Identifying OSS Security Risks To Safeguard Software Supply Chains

Uploaded on 2024-03-05 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Software development has seen something of a revolution over the past decade, with the leading force behind this being the rise of open source. Alongside the rise of open source software (OSS) itself, a dedicated community has formed leading to the creation of repositories where software packages can be held, shared and utilised. Of these, the npm stands out as one of the world's largest software development tools and repositories dedicated to housing JavaScript packages.

Despite the obvious advantages of open source, it’s not immune from misuse, with bad actors utilising repositories to disseminate compromised software and threaten the security of the overall software supply chain.

A recent npm registry violation has shown just how quickly these threats can arise, highlighting the urgent need for organisations to strengthen their risk management strategies.

Misuse of Open Source Repositories

The npm registry plays a crucial role for developers, allowing them to publish and access software components effortlessly. Sonatype recently discovered a significant surge in multimedia packages flooding the npm registry from a user named 'wlwz.' While multimedia assets are often a legitimate part of software applications, this particular asset dump was noteworthy because of its volume (748 packages were uploaded) and content – each package contained partial video clips, which appear to be extracted movies from pirated Blu-Rays and DVDs. 

Though pirated content may seem to be a relatively minor violation, even minor misuse of OSS carries significant dangers as it clouds the clarity of these repositories, and goes directly against their intended purpose, which is to host software projects. Operating in a muddied environment makes it easier for malicious actors to disguise harmful components, making it difficult for developers to distinguish between legitimate software and potentially malicious components. Developers may unknowingly integrate these components into their projects as a result, posing a serious risk to the integrity and security of the software.

The Content Verification Challenge

Over the last two to three years, there have been hundreds of reports about OSS registries being infiltrated by crypto-miners, spam packages, and dependency confusion attacks. Alongside unintentionally disseminating malware, registries can have OSS components that are vulnerable to zero-day attacks, like Log4Shell. These incidents reflect a concerning trend in the evolution of user tactics, with attackers demonstrating greater complexity and sophistication in their methods. Unchecked, attacks like these threaten the integrity of entire repositories which, due to their widespread use, threatens the entire software supply chain.

The SolarWinds Orion Platform hack is an example of how widespread and devastating these attacks can be. Malicious code can undermine software hygiene, leading to data breaches, interconnected system intrusions, and system compromises. The infiltrations extend the risk to customers, partners, and stakeholders, resulting in reputational damage and financial losses.

With such high stakes, one of the key challenges developers face is distinguishing between legitimate and malicious packages on OSS repositories. While some multimedia assets may not be dangerous, others could conceal harmful payloads like trojan malware and other malicious programs.

Robust security measures and continuous monitoring are crucial to detect and mitigate such threats effectively, safeguarding the software supply chain's resilience against future breaches.

Importance Of Security

Bad actors don’t just rely on highly choreographed and sophisticated attacks, sometimes their tactics are relatively benign. Some of these are insidiously simple but nonetheless effective. These tactics include account takeovers, brand jacking, and typosquatting – where attackers upload corrupted packages with names similar to popular ones already in use.

Distinguishing between legitimate and malicious code on OSS registries presents a significant challenge. The sheer scale of this issue and the variety of tactics unfortunately means that human intelligence alone cannot adequately monitor every package and identify the corrupted ones. Multiply this by the number of dependencies on any given software package and the true scope of the problem comes to light. Therefore, it's vital to stress the importance of implementing effective DevSecOps solutions with automation to help uphold platform integrity.

Misuse of open source registries poses risks that escalate through the development lifecycle. Hosting illicit content undermines trust and security, as it can potentially impact interconnected systems. Considering that vulnerabilities can have far-reaching consequences and threaten the resilience and trustworthiness of the entire software supply chain, protecting these platforms is critical.

Safeguarding The Software Supply Chain

Safeguarding the software supply chain is a shared responsibility for developers, administrators, and organisations. Enforcing strict security protocols and upholding platform terms of service are crucial steps in discouraging non-software content hosting and maintaining platform integrity. Developers must adhere to industry best practices and refrain from uploading irrelevant content to ensure the reliability of software components.

By raising awareness about misuse and implementing these preventive measures, the open source community can effectively mitigate the risks posed by repository misuse and maintain the integrity of the software supply chain. Partnerships and vigilance will ensure that open source remains a trusted and valuable resource for developers worldwide in their new project builds. 

Ax Sharma is a Security Researcher at Sonatype 

Image: Ideogram

You Might Also Read: 

Cyber Criminals Exploit Legitimate Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Surge in “Hunter-Killer” Malware

« British Navy Combines With The Japanese Military To Counter Cyber Attacks
Insights From An Early Adopter Of Microsoft 365 Copilot »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

Computest

Computest

Computest security testing services include Mobile app security, Vulnerability assessments, Attack & penetration testing, Security awareness training, Network security assessments.

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) is the Directorate of MCIT responsible for the security of critical information infrastructures in Afghanistan.

Carbonite

Carbonite

Carbonite offers all the tools necessary for protecting data from the most common forms of data loss, including ransomware, accidental deletions, hardware failures and natural disasters.

CyberGuru

CyberGuru

CyberGuru is a service provided by CyberSecurity Malaysia specializing in cyber security professional training and development.

jobsDB.com

jobsDB.com

jobsDB Singapore is a search engine for jobs throughout Singapore.

DKBInnovative

DKBInnovative

DKBinnovative is a best-practice driven IT management firm that provides secure, reliable IT solutions to productivity-focused clients around the globe.

Sertainty

Sertainty

Sertainty enables developers to mix intelligence into data files for active risk mitigation and data control. Discover the impact of Data: Empowered.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

Nine23

Nine23

Nine23 are a highly focused cyber security solutions company that defines, builds and manages innovative services, enabling end-users to use technology securely in today’s workplace.

Nuts Technologies

Nuts Technologies

Nuts Technologies are simplifying data privacy and encryption with our innovative and novel data containers we call nuts based on our Zero Trust Data framework.

Splashtop

Splashtop

Splashtop’s cloud-based, secure, and easily managed remote access solution is increasingly replacing legacy approaches such as virtual private networks.

VMware

VMware

VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control.

PROVINTELL Cyber Security

PROVINTELL Cyber Security

PROVINTELL is a Managed Security Service Provider (MSSP) specialising in Next-Gen Cyber Defense and Response to detect and respond to threats.

Prikus Tech

Prikus Tech

Prikus is a full-fledged Cyber Security Company helping organizations worldwide to manage cyber risks. We offer Risk & Compliance Services, Security Testing & Managed Security Services.

BLOCX

BLOCX

BLOCX is designed to address the ever-growing challenges of managing and securing digital devices, from personal computers to corporate networks.