
Supply chain attacks against the open source ecosystem soar by 650% – report


Emma Woollacott

15 September 2021 at 13:49 UTC

Updated: 15 September 2021 at 13:51 UTC

Dependency confusion has quickly become the attack method of choice


The past year has seen a huge rise in the number of software supply chain attacks aimed at upstream public repositories, a new report has revealed.

According to Sonatype’s annual State of the Software Supply Chain Report, such attacks numbered more than 12,000 – a 650% rise on 2020, which itself showed a 430% increase on 2019.

‘Dependency confusion’ attacks have quickly become the most common form of attack since the technique emerged in February, the report finds.
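The article names dependency confusion as the leading attack type but does not show how a team can check its own builds for it. The Python check below is an added example, not code from the article or from Sonatype. It reads an npm package-lock.json (v2/v3 layout, where each entry carries a "resolved" tarball URL) and flags any package that belongs to an internal scope or name list yet was fetched from somewhere other than the organisation's private registry. The @acme/ scope, the acme-utils name, the host npm.internal.example and the lockfile contents are all constructed placeholders.

```python
"""Lockfile check for dependency-confusion exposure.

Added example, not code from the article or from Sonatype. Assumes an
npm-style package-lock.json "packages" map in which each entry has a
"resolved" URL, plus an allow-list of package names or scopes that must
only ever be served by the organisation's private registry.
"""
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed package-lock.json. The @acme scope and the
# bare name "acme-utils" are assumed to be internal packages; the registry
# host npm.internal.example is a placeholder.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@acme/auth": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.example/@acme/auth/-/auth-2.3.1.tgz",
        },
        "node_modules/acme-utils": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/acme-utils/-/acme-utils-9.9.9.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})

# Entries ending in "/" are scope prefixes; anything else is an exact name.
INTERNAL_NAMES = {"@acme/", "acme-utils"}
PRIVATE_REGISTRY_HOST = "npm.internal.example"


def package_name(lock_path):
    """Map a lockfile path to a package name.

    'node_modules/@acme/auth' -> '@acme/auth'; for nested installs the
    segment after the last 'node_modules/' is the package itself.
    """
    return lock_path.rsplit("node_modules/", 1)[-1]


def is_internal(name, internal_names=INTERNAL_NAMES):
    """True if the name matches an internal scope prefix or exact name."""
    return any(
        name == n or (n.endswith("/") and name.startswith(n))
        for n in internal_names
    )


def find_confused_dependencies(lockfile_text, internal_names=INTERNAL_NAMES,
                               private_host=PRIVATE_REGISTRY_HOST):
    """Return {package_name: resolved_host} for internal packages that were
    not resolved from the private registry (a dependency-confusion signal)."""
    lock = json.loads(lockfile_text)
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        if not is_internal(name, internal_names):
            continue
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or "<no resolved url>"
        if host != private_host:
            findings[name] = host
    return findings


if __name__ == "__main__":
    for name, host in find_confused_dependencies(SAMPLE_LOCKFILE).items():
        print(f"{name}: resolved from {host}, expected {PRIVATE_REGISTRY_HOST}")
```

Running the check on the sample flags acme-utils, which the lockfile pulled from the public registry at a suspiciously high version, while @acme/auth passes because it came from the private host. Wiring a check like this into CI turns the article's headline risk into a concrete, repeatable control: the lockfile is the record of what the build actually fetched, so it catches the case where a registry fallback or misconfigured scope silently preferred the public copy.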


Whereas software supply chain exploits have in the past tended to take advantage of publicly disclosed open source vulnerabilities left unpatched in the wild, the new breed of upstream attack is more sinister, says Sonatype.

Instead of passively waiting for vulnerability disclosures, many attackers are proactively injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting the vulnerabilities they’ve created.

Popular versus unpopular projects

Sonatype, a DevSecOps automation specialist, also found that almost three in 10 of the most popular Java, JavaScript, Python, and .NET projects contain at least one known security vulnerability, compared with just 6.5% of relatively seldom used projects.

However, the most widely used projects are more likely to have effective remediation processes in place, according to Matt Howard, SVP and CMO of Sonatype.

“While more popular projects have more known vulnerabilities overall, developers using them are also less likely to be caught in a situation where there is a known vulnerability but no remediation path,” he tells The Daily Swig.

“This suggests that leveraging popular projects can be a great option, but only if you are able to actively manage those dependencies and ensure you are moving to newer and non-vulnerable versions in a timely manner.”


Worryingly, the report revealed a disconnect between reality and perception where security is concerned.

While development teams believe they are doing a good job fixing defective components and think they understand where risk resides, the objective data tells a different story, argues Sonatype. In fact, says the report, they make suboptimal choices 69% of the time when updating third-party dependencies.


“When we compare these answers to the objective analysis we did around 100,000 applications, it’s clear the majority of development teams are not actively practising the kind of hygiene indicated in the survey responses,” says Howard.

“Objectively, the research shows that most development teams are not following structured guidance with regard to dependency management and, as a result, they are not actively remediating known risk within their software supply chains.”

Automating away errors

Sonatype believes that automation could be the answer. Equipped with intelligent automation, it says, a medium-sized enterprise with 20 application development teams would save a total of 160 developer days a year, representing $192,000.

“The cost of performing suboptimal upgrades to a single component, for a single team, for a single application is small,” says Howard. “However, when considering the fact that only 31% of upgrade decisions examined in our study were optimal, it’s easy to see how much time and effort developers could save by consistently making better upgrade decisions.”

The importance of getting these decisions right was underlined last week when GitHub identified several high-severity vulnerabilities in the Node.js packages tar and @npmcli/arborist, which could be exploited to achieve arbitrary code execution.

The past year has seen several high-profile software supply chain attacks, including the SolarWinds hack that affected around 18,000 of the firm’s customers, and the ransomware attack that encrypted the data of more than 1,000 Kaseya VSA customers.

