Are Supply Chain Attacks Caused by Open Source Software (OSS) Dependencies?

March 28, 2022

WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

An organization that consumes open source software (OSS) dependencies should treat supply chain attacks as a standing risk rather than a remote one. Threat actors have become markedly more skilled at targeting open source code and the registries and build tooling that distribute it. In 2021, 64% of organizations reportedly experienced a software supply chain attack, and roughly 70% lacked adequate policies for using open source; the same sources expect the number of attacks to keep rising in 2022. As businesses continue to adopt hybrid work and cloud services, their dependency footprint grows, and with it the attack surface.

OSS brings real advantages, above all cost and flexibility, but the programs and their components can also introduce vulnerabilities into a company's systems. Avoiding OSS is not a practical answer, because open source software and its dependencies now underpin most development work. MongoDB, one of the most widely used NoSQL databases, is a good example: many developers rely on it to store, retrieve and manage data while building applications. (Its Community Server has been distributed under the source-available SSPL since 2018, which is free to use but is not an OSI-approved open source license, a distinction that matters when a license policy is written.)

Since organizations cannot afford to avoid OSS, security teams need to identify and mitigate the risks that come with it through an effective open source management strategy. The rest of this article describes what that strategy should contain.


How to Avoid and Mitigate Risks Associated With OSS Dependencies

Most companies have invested in security products such as antivirus, user behaviour analytics, firewalls and SIEMs. Those tools watch hosts and networks; none of them knows which third-party packages a build pulls in, or whether those packages are what the developers think they are. Without an open source management strategy that covers the dependency graph itself, an organization remains exposed to dependency-borne risk however "next-gen" its detection stack is.

Organizations should build controls into their open source management strategy that do more than block attacks at the perimeter: they should also make it possible to analyze what entered a build, detect a malicious or vulnerable component, and respond when one is found. Here is what businesses can do:

Use Trusted OSS Dependencies 

The attraction of OSS is the vast pool of free modules and dependencies. Most are worthwhile, but some carry vulnerabilities or deliberately malicious code that threat actors use to gain a foothold in IT systems. Companies therefore need to be deliberate about which dependencies they install. They should only choose modules and dependencies that are:

  1. Spelled exactly as intended: in a typosquatting attack, threat actors publish a malicious package under a name one or two keystrokes away from a popular one (a dropped letter, transposed characters, or a hyphen in place of an underscore). Once installed, the package runs with the developer's or build's privileges and can read, modify or delete data and credentials.
  2. Well documented and actively maintained: prefer dependencies with ample documentation, a visible release history and timely patches. Active maintenance means vulnerabilities get fixed and published, and a responsive maintainer is less likely to let a malicious change slip through, although it does not rule out a compromised maintainer account.
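The typosquatting check described in the first point can be automated in a pre-install or CI step. The script below is an added example, not Kiuwan's code and not any registry's own logic; it assumes a hypothetical allow-list of the popular packages an organization depends on and flags any requested name that is not on the list but sits within a small edit distance of a listed name. The package names and the requirements lines are constructed sample data.

```python
"""Typosquat check for dependency names.

Added example; this is not Kiuwan's code. It assumes (hypothetically) that
the organisation keeps an allow-list of the popular packages it depends on,
and flags any requested name that is not on the list but is within a small
edit distance of a listed name.
"""
import re

# Constructed allow-list of well-known package names (sample data only).
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "lodash", "express", "django"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Fold case and the '-', '_' and '.' separators, which registries treat
    as equivalent (PEP 503 style) and which squatters swap to mimic a name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(name, known=POPULAR_PACKAGES, max_distance=2):
    """Known names that `name` is suspiciously close to, closest first.
    An exact (normalised) match is not suspicious. Names of four characters
    or fewer are only compared at distance 1 to limit false positives."""
    n = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if n in known_norm:
        return []
    limit = 1 if len(n) <= 4 else max_distance
    hits = [(levenshtein(n, kn), orig) for kn, orig in known_norm.items()]
    return [orig for d, orig in sorted(hits) if d <= limit]


def audit_requirements(lines):
    """Scan requirement lines such as 'requets==2.28.1' and return a map of
    suspicious requested name -> list of popular names it resembles."""
    findings = {}
    for line in lines:
        spec = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
        if not m:
            continue
        close = typosquat_candidates(m.group(1))
        if close:
            findings[m.group(1)] = close
    return findings


# Constructed requirements file used as sample input.
SAMPLE_REQUIREMENTS = [
    "requests==2.28.1",  # legitimate
    "requets==2.28.1",   # one character short of 'requests'
    "urlib3>=1.26",      # one character short of 'urllib3'
    "numpy==1.23.0",     # legitimate
    "flask==2.2.0",      # not on the allow-list, but not near anything either
]

if __name__ == "__main__":
    for name, close in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"SUSPICIOUS {name!r}: did you mean {close}?")
```

Run against the sample input it reports `requets` and `urlib3` and stays silent on `flask`, which is unknown but not a near-miss. The distance threshold is the tuning knob: distance 2 catches most real squats against long names, while the stricter limit for short names keeps legitimate two- and three-letter packages from drowning the report in false positives.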

Perform Red Team Tests to Evaluate Risks to the Supply Chain

Many organizations now run adversary simulation engagements to anticipate and limit the impact of supply chain attacks on their OSS dependencies. In these exercises a "red" team uses the tactics, techniques and procedures (TTPs) that real threat actors use to compromise a supply chain, and the organization's own defenders (the "blue" team) detect and respond to the attack.

The exercise shows the defenders how such attacks actually unfold, and from there they can write detailed, tested procedures for responding to them. To get the most out of it, organizations should engage an experienced partner to run the attack side. The partner should provide detailed feedback on the blue team's performance and help the business upgrade tools and processes wherever the exercise exposed a gap.

If a company adopts this approach, it also needs to train its security team to use the full toolset at its disposal to prevent and contain attacks. The training should cover:

  • How threat actors’ attacks work step-by-step
  • The gaps in their organization’s security stack and incident response playbooks
  • The unpredictability of an advanced threat actor who brings new tooling and techniques, exploits unpatched software, or uses a zero-day vulnerability
  • How to use their organization’s complete security stack against threat actors’ attack paths

Reduce Dependency Confusion

Organizations that combine third-party code with internal libraries in their applications are exposed to dependency confusion attacks, also known as substitution attacks. These happen when a package manager configured to search both a public registry and an internal feed is tricked into fetching a package from the public registry instead of the intended internal package of the same name. Typically the attacker has published that name on the public registry with a higher version number, and the resolver simply prefers the highest version it can find.

Microsoft's whitepaper on the subject lists three ways to mitigate the risk of dependency confusion attacks:

  1. Control the scope. If the package manager supports scopes, namespaces or prefixes, bind the organization's own namespace to the internal feed so the installer never looks for internal package names on a public registry.
  2. Use a single private feed. Configure the installer against one private feed that serves the internal packages and proxies or mirrors the public packages the organization has approved, rather than listing the public registry as a second source. The trade-off is that someone has to decide which upstream versions enter the feed and keep them current.
  3. Implement client-side verification. Use the package manager's version pinning and integrity checks (a lockfile with recorded hashes) so the build stops if a dependency resolves to an unexpected version or its contents no longer match the recorded digest.
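The following script puts the attack and the three mitigations side by side. It is an added example, not Kiuwan's code and not any real package manager's resolution algorithm; it assumes two hypothetical feeds modelled as `{name: {version: artifact bytes}}`, an internal namespace prefix `acme-`, and a lockfile of `{name: (pinned version, sha256 of the expected artifact)}`. The artifacts, feeds and lockfile are constructed sample data.

```python
"""Dependency confusion: a vulnerable resolver beside a hardened one.

Added example; this is not Kiuwan's code and not any real package manager's
algorithm. It assumes (hypothetically) two feeds modelled as
{name: {version: artifact bytes}}, an internal namespace prefix 'acme-',
and a lockfile of {name: (pinned version, sha256 of the expected artifact)}.
"""
import hashlib


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed artifacts standing in for package tarballs.
INTERNAL_AUTH = b"acme-auth 1.4.0: internal login helper"
PUBLIC_REQUESTS = b"requests 2.28.1: upstream HTTP library"
ATTACKER_AUTH = b"acme-auth 99.0.0: runs attacker code on install"

# The two feeds the installer is configured with.
FEEDS = {
    "internal": {"acme-auth": {"1.4.0": INTERNAL_AUTH}},
    "public": {
        "requests": {"2.28.1": PUBLIC_REQUESTS},
        # Same name as the internal package, absurdly high version: the bait.
        "acme-auth": {"99.0.0": ATTACKER_AUTH},
    },
}

# Constructed lockfile produced by a previous, reviewed resolution.
LOCKFILE = {
    "acme-auth": ("1.4.0", sha256(INTERNAL_AUTH)),
    "requests": ("2.28.1", sha256(PUBLIC_REQUESTS)),
}

INTERNAL_PREFIX = "acme-"


def version_key(v: str):
    return tuple(int(p) for p in v.split("."))


class IntegrityError(Exception):
    """Raised when a locked dependency does not match what the feed serves."""


def naive_resolve(name, feeds=FEEDS):
    """Vulnerable: consult every feed and take the highest version found
    anywhere. Returns (feed, version, artifact)."""
    best = None
    for feed_name, feed in feeds.items():
        for ver, blob in feed.get(name, {}).items():
            if best is None or version_key(ver) > version_key(best[1]):
                best = (feed_name, ver, blob)
    if best is None:
        raise LookupError(f"{name} not found in any feed")
    return best


def hardened_resolve(name, feeds=FEEDS, lock=LOCKFILE, prefix=INTERNAL_PREFIX):
    """The three mitigations from the text:
    1. scope control: a name in the internal namespace is looked up only in
       the internal feed, never on a public registry;
    2. a single feed per name: the resolver never unions feeds, so a public
       copy can never outbid the private one on version number;
    3. client-side verification: a locked name must resolve to its pinned
       version and the artifact must hash to the pinned digest, or the build stops.
    Returns (feed, version, artifact)."""
    feed_name = "internal" if name.startswith(prefix) else "public"
    versions = feeds[feed_name].get(name, {})
    if not versions:
        raise LookupError(f"{name} not found in feed {feed_name!r}")
    if name in lock:
        pinned_ver, pinned_sha = lock[name]
        blob = versions.get(pinned_ver)
        if blob is None:
            raise IntegrityError(f"{name}: pinned {pinned_ver} missing from {feed_name!r}")
        if sha256(blob) != pinned_sha:
            raise IntegrityError(f"{name}=={pinned_ver}: artifact hash mismatch")
        return feed_name, pinned_ver, blob
    ver = max(versions, key=version_key)   # unlocked name: newest in its one feed
    return feed_name, ver, versions[ver]


def verify_build(feeds=FEEDS, lock=LOCKFILE):
    """Resolve every locked dependency the hardened way. Returns
    (ok, problems) instead of raising so a CI step can report all failures."""
    problems = []
    for name in lock:
        try:
            hardened_resolve(name, feeds, lock)
        except (IntegrityError, LookupError) as exc:
            problems.append(str(exc))
    return not problems, problems


# Constructed scenario: the internal feed has been tampered with, so 1.4.0 no
# longer matches the digest recorded in the lockfile.
TAMPERED_FEEDS = {
    "internal": {"acme-auth": {"1.4.0": b"acme-auth 1.4.0: backdoored rebuild"}},
    "public": FEEDS["public"],
}

if __name__ == "__main__":
    print("naive   :", naive_resolve("acme-auth")[:2])     # ('public', '99.0.0')
    print("hardened:", hardened_resolve("acme-auth")[:2])  # ('internal', '1.4.0')
    print("tampered:", verify_build(TAMPERED_FEEDS))
```

The naive resolver hands the build the attacker's 99.0.0 because it merges both feeds and sorts by version; the hardened one never consults the public feed for an `acme-` name, and even a compromise of the internal feed is caught by the lockfile hash. The real-world knobs map onto the same three points: in npm, a line such as `@acme:registry=https://npm.internal.example/` in `.npmrc` (hypothetical URL) binds a scope to the private feed; for pip, a single `--index-url` pointing at the curated feed with no `--extra-index-url` gives one feed, and `pip install --require-hashes -r requirements.txt` enforces client-side verification.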

Scan OSS for Known Vulnerabilities

Finally, companies should defend against known vulnerabilities in their open source dependencies with software composition analysis (SCA) tooling. An SCA scanner inventories the OSS modules and dependencies in a package or build and matches each component and version against public vulnerability records such as the CVE/NVD databases, reporting which parts of the application are affected. Some products, such as Kiuwan Insights Open Source (SCA), also automate the policy side of open source management so development teams can use open source code with confidence.

Experience the Kiuwan Insights Open Source 

Remediating vulnerable open source dependencies can be challenging, especially for a company that is new to open source management. Kiuwan Insights Open Source (SCA) offers a concrete approach to finding and remediating vulnerabilities in open source components.

Kiuwan Insights Open Source is a DevSecOps-friendly software composition analysis program that helps organizations reduce risk from third-party components, ensure code security, remediate vulnerabilities, and automate policies throughout the Software Development Life Cycle (SDLC). It also helps companies:

  • Generate an accurate and complete list of all open-source and third-party components and modules in applications and builds.
  • Avoid obsolescence by managing their libraries, checking for updates, identifying security issues, and tracking versions.
  • Detect threats by investigating each open source component’s security risks.

Get a free demo today to learn more about how Kiuwan Insights Open Source can make a difference in your business operations. 

Would you like to know more about implementing a secure application development solution in your company? Get in touch with the Kiuwan team! We love to talk about security.