TAKING A PROACTIVE APPROACH TO SAFEGUARD THE DEVELOPMENT ECOSYSTEM
Savvy cyberattackers have turned their attention to the open source software supply chain as developers strive to innovate faster than ever , resulting in vulnerabilities . Shabir Bhat , Regional Sales Director , Middle East , Checkmarx , tells us why organisations must consider taking a proactive approach to defending against these attacks to ensure business as usual .
How and why have attackers shifted their focus to the open source software supply chain ?
It ’ s the path of least resistance . Developers have more and more pressure pushed upon them to innovate faster and leveraging open source software helps them achieve this goal because it allows them to use code that ’ s already been written , saving them time . When developers pull open source into their organisation without due diligence , they are essentially inviting a stranger ’ s code into their organisation .
Moreover , very popular projects also provide tempting targets . For example ,
Shabir Bhat , Regional Sales Director , Middle East , Checkmarx a package that was downloaded around 8 million times every week was compromised by an account takeover attack which injected a malicious version of the package into the supply chain . You can imagine how much damage can be done very quickly .
Why is open source a viable target ?
A significant portion of all code contains open source software , which exposes organisations to vulnerabilities . Checkmarx expects Tactics , Techniques and Procedures ( TTPs ) like dependency confusion , typosquatting , repository jacking ( aka Chain Jacking ) and star jacking , to become imminent cyberattack methods due to issues with open source .
What are the hallmarks of successful supply chain attacks and what are the worst outcomes ?
Successful supply chain attacks typically target the weakest link in the supply chain and usually involve the attackers replacing legitimate files with malicious files . These can result in several types of disastrous outcomes , such as ransomware attacks ( Colonial Pipeline ), SolarWinds ( 30K + companies affected ) and the like .
Could you share a few examples of different types of open source supply chain attacks ?
Open source supply chain attacks are designed to confuse developers . Some examples include :
Typosquatting : Attackers purposely misspell package names , which are often common typos , hoping developers will make a mistake or accidently grab a package that looks very similar to the one they are searching for .
Successful supply chain attacks typically target the weakest link in the supply chain and usually involve the attackers replacing legitimate files with malicious files .
74 www . intelligentciso . com