Checkmarx Supply Chain Threat Intelligence: The Next Level of Defense for Open Source Security

In the world of attacker vs. defender, security teams often feel they’re behind the eight ball, operating in a state of perpetual reactionary-mode. Although they tirelessly try to get ahead of attackers and their campaigns, defenders’ efforts often fall short. This is not due to a failure on their part. Instead, attackers’ tactics, techniques, and procedures (TTPs) are in constant flux and with relentless inventiveness. And what we witnessed in 2022 has motivated Checkmarx to be the industry’s first software security vendor to deliver supply chain threat intelligence to those who rely on the open source software ecosystem.

2022 was another year of unrelenting attacks against organizations that thrive on the very software they develop, but it was much different than anything our researchers ever saw before. Last year, we observed an increasingly advanced level of ingenuity as attackers took complete advantage of a system built upon trust—the open source software supply chain. And this time, having caught them red-handed on multiple occasions, we now know what it will take to stay one step ahead of their attacks.

Last March, Checkmarx released its Supply Chain Security solution as our research teams witnessed the evolution of attackers’ TTPs firsthand. Currently, the solution is being widely adopted by organizations who depend on the software supply chain, since open source packages play an important role as part of their code base. Understanding that organizations are going to continue using open source packages in their applications for the foreseeable future, Checkmarx just announced another arrow in the quiver of enterprise-class, open source supply chain defenses—Checkmarx Supply Chain Threat Intelligence.

How our threat intelligence is different

Traditionally, real-time threat intelligence has mostly been about identifying nefarious source IP addresses that were engaging in attacks. Many of these IP addresses were compromised devices that became part of a botnet, being centrally controlled from somewhere in the world, and used to strike organizations with denial of service, credential stuffing, password guessing, site scraping, spamming, and probing attacks. Consumers of this type of threat intelligence would block traffic coming from these nefarious addresses somewhere in the cloud or at their perimeters.

However, Checkmarx Supply Chain Threat Intelligence is much different than what has been traditionally available. This threat intel solely focuses on the software supply chain the world depends on. Also, the solution Checkmarx is delivering is not based upon vulnerable packages that are commonly tracked by cve.mitre.org. Instead, this intel is all about tracking purpose-built, malicious packages that often contain ransomware, cryptomining code, remote code execution, and other common types of malware. Malicious packages are designed to infect organizations worldwide and are much different than packages that contain unintentional coding errors that end up leading to vulnerabilities.

What our threat intelligence delivers

Based exclusively on proprietary research by Checkmarx Labs, our Supply Chain Threat Intelligence is for organizations that want:

• • Identification of malicious packages by attack type such as dependency confusion, typosquatting, chainjacking, and more

• • Analysis of contributor reputation through identification of anomalous activity within open source packages

• • Intelligence on the malicious behavior of packages, including static and dynamic analysis to understand how the code runs

• • Historical Archives in the form of a data lake that allows the ongoing analysis of packages long after they have been deleted from package managers

How to consume our threat intelligence

Checkmarx Supply Chain Threat Intelligence is delivered via an application programming interface (API). Users obtain a unique token from Checkmarx, send in a package name and version, and receive threat intelligence on the package. The intel is simple to integrate into many dashboards and to automate into your software development environments.

Why you need our threat intelligence

The best part of Checkmarx Supply Chain Threat Intelligence is that it is designed for you, the developer and AppSec professional. Subscribing to the service, and using it regularly, will help you:

• • Avoid malicious packages before they become part of your code base – and, critically,  before code containing them is ever deployed

• • Understand the evolution of attackers’ TTPs against the supply chain

• • Collect intelligence on large numbers of packages at once using bulk queries

• • Increase security awareness with real-time updates and alerts on new threats

• • Make better open source package selections using our valuable insights and context

Next steps

To learn more about Checkmarx Supply Chain Threat Intelligence, you can check out the interactive demo below and download our Solution Brief to share with others.