There is a complex web of interdependencies necessary to source, process, manufacture and transport goods that must occur before a vehicle is available on a dealer lot, a product is on the Target shelf or the Amazon delivery guy shows up at your door. The same goes for today’s software. There is a supply chain of software code involved in delivering an application or service, and attackers take advantage of its weaknesses.
Understand the supply chain
Supply chain is one of those things that has always been there, but most people didn’t know about it and never thought about it. We buy, buy and consume without understanding or considering the many moving parts that must line up to produce goods.
An apple grows on a tree. It’s relatively simple. However, getting the apple from the tree to the produce section of your grocery store requires effort to plant, grow, harvest, sort, clean and transport the apples. Many factors such as extreme weather conditions, fuel prices, worker skills and availability, etc., all impact the supply chain.
Supply chain risk
Ripple effects in the supply chain are responsible for a number of global issues right now. Seemingly unrelated events at the start of the supply chain can spill over and amplify into huge production challenges at the other end. The Covid pandemic, climate change and other factors continue to disrupt regions and industries in ways that impact everyone around the world.
There is also a growing supply chain risk for cybersecurity. Successfully attacking thousands of targets is a Herculean task. Threat actors have recognized that they can compromise a target further upstream in the supply chain and leverage that to gain access to the thousands of businesses or individuals that depend on that target.
Open source supply chain
A Checkmarx blog post explains: “Today’s attackers realize that by infecting the open source supply chain of libraries, packages, components, modules, etc., in the context of open source repositories, a whole new Pandora’s box can be opened. And as we all know, once you’ve opened that box, it’s almost impossible to close it.”
The attack on SolarWinds in late 2020 was a supply chain attack. Businesses and government agencies around the world use SolarWinds software. Hackers were able to compromise SolarWinds software and embed malicious code into it, which was then downloaded and executed by thousands of customers.
Researchers discussed these questions at the RSA Security Conference 2022 in June. Erez Yalon, vice president of security research at Checkmarx, and Jossef Harush Kadouri, engineering manager for supply chain security at Checkmarx, presented the session titled “The Simple, But Deadly Anatomy of a Software Supply Chain Attack,” which revealed insightful research and provided an attacker’s perspective on open source flows and vulnerabilities, and on how threat actors can take advantage of weaknesses in the software supply chain.
Software supply chain hijacking
Nation-state attackers and cybercriminals typically seek the path of least resistance, which is why software supply chain hijacking is a growing threat. I spoke with Erez, and with Tzachi (Zack) Zornstain, software supply chain manager at Checkmarx, about the growing risk.
Zack noted that the way developers write code and build software has evolved. The move from Waterfall to Agile and now to DevOps principles has accelerated and fundamentally changed the process. “There has been a huge increase in the speed and velocity of change over the past five years. We are moving towards a future, or even a present already, that has many more moving parts. Suddenly, application security is no longer just about your code, but about the containers, third parties, open source, and APIs that communicate with each other. Everything there is kind of connected in all these little building blocks, and what we see is the attackers heading towards it.”
Part of this change has been an increased use of and reliance on open source code. “80% of the lines of code are from open source,” Erez said. “So it’s not a small part of the code. Most modern application code comes from open source.”
Leveraging open source code makes sense. It is more expedient to incorporate open source code that performs the required function. There’s also no point in duplicating efforts and reinventing the wheel if the code already exists. However, developers and organizations using these applications should be aware of the implications of these choices.
The thing about open source software is that anyone can contribute or modify the code, and no one is designated as “responsible” for fixing vulnerabilities or validating that it’s secure. It’s a community effort. The belief is that exposing it to the public makes it safer because it’s open for anyone to see the code and troubleshoot.
But there are thousands and thousands of open source projects out there, and many of them are more or less abandoned. They are actively used, but not necessarily actively maintained. The original developers have daily lives and jobs. Open source code is provided for free, so there is little incentive to invest continuous effort in monitoring and updating it.
Erez and Zack shared with me some examples of very popular open source code components modified in ways that compromise millions of devices running apps that leverage the open source code. One was an example of attackers hijacking a developer’s account of widely used open source code and embedding malicious code into it. The code has been used and trusted for years, and the developer had an established reputation, so it never occurred to anyone to question or distrust the code.
That was a malicious takeover. The other example illustrates how hijacking of the software supply chain can also pose a threat when the change is intentional on the maintainer’s part. Erez and Zack told me about a developer of a popular open source package who changed his code to support Ukraine in the wake of the Russian invasion. The code was modified to effectively block or erase computers in Russia. He didn’t hide the update: the change was made public and he was clear about his motives. However, few organizations in Russia that rely on his code are actually aware that they are using it, and even fewer would have any reason to read his posts or monitor changes on GitHub.
Software supply chain hijacking, and software supply chain issues in general, will continue to put organizations at risk. Erez summed up: “Fundamentally, the question is, whose responsibility is it? We believe that because it’s our software, it’s our responsibility.”
Organizations cannot afford to assume that the open source code running in their environments is secure. Nor can they assume that, just because the developer has a strong reputation, the open source code has excellent reviews, and the code has been used safely for years, it is inherently reliable. Erez added, “It’s our job to make sure things actually work as planned.”
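Both cases above (a hijacked maintainer account and a maintainer’s own deliberate change) share one property: the artifact your build pulls in today is no longer the one that was reviewed. The check below pins each dependency to the digest of the reviewed artifact and fails the build on any drift, unpinned addition, or missing pin. It is an added example, not code from Checkmarx or from the article; the package names, artifact bytes and lockfile layout are constructed.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes (the value recorded in the lockfile)."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts as they looked when they were reviewed and pinned.
REVIEWED = {
    "example-pad": b"def pad(s, n):\n    return s.rjust(n)\n",
    "example-color": b"def colorize(s):\n    return s\n",
}

# Constructed lockfile: exact version plus the digest of the reviewed artifact.
LOCKFILE = {
    name: {"version": "1.0.0", "sha256": sha256_hex(data)}
    for name, data in REVIEWED.items()
}

# Constructed "what the registry served today": one package unchanged, one
# silently modified upstream (same name, new content), one never pinned at all.
FETCHED_TODAY = {
    "example-pad": REVIEWED["example-pad"],
    "example-color": b"def colorize(s):\n    return s\n# unexpected new code\n",
    "example-new": b"print('not in the lockfile')\n",
}


def verify_dependencies(lockfile: dict, fetched: dict) -> list:
    """Return (name, finding) pairs; an empty list means the build may proceed."""
    findings = []
    for name, data in fetched.items():
        pin = lockfile.get(name)
        if pin is None:
            findings.append((name, "unpinned: not present in lockfile"))
            continue
        # Constant-time compare keeps the digest check free of timing quirks.
        if not hmac.compare_digest(sha256_hex(data), pin["sha256"]):
            findings.append((name, "digest mismatch: artifact changed since review"))
    for name in lockfile:
        if name not in fetched:
            findings.append((name, "missing: pinned dependency was not fetched"))
    return findings


if __name__ == "__main__":
    for name, finding in verify_dependencies(LOCKFILE, FETCHED_TODAY):
        print(f"BLOCK {name}: {finding}")
```

A real lockfile (npm’s `integrity` field, pip’s `--require-hashes`) records the same kind of digest; the point is that reputation and years of safe use are not inputs to the check, only the bytes are.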