When you read that software supply chain attacks increased 42% in the first quarter of 2021 over Q4 2020, you might think the cybersecurity problem was related to the traditional supply chain. Many people think of a supply chain as boxes of products on trucks and ships. Software companies don’t ship physical CDs of their latest products like they did decades ago. Instead, their supply chain is now the internet and cloud as they send out their products there. Today, the cloud is actually the ‘truck’ that delivers new applications and updates to companies.

That means threat actors can find openings in those systems and methods. Often, the attack begins when an administrator downloads a new app or updates an existing app. From there, malware embeds itself into the application. Sometimes the employee doesn’t even realize the mistake — or if they do, it’s already too late.

Almost every organization uses multiple applications to run their business. So, software supply chain attacks have the potential to be widespread and very damaging. Take a look at what’s causing the increase in these types of attacks and what the enterprise can do to protect against them.

Open-Source Problems and Supply Chain Cybersecurity

One of the biggest issues is that many organizations rely on open-source supply chain apps. Attacks on open source code increased 430% between 2019 and 2020. Not all of these attacks are related to the supply chain. However, many of the systems software companies use to distribute their products are open source. This means the number of supply-chain-related issues is likely to grow. Threat actors are becoming even more skilled at attacks on open-source code.

To find out how widespread the problem is, take a look at the Contrast Security 2021 State of Open-Source Security Report. The study found that the average application includes 118 libraries, with only 38% of the libraries being active. This creates a major risk for malware or malicious code being inserted into an inactive library without anyone detecting it. Because the average age of the libraries is 2.5 years, apps may have unseen problems in older libraries. The report also found that the average Java app contains 50 open-source library vulnerabilities. That means there is a 16% chance each library has an opening for attackers.

Using Red Team Tests Against Supply Chain Attacks

Because real-world experience is the best way to learn to work as a team and use your controls in real-time, organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.

The biggest benefit of these events is that your team can learn first-hand exactly what the attacks look like. From there, they can develop detailed processes for how to respond in the most effective manner. Through these tests, blue teams can reduce mean time to detect and mean time to respond. By doing both of those, they can limit the damage of supply chain attacks that enter through open-source openings. When researching a partner to conduct attack tests, look for one that will provide detailed feedback about your team’s performance that you can use to change your processes and tools.

Reduce Dependency Confusion Issues

A newer problem that is likely connected to the rise in supply chain attacks is dependency confusion. Organizations that use both internal and third-party libraries in their apps are at risk of supply chain attacks through dependency confusion, in which attackers create a fake package in an external (public) repository with the same name as a package in the internal repository, so that the package manager picks up the fake one whenever the correct internal package is not available. While earlier, similar attacks relied on developers misspelling a package name, dependency confusion is more reliable for threat actors and more damaging, even more so when the attacks are automated.

The best protection against dependency confusion is increasing the visibility and security of your libraries, packages and dependencies. When you protect the names of your internal libraries and packages, threat actors are less likely to be able to create a fake package with a duplicate name. Using a package manager that supports namespaced (scoped) modules also reduces dependency confusion, because a namespaced name cannot be claimed in two different places, so an internal package is never silently substituted by a public one with the same name. Other strategies include using only reputable open-source libraries and requiring developers to verify a package’s source before installing it.
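To make the two paragraphs above concrete, here is an added Python example (not code from the original article or from any real package manager) that models both the failure and the fix. A naive resolver merges an internal and a public registry and takes the highest version, which is exactly how a look-alike public package wins; a namespace-aware resolver only ever looks up names in the internal namespace from the internal registry, refuses to fall back, and optionally checks a pinned digest. The registries, the `acme-` naming convention, the package names and the digests are all constructed sample data, and `find_confusable` is the audit check a defender would run to see which internal names have already been claimed publicly.

```python
"""Dependency confusion, as a defender sees it: a naive resolver that merges an
internal and a public registry is fooled by a look-alike package, while a
namespace-aware resolver with hash pinning is not. All registries, package
names and digests below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str       # package name as the resolver sees it
    version: str    # dotted numeric version, e.g. "1.4.0"
    registry: str   # "internal" or "public"
    sha256: str     # constructed placeholder digest of the artifact


def vtuple(version: str) -> tuple:
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


# Constructed contents of a private registry and of the public one.
INTERNAL_REGISTRY = [
    Candidate("acme-billing", "1.4.0", "internal", "aaaa1111"),
    Candidate("acme-auth", "2.0.1", "internal", "bbbb2222"),
]
PUBLIC_REGISTRY = [
    Candidate("requests", "2.31.0", "public", "cccc3333"),
    # Look-alikes of the internal names, published externally; the first
    # carries an absurdly high version so a "highest wins" resolver prefers it.
    Candidate("acme-billing", "99.0.0", "public", "dddd4444"),
    Candidate("acme-auth", "2.0.1", "public", "eeee5555"),
]

# Assumed naming convention: everything the organisation publishes internally
# starts with this prefix (a stand-in for a real scoped namespace).
INTERNAL_NAMESPACE = "acme-"


def resolve_naive(name: str, registries) -> Candidate:
    """Vulnerable policy: search every registry and take the highest version,
    which is exactly the behaviour dependency confusion exploits."""
    candidates = [c for reg in registries for c in reg if c.name == name]
    if not candidates:
        raise LookupError(f"{name}: not found in any registry")
    return max(candidates, key=lambda c: vtuple(c.version))


def resolve_namespaced(name: str, internal, public, pins=None) -> Candidate:
    """Hardened policy: a namespaced name is only ever looked up in the internal
    registry and never falls back to the public one; any other name is only
    looked up publicly. If a pinned digest is supplied it must match."""
    if name.startswith(INTERNAL_NAMESPACE):
        pool, source = internal, "internal"
    else:
        pool, source = public, "public"
    candidates = [c for c in pool if c.name == name]
    if not candidates:
        raise LookupError(f"{name}: not in the {source} registry; refusing to fall back")
    chosen = max(candidates, key=lambda c: vtuple(c.version))
    if pins and name in pins and pins[name] != chosen.sha256:
        raise ValueError(f"{name}: digest {chosen.sha256} does not match pin {pins[name]}")
    return chosen


def find_confusable(internal, public) -> set:
    """Audit check: which internal package names have already been claimed on
    the public registry? Any hit is a dependency-confusion risk worth reviewing."""
    return {c.name for c in internal} & {c.name for c in public}


if __name__ == "__main__":
    naive = resolve_naive("acme-billing", [INTERNAL_REGISTRY, PUBLIC_REGISTRY])
    safe = resolve_namespaced("acme-billing", INTERNAL_REGISTRY, PUBLIC_REGISTRY,
                              pins={"acme-billing": "aaaa1111"})
    print("naive resolver picked :", naive.registry, naive.version)   # public 99.0.0
    print("namespaced resolver   :", safe.registry, safe.version)     # internal 1.4.0
    print("names at risk         :", sorted(find_confusable(INTERNAL_REGISTRY, PUBLIC_REGISTRY)))
```

The design point is in `resolve_namespaced`: the decision about which registry to consult is made from the name alone, before any version comparison, so a public package can never out-version an internal one, and a missing internal package is an error rather than a trigger for fallback. Running `find_confusable` against your real internal package list is the cheapest early warning that someone has registered your names publicly.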

Tools for the Future

Because the cloud is likely to remain the delivery method for software going forward, supply chain attacks are going to be a considerable issue and challenge for the foreseeable future. Installing new updates and applications is something businesses and consumers do daily, often without thinking. By carefully evaluating the process and tools you use for the delivery of software products, you can reduce the amount and impact of these types of attacks.
