May 25, 2021 By Jennifer Gregory 3 min read


When you read that software supply chain attacks increased 42% in the first quarter of 2021 over Q4 2020, you might think the cybersecurity problem was related to the traditional supply chain. Many people think of a supply chain as boxes of products on trucks and ships. Software companies don’t ship physical CDs of their latest products like they did decades ago. Instead, their supply chain is now the internet and cloud as they send out their products there. Today, the cloud is actually the ‘truck’ that delivers new applications and updates to companies.

That means threat actors can find openings in those systems and methods. Often, the attack begins when an administrator downloads a new app or updates an existing app. From there, malware embeds itself into the application. Sometimes the employee doesn’t even realize the mistake — or if they do, it’s already too late.

Almost every organization uses multiple applications to run their business. So, software supply chain attacks have the potential to be widespread and very damaging. Take a look at what’s causing the increase in these types of attacks and what the enterprise can do to protect against them.

Open-Source Problems and Supply Chain Cybersecurity

One of the biggest issues is that many organizations rely on open-source supply chain apps. Attacks on open source code increased 430% between 2019 and 2020. Not all of these attacks are related to the supply chain. However, many of the systems software companies use to distribute their products are open source. This means the numbers of supply-chain related issues are likely to grow. Threat actors are becoming even more skilled at attacks on open-source code.

To find out how widespread the problem is, take a look at the Contrast Security 2021 State of Open-Source Security Report. The study found that the average application includes 118 libraries, with only 38% of the libraries being active. This creates a major risk for malware or malicious code being inserted into an inactive library without anyone detecting it. Because the average age of the libraries is 2.5 years, apps may have unseen problems in older libraries. The report also found that the average Java app contains 50 open-source library vulnerabilities. That means there is a 16% chance each library has an opening for attackers.

Using Red Team Tests Against Supply Chain Attacks

Because real-world experience is the best way to learn to work as a team and use your controls in real-time, organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.

The biggest benefit of these events is that your team can learn first-hand exactly what the attacks look like. From there, they can develop detailed processes for how to respond in the most effective manner. Through these tests, blue teams can reduce mean time to detect and mean time to respond. By doing both of those, they can limit damage of supply chain attacks from open-source openings. When researching a partner to conduct attack tests, look for one that will provide detailed feedback about your team’s performance that you can use to change your processes and tools.

Reduce Dependency Confusion Issues

A new problem is approaching that’s likely connected to the rise in supply chain attacks — dependency confusion. Groups that use internal and third-party libraries in their apps are at risk to supply chain attacks through a dependency confusion, in which attackers create a fake package on an external library. The package has the same name as one on the internal library, so that package manager picks it up when the correct package on the internal library is not available. While previous similar attacks relied on developers misspelling the package name, dependency confusion is more reliable for threat actors and more damaging, even more so when the attacks are automated.

The best protection against dependency confusion is increasing the visibility and security of libraries, packages and dependencies. When you protect the names of your system’s libraries and packages, threat actors are less likely to be able to create a fake package with a duplicate name. By using a package manager that supports namespaced modules, you can reduce dependency confusion attacks because packages with the same name cannot be used in two different places. Other strategies include only using reputable open-source libraries and requiring developers to verify package source before installing.

Tools for the Future

Because the cloud is likely to remain the delivery method for software going forward, supply chain attacks are going to be a considerable issue and challenge for the foreseeable future. Installing new updates and applications is something businesses and consumers do daily, often without thinking. By carefully evaluating the process and tools you use for the delivery of software products, you can reduce the amount and impact of these types of attacks.

More from Application Security

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today