The Open Source Supply Chain Under Assault – New Defenses Are Required

Anyone who has worked in information security over the last two decades has likely noticed how attacker Tactics, Techniques, and Procedures (TTPs) have evolved over time. Let’s take a closer look at what has changed.

The Evolution of TTP

In the early days of cyberattacks, attackers spent their time building self-propagating viruses and worms that exploited vulnerable operating systems and desktop applications. For example, the “I Love You” virus, which dates back to the year 2000, infected over ten million computers worldwide. Names like Code Red, SQL Slammer, Sobig, MyDoom, Netsky, Stuxnet, Zeus, and so on made headlines all over the globe. In response, antivirus companies proliferated, holes in operating systems were patched, devices and perimeters were hardened, bug bounties were launched, and many of these TTPs were blunted.

During much of the same period, a new genre of TTPs emerged alongside these highly successful malware campaigns, and phishing became the new name for an old game. Because perimeter and workstation defenses had become harder to overcome from the outside, attackers recognized that if they could fool someone into clicking a link in an email, a back door could be opened from the inside and the perimeter defenses bypassed entirely.

Out of this came a whole new generation of malware in the form of ransomware and botnets. Locky, Tiny Banker Trojan, Mirai, WannaCry, Petya, and many more were the next malware variants to gain notoriety. Email phishing defenses, spam detection systems, employee phishing-awareness training, and the like proliferated in turn and helped defeat some of these attacks.

Attackers then drew the obvious conclusion: “If we can infect a software supply chain, our malware’s reach and victim count can grow exponentially.” In December of 2020 they did just that. The SolarWinds supply chain attack came to light, leading to both government and enterprise data breaches that made headlines worldwide. The SolarWinds attack, however, targeted a commercial software supply chain; it was not focused on what is called the open source supply chain.

Why Supply Chain – Why Now?

Today’s attackers realize that by infecting the supply chain of open source libraries, packages, components, modules, and so on, through the public repositories that host them, they can open a whole new Pandora's box. And as we all know, once that box is open, it is nearly impossible to close. Checkmarx leadership saw this coming: back in December of 2019, Maty Siman, Founder and CTO of Checkmarx, contributed to this predictions blog.

Maty wrote, “With organizations increasingly leveraging open source software in their applications, next year, we’ll see an uptick in cybercriminals infiltrating open source projects. Expect to see attackers ‘contributing’ to open source communities more frequently by injecting malicious payloads directly into open source packages, with the goal of developers and organizations leveraging this tainted code in their applications.

As we see this scenario unfold, there will be a growing need for processes like developer and open source contributor background checks [contributor reputation]. Currently, open source environments are based entirely on trust - organizations typically don’t vet developers’ past projects or reputations. However, as attackers take advantage of open source projects, this trust will begin to erode, forcing organizations to take proactive mitigation steps by thoroughly vetting the open source code within their applications, as well as those providing it.”

As we see here, Maty Siman was spot on. Checkmarx not only saw attacks on the open source supply chain coming, it did something about it by acquiring Dustico in August of 2021. Today, TTPs like dependency confusion, typosquatting, repository jacking (aka ChainJacking), and star jacking are the new name of the game. Checkmarx also released a new white paper today, Introduction to Supply Chain Attacks, explaining how these attacks actually work.
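To make the first two of those TTPs concrete, here is an added example of a pre-install check a team could run over a requirements file. It is not Checkmarx code and is not taken from the white paper. Typosquatting relies on a package whose name is a keystroke or two away from a popular one; dependency confusion relies on a public package that shares the name of an internal, privately hosted one and wins version resolution. The popular-package allowlist, the internal package names, the public-index snapshot and the requirements file below are all constructed for the example; a real check would pull them from the organization’s private index and the public registry.

```python
"""Added example (not Checkmarx code): pre-install checks for typosquatting and
dependency confusion over a requirements.txt-style file.

All package lists and the sample requirements below are constructed for
illustration; substitute a real popularity list, your private index's package
names and a live query of the public index in practice."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist standing in for the most-downloaded public packages.
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "cryptography", "flask"}

# Constructed set of names the organization publishes only to its private index.
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth-client"}

# Constructed snapshot of names that currently exist on the public index.
PUBLIC_INDEX_NAMES = POPULAR_PACKAGES | {"acme-auth-client", "requets"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic programming formulation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str    # "typosquat" or "dependency-confusion"
    detail: str


def check_typosquat(name: str, max_distance: int = 1) -> Optional[Finding]:
    """Flag a name that is not itself popular but sits within max_distance edits of one."""
    n = normalize(name)
    if n in POPULAR_PACKAGES:
        return None
    for popular in sorted(POPULAR_PACKAGES):
        d = edit_distance(n, popular)
        if 0 < d <= max_distance:
            return Finding(name, "typosquat", f"{d} edit(s) from '{popular}'")
    return None


def check_dependency_confusion(name: str) -> Optional[Finding]:
    """Flag an internal package whose name also exists on the public index."""
    n = normalize(name)
    if n in INTERNAL_PACKAGES and n in PUBLIC_INDEX_NAMES:
        return Finding(name, "dependency-confusion",
                       "internal name is also published on the public index")
    return None


def parse_requirements(text: str) -> List[str]:
    """Extract bare package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";", " "):
            line = line.split(sep, 1)[0]          # strip specifiers, extras, markers
        names.append(line.strip())
    return names


def audit(requirements: str) -> List[Finding]:
    """Run every check over every requirement and return the findings in file order."""
    findings = []
    for name in parse_requirements(requirements):
        for check in (check_typosquat, check_dependency_confusion):
            finding = check(name)
            if finding:
                findings.append(finding)
    return findings


# Constructed requirements file: one typosquat and one confusable internal name.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
requets>=2.0               # one keystroke away from requests
numpy
acme-auth-client==1.4.0    # internal package that also exists publicly
acme-billing-core==3.2.1
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.kind:22} {f.package:20} {f.detail}")
```

The edit-distance threshold is deliberately tight; at distance 2 the check starts flagging legitimate short names against each other, so in practice the allowlist should be large and the threshold scaled to name length. The dependency confusion check is only as good as the public-index snapshot, which is why teams also pin the index per package (or use a scoped namespace) rather than rely on detection alone.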

Landscape Changer: Checkmarx Supply Chain Security

Building on Maty’s predictions (which did come true, by the way) and its proactive stance on defeating supply chain attacks, Checkmarx has just announced a new arrow in the quiver of enterprise-class open source supply chain defenses. Checkmarx SCA with Supply Chain Security (SCS) is now available, and the solution sets an entirely new bar for SCA solutions.

Checkmarx is first to market with the supply chain defenses organizations need now, including:

  • Health and Wellness, and Software Bill of Materials (SBOM)
  • Malicious Package Detection
  • Contributor Reputation
  • Behavior Analysis
  • Continuous Results Processing

In addition to the white paper on supply chain attacks, Checkmarx released a second white paper today, Don’t Take Code from Strangers – An Introduction to Checkmarx Supply Chain Security. This paper goes into detail on topics like SLSA, traditional code analysis, and pushing the boundaries of secure software supply chain innovation.

Checkmarx SCA with Supply Chain Security (SCS) offers a more comprehensive approach to preventing supply chain attacks and securing open source usage by enabling developers to perform vulnerability, behavioral, and reputational analysis from a single, integrated platform. By integrating behavioral analysis natively into SCA, Checkmarx gives developers a streamlined, frictionless experience for improving their organization’s supply chain security.

To learn more about Checkmarx SCA with Supply Chain Security, you can request a demo here.