itechnewsonline.com

Securing the Modern Software Supply Chain

by ITECHNEWS
December 3, 2021
in Opinion

No chain is stronger than its weakest link, and this rule carries into software. The continually connected and updated nature of modern software has dramatically expanded its supply chain and, with it, potential security risks. The Sunburst hack is a glaring example of what that risk entails and how even the most sophisticated organizations are vulnerable when a software provider is attacked. One weak link in the software supply chain, and even the Pentagon can be hacked.

But software supply chain attacks didn’t begin with Sunburst – they’ve been around for a while. In 2017, MEDoc, a Ukrainian accounting software package, was hacked in a supply chain attack, and the malicious NotPetya code caused more than $10bn in damage, disrupting the operations of multinationals including FedEx, Maersk and Merck. In 2013, US retailer Target was attacked via its heating and ventilation supplier, with the hackers gaining access to 40 million debit and credit card accounts. In 2016, a Panama-based law firm was the victim of a supply chain attack that leaked 2.6 terabytes of sensitive client data.

The Mechanics of an Attack

The premise of a supply chain attack is simple. Malicious actors go after third-party software components that are created and maintained by individuals other than the primary software builder and that commonly live in a centralized registry. They exploit design flaws and weaknesses within these third-party components to introduce malicious code (either directly into the consumed source or indirectly through a dependency tree constraint), which gives them access to internal systems and end users. It’s not just centralized sources that are vulnerable: decentralized sources of third-party components can be attacked, too.

Software supply chain attacks are highly dangerous and highly effective. Just as attacking a public cloud gives malicious actors the potential to hit multiple organizations at once, targeting a software supply chain allows them to compromise a wide range of organizations in one hit.

Although these attacks are not a recent phenomenon, their risk is growing. That’s because, in trying to maintain a rapid development pace, software developers have increasingly shifted from coding functionality solely by themselves to assembling applications via a combination of proprietary and open-source code. Today’s code repositories are very different from the repositories of even a few years ago, commonly consisting of proprietary code and open source packages, containers, infrastructure as code and even build configurations. Each of these is a potential attack vector in the software supply chain.

How Developers Can Build in Resistance

The risk may be increasing, but developers can code in resistance to software supply chain attacks. 

The first step is to defend against dependency confusion attacks, in which malware is deployed within an organization’s network by overriding privately used packages with malicious public packages that use the same name. As part of the software supply chain, developers automatically pull open-source packages using package managers and build tools. If these are not configured to pull packages only from the private registry, packages with the same name can be pulled in from a public code repository instead.

This design flaw means all an attacker needs to do is scan an organization’s public repository for private package names and upload a malicious package with an identical name. Automated build processes will do the rest and pull in the malicious package instead of the intended, internally created one.

To protect against this, developers should be using scoped namespaces in their work. Scoped packages lock the namespace of the package and map it to a specific user or organization, preventing package substitution. Another tactic is to use repository-specific configuration that explicitly defines the upstream registry, giving package managers like pip and npm clear guidance so they don’t look up the public registry for a newer version of the package and accidentally pull in a malicious one.
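As an added illustration of the two tactics above (not code from the article or from Snyk), the following check reads a project’s package.json and .npmrc and reports internal dependencies that npm could still resolve from the public registry. The organisation scope, package names, and registry URL are constructed for the example.

```python
import json

# Constructed sample inputs (not from the article): an organisation that publishes
# internal packages to a private registry. Names and URL are hypothetical.
INTERNAL_PACKAGES = {"@acme/billing-core", "acme-legacy-utils"}
PRIVATE_REGISTRY = "https://npm.internal.example/"

PACKAGE_JSON = json.dumps({
    "name": "@acme/web-frontend",
    "dependencies": {
        "@acme/billing-core": "^2.1.0",
        "acme-legacy-utils": "^1.0.0",  # unscoped internal name: anyone can claim it publicly
        "express": "^4.18.2",
    },
})

# Weak .npmrc: no scope mapping, so npm resolves @acme/* through the public registry.
NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"

# Hardened .npmrc: the @acme scope is pinned to the private registry.
NPMRC_HARDENED = NPMRC_WEAK + f"@acme:registry={PRIVATE_REGISTRY}\n"


def parse_npmrc(text):
    """Return .npmrc key=value pairs, skipping blank lines and ';' or '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_dependency_confusion(package_json, npmrc, internal, private_registry):
    """List internal dependencies that npm could resolve from the public registry."""
    deps = json.loads(package_json).get("dependencies", {})
    conf = parse_npmrc(npmrc)
    findings = []
    for name in deps:
        if name not in internal:
            continue  # public package: out of scope for this check
        if not name.startswith("@"):
            findings.append(f"{name}: unscoped internal package, substitutable by a public upload")
            continue
        scope = name.split("/", 1)[0]
        if conf.get(f"{scope}:registry") != private_registry:
            findings.append(f"{name}: scope {scope} is not mapped to {private_registry} in .npmrc")
    return findings
```

Run against NPMRC_WEAK the audit flags both internal packages; against NPMRC_HARDENED only the unscoped legacy package remains, which is exactly the case that a registry mapping cannot fix and that needs renaming into the scope.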

Another step developers should take is disabling arbitrary install commands by open-source packages. By default, some package managers, like npm, allow any package that is being installed or uninstalled to execute arbitrary commands. This leaves organizations wide open to typosquatting attacks or hidden backdoor mechanisms.

The solution is to ensure packages are strictly vetted before installation and aren’t added blindly or via wildly insecure copy and paste. Developers should then add the --ignore-scripts command-line argument to the npm install command to disable the execution of arbitrary commands by packages. It is worth considering adding ignore-scripts to a .npmrc configuration file to disable arbitrary command execution across team projects.
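To make the vetting step concrete, here is an added example (not from the article or from Snyk) that enumerates the install-time lifecycle scripts declared by installed packages and checks whether the --ignore-scripts flag or an ignore-scripts=true line in .npmrc would stop them from running. The manifests, package names and commands are constructed sample data.

```python
import json

# Lifecycle hooks npm runs automatically during install or uninstall unless
# scripts are disabled with --ignore-scripts or ignore-scripts=true in .npmrc.
# (npm also defaults to "node-gyp rebuild" when a package ships binding.gyp and
# declares no install script; that implicit case is not modelled here.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                 "preuninstall", "uninstall", "postuninstall")

# Constructed manifests standing in for node_modules/<name>/package.json.
# Package names and commands are made up for the example.
INSTALLED_MANIFESTS = {
    "plain-lib": json.dumps({"name": "plain-lib", "version": "1.0.0",
                             "scripts": {"test": "jest"}}),
    "native-addon": json.dumps({"name": "native-addon", "version": "3.2.1",
                                "scripts": {"install": "node-gyp rebuild"}}),
    "helpful-utils": json.dumps({"name": "helpful-utils", "version": "0.0.7",
                                 "scripts": {"postinstall": "node ./setup.js",
                                             "test": "jest"}}),
}


def install_time_scripts(manifests):
    """Map package name -> {hook: command} for every hook npm would run at install."""
    report = {}
    for name, text in manifests.items():
        scripts = json.loads(text).get("scripts", {})
        hooks = {h: cmd for h, cmd in scripts.items() if h in INSTALL_HOOKS}
        if hooks:
            report[name] = hooks
    return report


def scripts_disabled(cli_args, npmrc_text):
    """True when either the CLI flag or the project .npmrc blocks lifecycle scripts."""
    if "--ignore-scripts" in cli_args:
        return True
    for line in npmrc_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def vetting_queue(manifests, cli_args, npmrc_text):
    """Packages whose install hooks would actually execute with the given settings."""
    if scripts_disabled(cli_args, npmrc_text):
        return {}
    return install_time_scripts(manifests)
```

The vetting queue is what a reviewer reads before choosing to run an install with scripts enabled; with the .npmrc setting in place the queue is empty because nothing would execute.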

Two-factor authentication (2FA) is also crucial. Although 2FA is a critical yet straightforward way to protect accounts that access registries and ecosystems, in January 2020 it was reported that fewer than 10% of developers on npmjs had 2FA enabled – despite this feature being available since the end of 2017. All developers must enable this feature because, in the open-source community, security extends beyond individual concerns and impacts others.

Collective safety concerns are also a vital issue when openly collaborating on and engaging with open-source software. These actions increase the risk of accidentally leaking or sharing confidential information that is then exposed to the public eye. To avoid this potential data exposure, developers should not be storing sensitive information in a repository, in config or code. They should also avoid publishing packages or Docker images with potentially sensitive information, which could end up in public registries. 

Software supply chains enable our current rapid development rate, but the speed they offer comes at a price. Third-party software components are attractive attack vectors for malicious actors and, without a careful protection plan, developers can leave their organizations incredibly vulnerable to attack. While the developers can’t stop people from hacking and exploiting their systems, they can stop them from finding success. By identifying and fixing supply chain weaknesses and practicing the highest levels of security hygiene, developers can protect themselves and the broader developer community.

Liran Tal, Director of Developer Advocacy, Snyk

© 2021 iTechNewsOnline.Com - Powered by BackUpDataSystems
