Software Supply Chain Security
@Sonatype

Enhancing software supply chain security is a priority issue for the open-source community. Recent exploitations such as Codecov, SolarWinds, Accellion and a few others have caused businesses financial damage and a loss of trust.

Here I would like to start by sharing findings from Sonatype's 8th Annual State of the Software Supply Chain Report.

[Image: Sonatype's 8th Annual State of the Software Supply Chain]

After careful analysis of the findings in this report, this article reflects on the good practices that create ideal outcomes and, likewise, the poor practices that produce problems. As always, the goal of this article and those that follow is to encourage developer-level practices that improve software supply chain security and create fulfilling work experiences, based on the following:

  • Ongoing growth of the software supply chain, as well as persistent security concerns.
  • Insights on choosing the best dependencies for projects.
  • Developer behavior and recommendations.
  • A look at enlightened supply chain management and perception versus reality for maturity.
  • Current and upcoming regulation status on an international level.

Let us go through them one by one:

Open-source Supply, Demand and Security

The supply of open source continues to grow at an impressive rate. The expansion of the overall volume available combined with the increase in consumption means threats also continue to expand in scope, impact, and volume.

As per the report, software supply chain attacks increased another 633% year over year, for an average annual increase of 742% in software supply chain attacks over the past three years.

Now let us look at some of the key tactics used in software supply chain attacks.

  1. Dependency confusion: A form of attack relying on spoofing internal package names and publishing them to an open source registry with an abnormally high version number.
  2. Malicious code injection: A type of attack that leverages a popular component as a vector for the malicious payload. It relies on an adversary gaining access to the source code of a library, either through compromise or by pretending to be a benevolent open source committer.
  3. Typosquatting: An attack that relies on the simple technique of misspelling the name of a popular component and waiting for developers to mistakenly download the wrong one.
  4. Protestware: An attack where a maintainer deliberately sabotages their own project to cause harm or malfunction in a way that disrupts its adopters' work.

Lessons learned from Log4Shell

  • It’s not only the direct inclusion of the code that matters. It’s also the indirect inclusion of all kinds.
  • Dependencies may be pulled in as part of a transitive dependency chain for a given program.
  • Dependencies might also be embedded into other software in use.
  • It’s not enough to know where developers are using Log4j-core directly.
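As an added example (not code from the article or from the Sonatype report), the following Python script audits a constructed, resolved dependency graph: it enumerates every path, direct or transitive, by which log4j-core is pulled in, and it flags packages that match the tactics listed above, either an internal-looking name (assumed prefix acme-) served from a public registry, or a name one typo away from a well-known package. All package names, versions and registry labels are constructed sample data.

```python
from collections import deque
from difflib import SequenceMatcher

# Constructed sample graph: name -> (version, registry it resolved from, dependencies).
RESOLVED = {
    "billing-app": ("1.0.0", "internal", ["spring-boot", "audit-lib", "acme-auth", "reqeusts"]),
    "spring-boot": ("2.7.0", "public", ["log4j-api", "some-lib"]),
    "some-lib":    ("3.1.0", "public", ["log4j-core"]),
    "audit-lib":   ("1.2.0", "public", ["log4j-core"]),
    "log4j-api":   ("2.14.1", "public", []),
    "log4j-core":  ("2.14.1", "public", []),
    "acme-auth":   ("99.0.0", "public", []),   # internal-looking name, public registry, huge version
    "reqeusts":    ("2.28.0", "public", []),   # one typo away from "requests"
}

INTERNAL_PREFIXES = ("acme-",)                 # assumed internal namespace
WELL_KNOWN = {"requests", "spring-boot", "log4j-core"}


def paths_to(graph, root, target):
    """Return every dependency path from root to target, direct or transitive (BFS)."""
    found = []
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for dep in graph.get(path[-1], ("", "", []))[2]:
            if dep not in path:                # guard against dependency cycles
                queue.append(path + [dep])
    return found


def suspicious_packages(graph):
    """Flag dependency-confusion candidates and typosquat look-alikes."""
    flags = []
    for name, (version, source, _) in graph.items():
        if name.startswith(INTERNAL_PREFIXES) and source != "internal":
            flags.append((name, f"internal name resolved from {source} registry at {version}"))
        for known in WELL_KNOWN:
            if name != known and SequenceMatcher(None, name, known).ratio() > 0.85:
                flags.append((name, f"looks like '{known}'"))
    return flags


if __name__ == "__main__":
    for p in paths_to(RESOLVED, "billing-app", "log4j-core"):
        print(" -> ".join(p))
    for name, why in suspicious_packages(RESOLVED):
        print(f"{name}: {why}")
```

Run against a real SBOM or lockfile, the same two checks answer the Log4Shell question (every route by which log4j-core arrives) and surface the first two tactics before a build resolves them.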

Thanks for reading this article; in subsequent posts I will focus on other attributes of software supply chain security.

Please share your feedback and suggestions in the comment box. Do like and share with others if you find this work interesting.


Reference: Open Source Dependency Management: Trends and Recommendations (sonatype.com)

In the last 3 years there has been a huge increase in software supply chain attacks. As per a report published by Sonatype, "software supply chain attacks increased another 633% YoY, averaging a 742% average annual increase in software supply chain attacks over the past three years." It's time for security architects and security practitioners to pay attention to transitive dependencies and secure the software supply chain.
