SD Times
July 2021
www.sdtimes.com
INDUSTRY SPOTLIGHT
How Hackers Can Poison Your Code

Hackers are always looking for new ways to compromise applications. As languages, tools and architectures evolve, so do application exploits. And the latest target is developers.

Traditionally, software supply chain exploits, such as the Struts incident at Equifax, depended on an organization's failure to patch a known vulnerability. More recently, supply chain attacks have taken a more sinister turn because bad actors are no longer waiting for public vulnerability disclosures. Instead, they're injecting malicious code into open-source projects, or building malicious components that feed the global supply chain.

No one in the enterprise, including developers, knows all of the components that an application comprises, nor do they understand all the dependencies associated with those components. It's a potential liability issue that, combined with a demand for greater transparency, has fueled the adoption of software composition analysis (SCA) and software bill-of-materials (SBOM) tools.

"We've created package managers that make it easy and fast for developers to reuse binary components, which arguably makes them more productive, but those tools also introduce transitive dependencies," said Brian Fox, CTO of Sonatype. "If I pull one thing, that thing pulls in its dependencies, and in Java it's not uncommon to see a 10x or even 100x explosion. In JavaScript it's even worse, 100x to 1,000x."

Next-Gen Supply Chain Attacks Growing

According to Sonatype's 2020 State of the Software Supply Chain report, the number of next-generation cyberattacks actively targeting open-source projects has been rising rapidly. From February 2015 to June 2019, 216 such attacks were recorded. Then, from July 2019 to May 2020, an additional 929 attacks occurred. These next-generation supply chain attacks are increasing for three reasons.

First, open-source projects rely on contributions from thousands of volunteer developers, and it's difficult or impossible to discern between members with good or malicious intent.

Second, when malicious code is secretly injected "upstream" and reaches the developer via open source, it's highly likely that no one realizes the malware exists except the person who planted it. This approach allows adversaries to surreptitiously set traps upstream and carry out attacks downstream once the tainted component has moved through the supply chain into the wild.

Finally, open-source projects typically incorporate hundreds or thousands of dependencies from other open-source projects, many of which contain known vulnerabilities. While some open-source projects demonstrate exemplary hygiene as measured by mean time to remediate (MTTR) and mean time to update (MTTU), many others do not.

Why Approved Component Lists Don't Help

The dynamic nature of software development is at odds with approved component lists because the lists are not updated as often as they should be. The task is too complex and time-consuming for humans. "There are millions of components if you include the multiple ecosystems that are out there, and they're changing four, 10, 100 times a year. How can you be sure that what was okay a year ago is still okay?" said Fox. "People are still using Struts because it's on their approved list even though it's been a level 10 vulnerability for about 15 years now."

Modern enterprises need the ability to define policies that can be applied to individual components, whether the rule is based on licensing, the age of the component, the popularity of the component or other criteria. Once a policy has been defined, it can be executed automatically. "With tooling, you can inspect the software, run those policies, understand why a certain component wasn't used in this application and recommend a better one. By codifying all that, you can avoid walking over to legal, architecture or security to ask permission," said Fox.

While static and dynamic analysis tools help identify problems in code, their capabilities may not extend to third-party code because there are too many code paths to evaluate. So, the vast majority of code may not be scanned. In addition, when a developer downloads and runs a malicious component, that component could install a back door on the developer's system. Similarly, once a continuous integration server builds with that component, the poisoned code can seep even further into the pipeline.

"Attackers are now focused on the developers and the development infrastructure as the way into the organization," said Fox. "That way, they can bypass all the enterprise security stuff like firewalls. By abstracting the sheer complexity of applications' components and their dependencies into policies, you can provide developers with guardrails that help improve application security, and those developers don't have to ask others in the organization for permission every time."

Learn more at www.sonatype.com.

Content provided by SD Times and
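The transitive explosion Fox describes and the contrast between an approved component list and a rule-based policy can both be made concrete in a few dozen lines. What follows is an added illustrative example, not code from the article and not Sonatype's product: it walks a small, constructed dependency graph for a hypothetical application (myapp-web, with a real Struts 2 artifact name but constructed edges and release dates, plus a hypothetical some-gpl-lib), counts how many components each direct dependency actually pulls in, then evaluates the same graph two ways: against a name-only approved list, and against rules on license, age and known vulnerabilities, reporting for each finding the path that explains why the component is present. The advisory feed is constructed in the shape of a vulnerability database; its single entry, CVE-2017-5638 fixed in Struts 2.3.32, is the real Struts flaw behind the Equifax breach. The thresholds (three-year age limit, CVSS 7.0, a GPL-3.0-only denylist) and the fixed evaluation date are assumptions chosen for the example.

```python
"""Approved list vs. policy-as-code over a dependency graph (added example, not Sonatype code).

Component metadata, dependency edges, release dates and the advisory feed are constructed
sample data; only CVE-2017-5638 / fixed-in 2.3.32 is a real advisory.
"""
from dataclasses import dataclass, field
from datetime import date

AS_OF = date(2021, 7, 1)            # assumed evaluation date, fixed so results are reproducible
MAX_AGE_DAYS = 3 * 365              # assumed policy: flag releases older than about 3 years
CVSS_BLOCK = 7.0                    # assumed policy: block known vulns at or above this score
DENIED_LICENSES = {"GPL-3.0-only"}  # assumed policy: licenses incompatible with the product


@dataclass
class Component:
    name: str
    version: str
    license: str
    released: date
    depends_on: list = field(default_factory=list)  # keys of the form "name@version"

    @property
    def key(self):
        return f"{self.name}@{self.version}"


# Constructed graph: a hypothetical application with three direct dependencies.
COMPONENTS = {c.key: c for c in [
    Component("myapp-web", "1.0", "Proprietary", date(2021, 6, 1),
              ["struts2-core@2.3.20", "jackson-databind@2.12.3", "some-gpl-lib@1.4"]),
    Component("struts2-core", "2.3.20", "Apache-2.0", date(2014, 12, 7),
              ["xwork-core@2.3.20", "ognl@3.0.6", "freemarker@2.3.19"]),
    Component("xwork-core", "2.3.20", "Apache-2.0", date(2014, 12, 7),
              ["ognl@3.0.6", "commons-lang3@3.2"]),
    Component("ognl", "3.0.6", "BSD-3-Clause", date(2013, 4, 1)),
    Component("freemarker", "2.3.19", "BSD-3-Clause", date(2012, 2, 29)),
    Component("commons-lang3", "3.2", "Apache-2.0", date(2014, 1, 1)),
    Component("jackson-databind", "2.12.3", "Apache-2.0", date(2021, 4, 6),
              ["jackson-core@2.12.3"]),
    Component("jackson-core", "2.12.3", "Apache-2.0", date(2021, 4, 6)),
    Component("some-gpl-lib", "1.4", "GPL-3.0-only", date(2020, 9, 1)),  # hypothetical name
]}

# Constructed advisory feed: name -> [(fixed_in, advisory id, CVSS)]. The entry is real.
VULN_FEED = {"struts2-core": [("2.3.32", "CVE-2017-5638", 10.0)]}

# Name-only approved list, the model the article argues against: it has no notion of version.
APPROVED = {"struts2-core", "xwork-core", "ognl", "freemarker", "commons-lang3",
            "jackson-databind", "jackson-core", "some-gpl-lib"}


def vtuple(v):
    """Numeric tuple for ordering simple x.y.z versions (qualifiers are not handled)."""
    return tuple(int(p) for p in v.split("."))


def reachable(root_key, components=COMPONENTS):
    """Transitive closure of root_key: every pulled-in component mapped to the path that
    first reached it (the 'why is this here?' a developer needs)."""
    paths = {}
    stack = [(root_key, [root_key])]
    while stack:
        key, path = stack.pop()
        for dep in components[key].depends_on:
            if dep not in paths:  # first path wins; also terminates on cycles
                paths[dep] = path + [dep]
                stack.append((dep, paths[dep]))
    return paths


def explosion(root_key, components=COMPONENTS):
    """(declared direct dependencies, total components actually pulled in)."""
    return len(components[root_key].depends_on), len(reachable(root_key, components))


def allowlist_check(root_key, allowlist, components=COMPONENTS):
    """Approved-list model: any version of an approved name passes."""
    return sorted(k for k in reachable(root_key, components)
                  if components[k].name not in allowlist)


def policy_check(root_key, components=COMPONENTS, feed=VULN_FEED, as_of=AS_OF):
    """Rule-based policy per component: {key: {'via': path, 'problems': [(rule, reason)]}}."""
    findings = {}
    for key, path in reachable(root_key, components).items():
        c, problems = components[key], []
        if c.license in DENIED_LICENSES:
            problems.append(("license", f"{c.license} is on the denylist"))
        age = (as_of - c.released).days
        if age > MAX_AGE_DAYS:
            problems.append(("age", f"released {age} days before {as_of}"))
        for fixed_in, vuln_id, cvss in feed.get(c.name, []):
            if vtuple(c.version) < vtuple(fixed_in) and cvss >= CVSS_BLOCK:
                problems.append(("vuln", f"{vuln_id} CVSS {cvss}; upgrade to {fixed_in}"))
        if problems:
            findings[key] = {"via": " -> ".join(path), "problems": problems}
    return findings


if __name__ == "__main__":
    root = "myapp-web@1.0"
    direct, total = explosion(root)
    print(f"{direct} direct dependencies pull in {total} components")
    print("approved-list violations:", allowlist_check(root, APPROVED) or "none")
    for key, f in policy_check(root).items():
        print(f"{key}  (via {f['via']})")
        for rule, reason in f["problems"]:
            print(f"    [{rule}] {reason}")
```

Run as a script, the approved-list check reports no violations because every name on the graph is "approved", while the policy check flags struts2-core@2.3.20 on both the age rule and the vulnerability rule and names the version to upgrade to. The same walk that finds the violations records the dependency path, so a finding on a component the developer never declared still shows which direct dependency dragged it in.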