DeveloperWeek 2021 DeveloperWeek 2021

Thursday, February 18, 2021

PRO SESSION: Rise of Next-Gen Software Supply Chain Attacks
Join on Hopin
Brian Fox
Brian Fox
Sonatype, Chief Technology Officer

Legacy software supply chain “exploits," such as the now famous Struts incident at Equifax, prey on publicly disclosed open source vulnerabilities that are left unpatched in the wild. Conversely, next-generation software supply chain “attacks” are far more sinister because bad actors are no longer waiting for public vulnerability disclosures. Instead, they are taking the initiative and actively injecting malicious code into open source projects that feed the global supply chain. By shifting their focus “upstream," bad actors can infect a single component, which will then be distributed “downstream” using legitimate software workflows and update mechanisms.

Next-generation cyber attacks actively targeting open source software projects have increased 430% year-over-year. From February 2015 to June 2019, 216 such attacks were recorded. Then from July 2019 to May 2020 an additional 929 attacks were documented.

Next-generation software supply chain attacks are possible for three reasons:

Open source projects rely on contributions from thousands of volunteer developers, and discriminating between community members with good or malicious intent is difficult, if not impossible.
Open source projects themselves typically incorporate hundreds — if not thousands — of dependencies from other open source projects, many of which contain known vulnerabilities. While some open source projects demonstrate exemplary hygiene as measured by mean time to remediate (MTTR) and mean time to update (MTTU), many others do not. The sheer volume of open source and massive number of dependencies makes it difficult to quickly evaluate the quality and security of every new version of a dependency.
The ethos of open source is built on “shared trust” between a global community of individuals, which creates a fertile environment whereby bad actors can prey upon good people with surprising ease.

When malicious code is deliberately and secretly injected upstream into open source projects, it is highly likely that no one knows the malware is there, except for the person that planted it. This approach allows adversaries to surreptitiously “set traps” upstream, and then carry out attacks downstream once the vulnerability has moved through the supply chain and into the wild.