- Modern application development must address supply chain security risks
- Software Composition Analysis (SCA) tools are part of, but not the complete solution
- Vulnerable and malicious are two very different threats identified in different ways
- Checkmarx is tackling what may seem to be a completely overwhelming task
As organizations continue to expand their use of Open Source Software (OSS) in developing applications, they must also identify solutions that reduce risk in the context of OSS supply chain attacks. This challenge is increasingly common; as a recent IDC Link, Checkmarx Extends Its Software Composition Analysis Solution With Software Supply Chain Security, notes, “An IDC survey found the adoption of open source has gone mainstream, with 89% of software development and delivery organizations surveyed currently using or planning to use OSS”. Application development teams (often organized as DevOps teams) rely on OSS to handle the foundation and basic ‘plumbing’ of applications so that teams can concentrate on writing the proprietary code and business logic that further their organization's objectives.
As OSS increasingly forms the bulk of application software stacks, knowing what OSS is included, both directly and indirectly via transitive dependencies (packages which rely on other OSS packages, which in turn rely on others, and so on), becomes a significant challenge. Beyond simply knowing which packages are being used, tracking which package versions are known to be vulnerable, and which of those vulnerabilities are actually exploitable within the context of the application(s), quickly becomes overwhelming.
Software Composition Analysis (SCA) tools help organizations understand which OSS packages are being used in their applications, and which of those are known to be vulnerable, usually by way of a published CVE. Supply Chain Security (SCS) both complements SCA and extends it by hunting for malicious software packages that attackers insert into the OSS supply chain.
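The core SCA step described above, resolving the transitive dependency tree from a lock file and matching each resolved version against an advisory feed, looks like the following. This is an added example and not Checkmarx code; the dependency graph, the advisory entries and the EXAMPLE-ADV identifiers are constructed for the illustration and say nothing about the real state of the named packages.

```python
"""Resolve transitive dependencies from a lock-file style graph and flag
packages whose versions fall inside known-vulnerable ranges.

Added illustration of the SCA matching step, not Checkmarx code. The
dependency graph, the advisory list and the EXAMPLE-ADV identifiers are
constructed for the example and do not describe real packages' real state.
"""
from collections import deque

# Constructed lock-file style graph: package -> (resolved version, dependencies).
# Real lock files (package-lock.json, poetry.lock, go.sum) also carry integrity
# hashes and may pin several versions of one package; both are omitted here.
LOCK = {
    "webapp": ("1.0.0", ["express", "lodash", "jsonwebtoken"]),
    "express": ("4.17.1", ["body-parser", "qs"]),
    "body-parser": ("1.19.0", ["qs"]),
    "qs": ("6.5.2", []),
    "lodash": ("4.17.15", []),
    "jsonwebtoken": ("8.5.1", ["jws"]),
    "jws": ("3.2.2", []),
}

# Constructed advisory feed: (package, introduced, fixed, advisory id).
# The affected range is [introduced, fixed), the convention OSV-style feeds use.
ADVISORIES = [
    ("qs", "6.0.0", "6.5.3", "EXAMPLE-ADV-0001"),
    ("lodash", "0.0.0", "4.17.21", "EXAMPLE-ADV-0002"),
    ("jws", "4.0.0", "4.0.1", "EXAMPLE-ADV-0003"),  # 3.2.2 is below the range
]


def parse_version(v):
    """'1.2.3-beta' -> (1, 2, 3); pre-release tags are ignored in this example."""
    return tuple(int(part) for part in v.split("-")[0].split("."))


def is_affected(version, introduced, fixed):
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def resolve(root, lock):
    """Breadth-first walk from root. Returns {package: (version, depth, path)}
    using the shortest path by which each package is pulled in; depth 1 means a
    direct dependency. Diamonds and cycles are handled by the seen set."""
    tree, queue, seen = {}, deque([(root, 0, [root])]), {root}
    while queue:
        name, depth, path = queue.popleft()
        if name not in lock:  # unresolved entry: record it rather than crash
            tree[name] = (None, depth, path)
            continue
        version, deps = lock[name]
        tree[name] = (version, depth, path)
        for dep in deps:
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, depth + 1, path + [dep]))
    return tree


def scan(root, lock, advisories):
    """Match every resolved package against the advisory feed."""
    tree = resolve(root, lock)
    findings = []
    for package, introduced, fixed, adv_id in advisories:
        if package not in tree or tree[package][0] is None:
            continue
        version, depth, path = tree[package]
        if is_affected(version, introduced, fixed):
            findings.append({
                "package": package, "version": version, "advisory": adv_id,
                "fixed_in": fixed, "depth": depth, "path": path,
                "kind": "direct" if depth == 1 else "transitive",
            })
    # Direct dependencies are the ones the team can bump itself, so list them first.
    return sorted(findings, key=lambda f: (f["depth"], f["package"]))


if __name__ == "__main__":
    for f in scan("webapp", LOCK, ADVISORIES):
        print(f"{f['advisory']}: {f['package']}@{f['version']} ({f['kind']}, "
              f"fix in {f['fixed_in']}) via {' -> '.join(f['path'])}")
```

Note what this does and does not answer: it yields the inventory and the version match, and the recorded path tells you whether a fix is a one-line bump or has to wait on an upstream maintainer (here `qs` is only reachable through `express`). Whether the vulnerable code is actually exercised by the application, the exploitability question raised above, needs call-graph or reachability analysis on top of this.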
Checkmarx SCA now includes robust Supply Chain Security functionality to protect your organization. According to the IDC Link, the core features of Checkmarx SCS include:
- Contributor Reputation Monitoring, which looks for anomalous activity related to contributor accounts. For example, a contributor account may suddenly start posting packages directly to a package distribution system rather than first checking code into a GitHub project, indicating a suspicious change in behavior.
- Behavioral Analysis, which observes the actions of code running in a detonation chamber to identify potentially malicious behavior. For example, a package which attempts to communicate with a known malicious command and control destination would present a risk.
- Continuous Results Processing, which continuously provides the latest threat intelligence developed through use of publicly available sources and hands-on Checkmarx curation.
What you will notice is that these security techniques are different from inspecting code for vulnerabilities, and the difference follows from the nature of the supply chain threat. Vulnerabilities are, with very few exceptions, introduced by accident. If a developer makes a coding error that leads to a potential vulnerability in a software package, an attacker has to find that vulnerability, develop an exploit, and then exploit it directly to achieve something. It is far more straightforward to embed malicious code directly into a software package and get straight to the result.
Another twist is that application security testing (AST) solutions can easily detect many code-based vulnerabilities, because they look for known weakness patterns. Well-formed, bug-free malicious code, however, can go undetected by AST solutions if the code is novel and does not itself contain any vulnerabilities: it is the intent, not a coding flaw, that makes it dangerous.
Organizations also have far different practical requirements for vulnerability detection and characterization than for malicious code. Vulnerabilities can be prioritized based on severity, on whether they sit within relatively exposed applications, on whether the application code actually calls the vulnerable code, and so on. That means low-risk vulnerabilities can be tolerated until the next release, while high-risk vulnerabilities must be dealt with sooner. Malicious code stands in stark contrast: there is no evaluation of risk, because malicious code always poses a critical risk by its very nature.
Open source ecosystems are built with enabling collaboration as the core goal. While large, well-funded projects often have strict checks and balances, smaller projects don’t always enjoy the benefit of those checks and balances. Adding to that, some relatively small projects (judged by the number of contributors) can have millions of downloads each week. This wide spectrum of project characteristics across vast OSS ecosystems cannot be monitored manually.
In tackling software supply chain security, Checkmarx uses a broad array of techniques based on large-scale data collection, automated, ML-driven anomaly detection, and human-driven threat research that complements it. These approaches allow Checkmarx to identify the use of attack techniques such as Account Takeover, Typosquatting, and ChainJacking, among others. Attackers continue to escalate the breadth and severity of supply chain attacks and attack techniques. Checkmarx is here to help you defend your organization without sacrificing the pace of application delivery that leverages OSS.
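The contributor-behaviour signal in the first bullet, a maintainer who publishes to the registry without the usual preceding commit to the project's repository, can be expressed as a simple replay over a merged event stream. The following is an added example of that heuristic, not Checkmarx code and not a model of their scoring; the event lines, user names, repository names and the package-to-repository mapping are all constructed.

```python
"""Flag registry publishes that are not preceded by a recent commit from the
same contributor to the package's source repository.

Added illustration of the contributor-behaviour heuristic; not Checkmarx code
and not a model of their actual scoring. Event lines, user names, repository
names and the package-to-repo mapping are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed event stream: commit events as a Git host would expose them and
# publish events as a registry would. A real pipeline would pull these from the
# Git host's events API and the registry's changes feed; here they are inlined.
EVENTS = """\
2024-03-01T09:00:00Z commit user=alice repo=acme/left-pad sha=1a2b3c
2024-03-01T09:30:00Z publish user=alice package=left-pad version=1.3.0
2024-03-10T22:15:00Z publish user=alice package=left-pad version=1.3.1
2024-03-11T08:00:00Z commit user=bob repo=acme/left-pad sha=4d5e6f
2024-03-11T08:20:00Z publish user=bob package=left-pad version=1.4.0
2024-03-12T03:00:00Z publish user=bob package=mystery-pkg version=0.0.1
"""

# Constructed: which repository each package claims as its source.
PACKAGE_REPO = {"left-pad": "acme/left-pad"}

# A publish more than this long after the contributor's last commit is suspicious.
WINDOW = timedelta(days=7)

LINE = re.compile(r"^(\S+) (commit|publish) (.*)$")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"time": ts, "kind": m.group(2), **fields})
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_publishes(events, package_repo, window=WINDOW):
    """Replay events in time order, remembering each contributor's latest commit
    per repository, and flag publishes that break the commit-then-publish pattern."""
    last_commit = {}  # (user, repo) -> time of most recent commit
    flagged = []
    for e in events:
        if e["kind"] == "commit":
            last_commit[(e["user"], e["repo"])] = e["time"]
            continue
        repo = package_repo.get(e["package"])
        if repo is None:
            reason = "package has no known source repository"
        else:
            last = last_commit.get((e["user"], repo))
            if last is None:
                reason = f"{e['user']} has never committed to {repo}"
            elif e["time"] - last > window:
                gap = (e["time"] - last).days
                reason = f"last commit by {e['user']} to {repo} was {gap} days earlier"
            else:
                continue  # commit followed by publish within the window: expected
        flagged.append({"package": e["package"], "version": e["version"],
                        "user": e["user"], "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in find_suspicious_publishes(parse_events(EVENTS), PACKAGE_REPO):
        print(f"{f['package']}@{f['version']} by {f['user']}: {f['reason']}")
```

The window and the "no known source repository" rule are the tunable parts: a large project with release automation will publish from a bot account that never commits, so in practice the baseline is learned per project from its own history rather than fixed as it is here.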
Checkmarx SCA includes Supply Chain Security, get your free demo here: https://checkmarx.com/product/cxsca-open-source-scanning/
Learn more about the attack techniques we are seeing, and other SCS topics here: https://checkmarx.com/supply-chain-security/
Download the IDC Link: “Checkmarx Extends Its Software Composition Analysis Solution With Software Supply Chain Security” (doc #lcUS48980222, March 2022) here: https://idcdocserv.com/lcUS448980222