The Guide to a Secure Software Supply Chain with Open Source Packages

Guide to Open Source Software Supply Chain Security

Software runs the world: major parts of businesses and industries now run on it and are delivered as online services. From entertainment, retail, financial services, and healthcare to automotive, transportation, agriculture, and national defense, industries across the board have experienced a fundamental software-based transformation that is crucial for business longevity.

In recent years, there’s been an increasing dependence on open source software (OSS) as developers face pressure to write and deploy new applications and features faster than ever. 

Modern applications are more assembled than written, with developers pulling in dozens or even hundreds of open source libraries to accelerate development. These libraries provide prebuilt functionality such as authentication, data parsing, encryption, or API integrations. This allows teams to move faster without reinventing the wheel. Virtually all proprietary software today depends on open source components at some level, making OSS a foundational layer of the modern software supply chain.

However, although open-source packages expedite software development, they also introduce significant security risks. Understanding the risks open source poses to software supply chain security (SSCS) is vital to protect organizations from potential attacks hidden within open source dependencies.

Common Application Security Pitfalls with OSS

Traditional Software Composition Analysis (SCA) is most often associated with identifying the vulnerabilities in OSS. However, many organizations struggle with comprehensive visibility and security of their supply chain.

Despite “Secure by Design” principles, which embed security into every stage of the development lifecycle, organizations have little control over the security of open source packages in use in their code base. Without SCA, they can’t possibly monitor or even scan every open source project they utilize.

Of the three trust boundaries identified by the Supply-chain Levels for Software Artifacts (SLSA) framework (source threats, build threats, and dependency threats), dependency integrity is the weakest link in the software supply chain.

Additionally, OSS ecosystems like GitHub and others are built to minimize friction and encourage developers to contribute to the community. As such, the mechanisms for contributors are built to make it easy, and there is inherent trust built in. However, security is not always a top priority. Some projects that are backed by well-known vendors often have checks and balances around who can contribute, what is contributed, what makes it into builds, and so on. Even then, the checks and balances can’t be trusted, exemplified by XZ Utils, in which a trusted contributor injected malicious code. Many projects don’t have the same level of controls, leaving them susceptible to attacks which, in turn, can end up in the software stack of an application.

While traditional SCA identifies packages with known vulnerabilities (CVEs) or packages that need updating to the latest revision, supply chain security focuses more on the tactics, techniques, and procedures (TTPs) bad actors use to hijack projects and inject purely malicious code into often extremely popular open source packages.

Common Open Source Supply Chain Attacks

Open source code’s transparent nature makes it susceptible to various attack types, which organizations must recognize to effectively manage and minimize supply chain vulnerability and risk.

  1. Dependency Confusion Attacks

Dependency confusion attacks exploit vulnerabilities in package manager configurations, tricking systems into downloading malicious packages instead of genuine internal ones. A significant example of a supply chain attack occurred with the widely-used NPM package UAParser.js, where attackers compromised the package to distribute crypto-mining malware, impacting potentially millions of users.

  2. Typosquatting Attacks

Typosquatting involves attackers creating malicious libraries that closely resemble popular open source packages. An example of a supply chain attack involving typosquatting occurred with the Python library Colorama, where attackers introduced “Colourama,” a malicious version designed to redirect Bitcoin payments to the attacker’s wallets.

  3. Contributor Compromise and Malicious Code Injection

In certain scenarios, malicious actors infiltrate trusted OSS communities by first contributing legitimate code to gain trust. After trust is established, they inject harmful code, often unnoticed by the community. GitHub previously disclosed that up to 20% of bugs were maliciously introduced by attackers. This approach emphasizes the need for ongoing vigilance and monitoring within OSS communities.
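
The dependency confusion and typosquatting patterns described above can both be checked against the resolved dependency list of a build. The following is an added example, not code from the original guide or from any Checkmarx product; the package names, the private index URL, and the popular-package list are constructed for illustration.

```python
import re

# Constructed sample data (assumptions, not from the original page).
POPULAR = {"colorama", "requests", "urllib3", "numpy"}
INTERNAL = {"acme-billing", "acme-auth"}  # hypothetical private package names
INTERNAL_INDEX = "https://pypi.internal.example/simple"  # hypothetical private index
PUBLIC_INDEX = "https://pypi.org/simple"

# (package name, index it was resolved from), as a lockfile would record it.
RESOLVED = [
    ("colorama", PUBLIC_INDEX),
    ("Colourama", PUBLIC_INDEX),
    ("requests", PUBLIC_INDEX),
    ("acme-auth", INTERNAL_INDEX),
    ("acme_billing", PUBLIC_INDEX),
]

def normalize(name):
    """PEP 503 name normalization, so 'Acme_Billing' == 'acme-billing'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(resolved, popular=POPULAR, internal=INTERNAL,
          internal_index=INTERNAL_INDEX, max_dist=2):
    """Return (name, finding, detail) tuples for suspicious dependencies."""
    findings = []
    for raw, index in resolved:
        name = normalize(raw)
        if name in internal:
            # An internal name served by any other index is the confusion case.
            if index != internal_index:
                findings.append((raw, "dependency-confusion", index))
            continue
        if name in popular:
            continue
        # Unknown name within a few edits of a popular one: review as a typosquat.
        near = sorted(p for p in popular if edit_distance(name, p) <= max_dist)
        if near:
            findings.append((raw, "possible-typosquat", near[0]))
    return findings

if __name__ == "__main__":
    for finding in audit(RESOLVED):
        print(finding)
```

Findings are candidates for review rather than verdicts: short package names sit within two edits of many legitimate names, so the distance threshold needs tuning per ecosystem.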

How to Secure OSS within the Software Supply Chain

Given these prevalent threats, organizations require robust strategies to proactively identify OSS supply chain vulnerabilities. Organizations must protect their applications from attacks that leverage open source code. Consider the following to manage supply chain risk:

Automate identification and remediation to mitigate the stealthy threats that can be included in the packages on which your applications rely. The sheer volume of packages and updates makes it all but impossible to closely inspect everything without an automated solution. 

Track everyone and everything in the open source ecosystem. Without a sophisticated solution, this is practically impossible, but you can ensure trust in the open source elements you leverage with automated reputation analysis of projects and contributors.

Gauge the health and security of a project, which means much more than skimming through the read-me. As with other aspects of supply chain security, the scope and scale of this problem makes it impractical for your teams to achieve this. Gain assurance in project integrity with continuous metadata analysis which identifies anomalies in the integrity of a project.

Shift left and remediate threats in the earliest stages of your development cycle. Overwhelming your team with alerts long after code has shipped is not optimal. Instead, enable zero friction between security teams and developers.

Require a futureproof approach since the threat landscape continues to evolve. Solutions that are architected such that engines can be updated, or entirely new engines added quickly and easily, mean that the solution will grow with you, not against you.

Prioritize code vulnerabilities with advanced reachability analysis. This significantly improves the remediation, including in open-source packages, by assessing whether potentially harmful code paths are exploitable at runtime.

Integrate with runtime and Cloud-Native Application Protection Platform (CNAPP) to deliver continuous protection across the application lifecycle. This approach ensures real-time security validation and aids organizations in rapidly responding to evolving threats, greatly reducing the vulnerabilities in an organization’s supply chain.

SSCS with Checkmarx

Software supply chain security (SSCS) is critical in today’s software-driven economy, particularly due to the overwhelming dependence on open source code and packages. Understanding common OSS vulnerabilities, such as dependency confusion, typosquatting, and malicious code injection, is essential to minimize supply chain vulnerability and risk. With Checkmarx’s advanced solutions, organizations can proactively safeguard their software. Checkmarx equips organizations to not only identify supply chain vulnerabilities but to rapidly respond to threats, reinforcing trust in the applications that power their business.

Learn more about Checkmarx Software Supply Chain Security.
