What’s Lurking Within? Malicious Code.
Supply chain attacks occur when cyberthreat actors insert malicious code into trusted software, creating a vector to further compromise data or systems. To avoid being the victim or unwilling accomplice of a software supply chain attack, you need to carefully assess software components used in your applications. One common method of sneaking bad code into good applications is to compromise or impersonate an open source library. Modern development practices rely heavily on importing reusable components. Because of this, there is a healthy population of Software Composition Analysis tools designed to detect problematic packages during software development.
Much of the effort to secure open source components has been focused on finding vulnerabilities: problems in the code that attackers can exploit, but that are the result of human error. Existing application security test tools, like static or interactive code testing, can find these kinds of vulnerabilities.
Hidden among the masses of Node.JS packages, Python modules, or .NET NuGets, however, are a significant number of libraries that might be securely coded and elegantly implemented, but also deeply malicious at the same time. Defending against these types of attacks demands a different set of capabilities.
That’s why we’re proud to share that Checkmarx has acquired Dustico, an innovative startup that has developed unique methods to identify supply chain attacks.
When code has been written to deliberately hide its intent, it’s important to evaluate what the code does when you run it, and who created it in the first place. As Tzachi Zornstain, one of Dustico’s founders, says: “Don’t take code from strangers.”
Evaluating what a piece of software does, what processes it creates, what ports it opens, and what connections it attempts to make are all critical indicators of the package’s intent.
Looking at who contributed to the code, what other packages they have created, and their overall online presence can give us indicators and evidence of the potential intent of their coding activities. While this information might not be definitive, it’s definitely a useful component in building a risk model.
Of course, doing this for the hundreds of packages and contributors in your supply chain is unsustainable. Just building the technology to safely test new packages in a protected, blast-proof environment is a significant task, never mind building the tools to evaluate the results. In addition, creating your own analysis of the thousands of open source contributors is impractical.
That’s why we will be rolling the innovative technology we’ve acquired into our software composition analysis tool, CxSCA. Now, alongside our curated threat feed, independent security research, and market leading capabilities like Exploitable Path, we will be adding ML-driven behavioral analysis and contributor reputation indicators into the risk analysis equation.
If you’re concerned about attackers sliding into your supply chain, then be glad that we’re working hard to get these new protections into CxSCA as fast as possible, and keep an eye out for some really interesting research we plan to publish here soon.