Software supply chain attacks will increase in 2023: Report


Attacks on open-source and commercial software will continue to rise in 2023, says a new security vendor report on the software supply chain.

However, the authors of the report also believe that the increased security measures developers are taking — particularly on open-source platforms like GitHub, NPM, RubyGems and PyPI — may slow that growth.

The conclusion comes in a report on the state of supply chain security issued Monday by ReversingLabs. (Registration required)

To bridge the gaps in both the monitoring and detection of supply chain threats and attacks, software developers must scrutinize open-source risks and better co-ordinate work between development teams and security operations centers (SOCs), the report says.

“Almost two years after word of the SolarWinds hack first spread, software supply chain attacks have shown no sign of abating,” the authors note.

“In the commercial sector, attacks that leverage malicious open-source modules continue to multiply. Enterprises saw an exponential increase in supply chain attacks since 2020, and a slower, but still steady rise in 2022.

“The popular open-source repository NPM, for example, saw close to 7,000 malicious package uploads from January to October of 2022 — a nearly 100 times increase over the 75 malicious packages discovered in 2020 and 40 per cent increase over all packages discovered in 2021.

“The Python Package Index (PyPI) was also flooded with tainted open-source modules designed to mine cryptocurrency and plant malware, among other things.”

A number of high-profile organizations including Samsung and Toyota found themselves embarrassed by secrets exposed through open-source repositories that were maintained internally or by third-party contractors, the report adds.

Open source platforms and governments have responded, the report notes. For example, in the U.S., new federal guidance for tightening supply chain security came into effect. That included a practice guide for software suppliers to the federal government issued by the Enduring Security Framework (ESF) Software Supply Chain Working Panel. In September, a memorandum from the Office of Management and Budget required software firms to attest to the security of software and services they license to executive branch agencies.

In 2023, software publishers with U.S. federal contracts will need to clear higher bars for software security to meet the new guidelines, including having to attest to the security of their code and — in some cases — produce a software bill of materials (SBOM) that provides a roadmap for tracking down supply chain threats, the report says.

“Given that the threat of supply chain attacks goes beyond publishers that sell to the [U.S.] federal government, all organizations that develop software will need to take similar steps to keep ahead of these threats,” the report says.

Yet there are great challenges. The report notes that GitHub’s security team has reviewed and issued advisories for almost 9,300 vulnerabilities in GitHub modules across all languages. But more than 177,000 advisories related to GitHub modules remain unreviewed, many with “critical” ratings. These advisories, which constitute 95 per cent of the total vulnerability count, aren’t connected to GitHub’s Dependabot service, so no warning will be issued for them, the report notes.

The report also points out that this year so-called “protestware” emerged, in which maintainers of legitimate applications decide to weaponize their software in service of some larger cause. In January, for example, downstream applications with a dependence on the popular NPM libraries ‘colors.js’ and ‘faker.js’ found themselves caught in an infinite loop, printing ‘LIBERTY LIBERTY LIBERTY’ followed by a sequence of gibberish non-ASCII characters. The incident was intentional — an act of protest by the maintainer “Squires” for what he perceived as uncompensated use of his libraries by for-profit firms.

The report says application development teams can take four steps to combat growing software supply chain risks:

–go beyond focusing on vulnerability management and code quality to encompass growing supply chain threats like malware, malicious insiders, and other continuous integration compromises that can lead to unauthorized code changes;

–bring release engineers and security engineers together to co-ordinate their activities. Security operations centers need to follow attackers as they shift left, broadening their mandate to encompass monitoring of software supply chain threats as part of their overall risk monitoring;

–increase focus on finding and closing open-source risks;

–invest in proactive threat hunting.

The post Software supply chain attacks will increase in 2023: Report first appeared on IT World Canada.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
