear about his motives. However, few organizations in Russia that rely on his code are actually aware they use his code, and even fewer would have any reason to read his posts or monitor changes on GitHub.

Software supply chain jacking and issues with the software supply chain in general will continue to expose organizations to risk. Erez summed up, "Basically, the question is whose responsibility is it? We think that because it's our software, it's our responsibility."

Organizations cannot afford to assume that the open source code running in their environments is secure. They also can't assume that, just because the developer has a solid reputation, the open source code has great reviews, and the code has been used safely for years, it can be inherently trusted. Erez added, "It's our job to make sure things are actually working as expected."
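As an added illustration (this is not code from the article or from Checkmarx), here is a small Python check of the kind that "making sure things are actually working as expected" implies: it compares a freshly resolved dependency set against a baseline the team previously reviewed and flags the two patterns behind the examples above, a package whose contents changed under the same version string (a republished or hijacked artifact) and a new version nobody has reviewed (a public but unnoticed change). All package names, versions and file contents are constructed.

```python
"""Flag unreviewed drift in a dependency set against a reviewed baseline.

Added example; not from the article or any vendor. Everything below is constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Baseline: the dependency set last reviewed, recorded as (version, content hash).
# In practice this is a lockfile with integrity hashes committed to source control.
BASELINE: Dict[str, Tuple[str, str]] = {
    "color-strings": ("1.4.0", sha256_hex(b"module.exports = s => s;\n")),
    "tiny-logger":   ("2.0.1", sha256_hex(b"module.exports = console.log;\n")),
}

# Constructed "fresh install" in which three things changed since that review.
CURRENT_INSTALL: Dict[str, Tuple[str, bytes]] = {
    # same version string, different bytes: the published artifact was replaced
    "color-strings": ("1.4.0", b"module.exports = s => String(s);\n"),
    # a newer version arrived that nobody has looked at yet
    "tiny-logger":   ("2.1.0", b"module.exports = console.log;\n// 2.1.0\n"),
    # a package that was never part of the reviewed set
    "left-padder":   ("0.0.1", b"module.exports = s => ' ' + s;\n"),
}


def audit_dependencies(baseline: Dict[str, Tuple[str, str]],
                       installed: Dict[str, Tuple[str, bytes]]) -> List[str]:
    """Return one finding per deviation from the reviewed baseline (empty list = clean)."""
    findings: List[str] = []
    for name, (version, content) in sorted(installed.items()):
        digest = sha256_hex(content)
        if name not in baseline:
            findings.append(f"{name}: not in reviewed baseline (new dependency)")
            continue
        base_version, base_digest = baseline[name]
        if version == base_version and digest != base_digest:
            findings.append(f"{name}@{version}: content changed without a version bump")
        elif version != base_version:
            findings.append(f"{name}: version changed {base_version} -> {version}, unreviewed")
    for name in sorted(set(baseline) - set(installed)):
        findings.append(f"{name}: in baseline but missing from install")
    return findings


if __name__ == "__main__":
    for line in audit_dependencies(BASELINE, CURRENT_INSTALL):
        print(line)
```

The same comparison applies to any ecosystem whose lockfile records content hashes; the point is that a reputation or a familiar version string is not evidence that the bytes you just pulled are the bytes you reviewed.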
