Identifying OSS Security Risks To Safeguard Software Supply Chains

Uploaded on 2024-03-05 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Software development has seen something of a revolution over the past decade, with the leading force behind this being the rise of open source. Alongside the rise of open source software (OSS) itself, a dedicated community has formed leading to the creation of repositories where software packages can be held, shared and utilised. Of these, the npm stands out as one of the world's largest software development tools and repositories dedicated to housing JavaScript packages.

Despite the obvious advantages of open source, it’s not immune from misuse, with bad actors utilising repositories to disseminate compromised software and threaten the security of the overall software supply chain.

A recent npm registry violation has shown just how quickly these threats can arise, highlighting the urgent need for organisations to strengthen their risk management strategies.

Misuse of Open Source Repositories

The npm registry plays a crucial role for developers, allowing them to publish and access software components effortlessly. Sonatype recently discovered a significant surge in multimedia packages flooding the npm registry from a user named 'wlwz.' While multimedia assets are often a legitimate part of software applications, this particular asset dump was noteworthy because of its volume (748 packages were uploaded) and content – each package contained partial video clips, which appear to be extracted movies from pirated Blu-Rays and DVDs. 

Though pirated content may seem to be a relatively minor violation, even minor misuse of OSS carries significant dangers as it clouds the clarity of these repositories, and goes directly against their intended purpose, which is to host software projects. Operating in a muddied environment makes it easier for malicious actors to disguise harmful components, making it difficult for developers to distinguish between legitimate software and potentially malicious components. Developers may unknowingly integrate these components into their projects as a result, posing a serious risk to the integrity and security of the software.

The Content Verification Challenge

Over the last two to three years, there have been hundreds of reports about OSS registries being infiltrated by crypto-miners, spam packages, and dependency confusion attacks. Alongside unintentionally disseminating malware, registries can have OSS components that are vulnerable to zero-day attacks, like Log4Shell. These incidents reflect a concerning trend in the evolution of user tactics, with attackers demonstrating greater complexity and sophistication in their methods. Unchecked, attacks like these threaten the integrity of entire repositories which, due to their widespread use, threatens the entire software supply chain.

The SolarWinds Orion Platform hack is an example of how widespread and devastating these attacks can be. Malicious code can undermine software hygiene, leading to data breaches, interconnected system intrusions, and system compromises. The infiltrations extend the risk to customers, partners, and stakeholders, resulting in reputational damage and financial losses.

With such high stakes, one of the key challenges developers face is distinguishing between legitimate and malicious packages on OSS repositories. While some multimedia assets may not be dangerous, others could conceal harmful payloads like trojan malware and other malicious programs.

Robust security measures and continuous monitoring are crucial to detect and mitigate such threats effectively, safeguarding the software supply chain's resilience against future breaches.

Importance Of Security

Bad actors don’t just rely on highly choreographed and sophisticated attacks, sometimes their tactics are relatively benign. Some of these are insidiously simple but nonetheless effective. These tactics include account takeovers, brand jacking, and typosquatting – where attackers upload corrupted packages with names similar to popular ones already in use.

Distinguishing between legitimate and malicious code on OSS registries presents a significant challenge. The sheer scale of this issue and the variety of tactics unfortunately means that human intelligence alone cannot adequately monitor every package and identify the corrupted ones. Multiply this by the number of dependencies on any given software package and the true scope of the problem comes to light. Therefore, it's vital to stress the importance of implementing effective DevSecOps solutions with automation to help uphold platform integrity.

Misuse of open source registries poses risks that escalate through the development lifecycle. Hosting illicit content undermines trust and security, as it can potentially impact interconnected systems. Considering that vulnerabilities can have far-reaching consequences and threaten the resilience and trustworthiness of the entire software supply chain, protecting these platforms is critical.

Safeguarding The Software Supply Chain

Safeguarding the software supply chain is a shared responsibility for developers, administrators, and organisations. Enforcing strict security protocols and upholding platform terms of service are crucial steps in discouraging non-software content hosting and maintaining platform integrity. Developers must adhere to industry best practices and refrain from uploading irrelevant content to ensure the reliability of software components.

By raising awareness about misuse and implementing these preventive measures, the open source community can effectively mitigate the risks posed by repository misuse and maintain the integrity of the software supply chain. Partnerships and vigilance will ensure that open source remains a trusted and valuable resource for developers worldwide in their new project builds. 

Ax Sharma is a Security Researcher at Sonatype 

Image: Ideogram

You Might Also Read: 

Cyber Criminals Exploit Legitimate Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Surge in “Hunter-Killer” Malware

« British Navy Combines With The Japanese Military To Counter Cyber Attacks
Insights From An Early Adopter Of Microsoft 365 Copilot »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

totemo

totemo

Totemo offers solutions for the secure exchange of business information.

Redshift Consulting

Redshift Consulting

Redshift is an information management and information security consulting company offering a full range of services from infrastructure design to security assessments and network monitoring.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

Agility Networks

Agility Networks

Agility Networks is a technology company providing integrated services and solutions for Digital Transformation and Cyber Security.

Rule4

Rule4

Rule4 is a global professional services firm that provides practical, real-world knowledge and solutions in areas including cybersecurity, AI, Machine Learning and industrial control systems.

Panorays

Panorays

Panorays automates third-party security lifecycle management. It is a SaaS-based platform, with no installation needed.

PixelPlex

PixelPlex

PixelPlex is a blockchain and custom software development company with offices and developers in New York, Geneva, and Seoul.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

AWS Marketplace eBook: Optimizing your cloud deployments to accelerate cloud activities, reduce costs, and improve customer experience.

BriskInfosec Technology & Consulting

BriskInfosec Technology & Consulting

BriskInfosec provides information security services, products and compliance solutions to our customers.

Raman Power Technologies

Raman Power Technologies

Raman Power Technologies focus on bringing value and solving business challenges through the delivery of modern IT services and solutions including cybersecurity.

Cloud Seguro

Cloud Seguro

Cloud Seguro are leaders in the development of cloud solutions, Ethical Hacking, Privacy and Information Security.

Darknone Global

Darknone Global

Darknone is a consortium of elite hackers and security leaders united by an unbridled passion for augmenting the security of the digital realm.

SIEM Xpert

SIEM Xpert

SIEM Xpert is a leader in Cyber Security Trainings and services since 2015.

Clumio

Clumio

Clumio provides autonomous backup and recovery for critical cloud data.