Supply Chain Attacks: How To Reduce Open-Source Vulnerabilities

May 25, 2021
| |
3 min read

When you read that software supply chain attacks increased 42% in the first quarter of 2021 over Q4 2020, you might think the cybersecurity problem was related to the traditional supply chain. Many people think of a supply chain as boxes of products on trucks and ships. Software companies don’t ship physical CDs of their latest products like they did decades ago. Instead, their supply chain is now the internet and cloud as they send out their products there. Today, the cloud is actually the ‘truck’ that delivers new applications and updates to companies.

That means threat actors can find openings in those systems and methods. Often, the attack begins when an administrator downloads a new app or updates an existing app. From there, malware embeds itself into the application. Sometimes the employee doesn’t even realize the mistake — or if they do, it’s already too late.

Almost every organization uses multiple applications to run their business. So, software supply chain attacks have the potential to be widespread and very damaging. Take a look at what’s causing the increase in these types of attacks and what the enterprise can do to protect against them.

Open-Source Problems and Supply Chain Cybersecurity

One of the biggest issues is that many organizations rely on open-source supply chain apps. Attacks on open source code increased 430% between 2019 and 2020. Not all of these attacks are related to the supply chain. However, many of the systems software companies use to distribute their products are open source. This means the numbers of supply-chain related issues are likely to grow. Threat actors are becoming even more skilled at attacks on open-source code.

To find out how widespread the problem is, take a look at the Contrast Security 2021 State of Open-Source Security Report. The study found that the average application includes 118 libraries, with only 38% of the libraries being active. This creates a major risk for malware or malicious code being inserted into an inactive library without anyone detecting it. Because the average age of the libraries is 2.5 years, apps may have unseen problems in older libraries. The report also found that the average Java app contains 50 open-source library vulnerabilities. That means there is a 16% chance each library has an opening for attackers.

Using Red Team Tests Against Supply Chain Attacks

Because real-world experience is the best way to learn to work as a team and use your controls in real-time, organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.

The biggest benefit of these events is that your team can learn first-hand exactly what the attacks look like. From there, they can develop detailed processes for how to respond in the most effective manner. Through these tests, blue teams can reduce mean time to detect and mean time to respond. By doing both of those, they can limit damage of supply chain attacks from open-source openings. When researching a partner to conduct attack tests, look for one that will provide detailed feedback about your team’s performance that you can use to change your processes and tools.

Reduce Dependency Confusion Issues

A new problem is approaching that’s likely connected to the rise in supply chain attacks — dependency confusion. Groups that use internal and third-party libraries in their apps are at risk to supply chain attacks through a dependency confusion, in which attackers create a fake package on an external library. The package has the same name as one on the internal library, so that package manager picks it up when the correct package on the internal library is not available. While previous similar attacks relied on developers misspelling the package name, dependency confusion is more reliable for threat actors and more damaging, even more so when the attacks are automated.

The best protection against dependency confusion is increasing the visibility and security of libraries, packages and dependencies. When you protect the names of your system’s libraries and packages, threat actors are less likely to be able to create a fake package with a duplicate name. By using a package manager that supports namespaced modules, you can reduce dependency confusion attacks because packages with the same name cannot be used in two different places. Other strategies include only using reputable open-source libraries and requiring developers to verify package source before installing.

Tools for the Future

Because the cloud is likely to remain the delivery method for software going forward, supply chain attacks are going to be a considerable issue and challenge for the foreseeable future. Installing new updates and applications is something businesses and consumers do daily, often without thinking. By carefully evaluating the process and tools you use for the delivery of software products, you can reduce the amount and impact of these types of attacks.

Jennifer Gregory
Cybersecurity Writer

Jennifer Goforth Gregory is a freelance B2B technology content marketing writer specializing in cybersecurity. Other areas of focus include B2B, finance, tec...
read more