Intelligent CISO Issue 50 - Page 75

Open source supply chain attacks are designed to confuse developers . and providing information about mitigating them .
Dependency Confusion : A Dependency Confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository .
Chain Jacking : Developers often deploy software and packages to public registries for organisations , projects and other developers to implement ; attackers using Chain Jacking techniques will emulate typosquatting techniques . However , they use a legitimate former name of a package developer rather than a similar name .
What is the best practice approach to defending against these attacks ?
Companies need to provide their developers with proactive solutions to safeguard their development ecosystem . This means providing developers with solutions that allow them to treat open source code with the same scrutiny as they treat their own proprietary code .
Also , solutions which address the use of open source code have to start with identifying the OSS packages being used , called directly by application code or included indirectly .
The next step is understanding if any of the packages being used contain vulnerabilities , prioritising vulnerabilities

Open source supply chain attacks are designed to confuse developers . and providing information about mitigating them .

This is all part of Software Composition Analysis . Organisations are now demanding that SCA go further to include hunting for malicious packages in OSS dependencies .
What tools and technologies do organisations need to be able to take a proactive approach to defence ?
Checkmarx offers three great open source products ( Chain Alert , DustiLock and ChainJacking ) that help developers safeguard their environments against a number of supply chain attacks . This technology is available in Checkmarx SCA and constantly runs in the background , helping enterprises build a process for vetting open source packages for not only known vulnerabilities , but for malicious packages too . www . intelligentciso . com
75