Kiuwan logo

Do Open-Source Dependencies Cause Supply Chain Attacks?

Supply chain attacks graphic

If an organization uses open-source software (OSS) dependencies, it should be on red alert for supply chain attacks. Cyber threat actors have recently become more skilled at attacking open-source code and software. In 2021, 64% of organizations experienced software supply chain attacks, and approximately 70% lacked the right policies for using open source. The experts predict that software supply chain attacks will only grow in 2022. Businesses adopting hybrid work and cloud technologies will become easy targets. 

Although OSS provides many advantages, such as affordability and flexibility, the programs and their components can introduce security risks and vulnerabilities to a company. However, avoiding OSS is not a practical solution since open source software and dependencies now form the backbone of many tasks. For instance, an OSS is one of the most popular NoSQL databases on the internet, MongoDB. Many developers use MongoDB to store, retrieve, and manage data when creating applications and software. 

Since organizations cannot afford to avoid using OSS, cybersecurity teams need to implement an effective open-source management strategy to dodge and mitigate associated risks and vulnerabilities. Read on to learn how to do this.

How to Avoid and Mitigate Risks Associated With OSS Dependencies

Most companies have invested in cybersecurity products such as antivirus, user behavioral analytics tools, firewalls, and SIEMs. However, many of them have not adopted open source management strategies that will help them test the effectiveness of these tools. As such, they remain vulnerable to open source software dependency risks, even if they have “next-gen” cybersecurity tools.

Organizations must implement advanced security approaches to their open-source management strategy to protect themselves from risks. These approaches prevent threat actors from attacking a company’s systems and help the organization analyze, detect, and respond to threat actors’ actions. Here’s what businesses can do:

Use Trusted OSS Dependencies 

The advantages of the OSS lie in many free modules and dependencies. While many of these are worthwhile additions, some may contain malicious code and vulnerabilities that threat actors can use to hack IT systems. Accordingly, companies need to be careful when installing and using OSS dependencies. They should only choose the modules and dependencies that are:

  1. Not misspelled: There is a type of attack called type-squatting, in which threat actors misspell popular dependencies with malicious code. Once downloaded, these dependencies will be gateways for hackers to access, delete, and modify data.
  2. Well-documented and maintained: Teams should only choose dependencies and modules with ample documentation and regularly maintained patches. Documentation and updates ensure that vulnerabilities will be addressed and patched. They also reduce the risk of a threat actor adding malicious code.

Perform Red Team Tests to Evaluate Risks to the Supply Chain

Many organizations have adopted adversary simulation engagements to anticipate and mitigate the impact of supply chain attacks on open source software dependencies. In these tests, a “red” team uses the techniques, tactics, and procedures that threat actors use to sabotage a supply chain. The stand-in for the organization’s cybersecurity team (the “blue” team) then responds to their attacks.

This approach allows the organization’s cybersecurity team to learn more about attacks. From there, they can create detailed processes for responding to attacks effectively. To get the most out of these simulations, organizations should look for an experienced partner to help them conduct attack tests. The partner should be able to provide detailed feedback about their team’s performance and aid businesses in upgrading tools and processes as needed.

Companies adopting this approach must train their cybersecurity team to understand how to use all their cybersecurity tools to prevent and mitigate attacks. Specifically, they should focus on:

  • How threat actors’ attacks work step-by-step
  • The gaps in their organization’s security stack and incident response playbooks
  • The unpredictability of an advanced threat actor using new techniques and tools or exploiting unpatched software and zero-day vulnerabilities
  • How to use their organization’s complete security stack against threat actors’ attack paths

Reduce Dependency Confusion

Organizations that use third-party code and internal libraries in their apps are at risk of dependency confusion attacks. Also known as supply chain substitution attacks, happen when a software installer script gets tricked into accessing a malicious code file from a public or external library instead of the intended file of the same name from an internal library.

Microsoft’s whitepaper has listed three ways to mitigate the risk of dependency confusion attacks:

  1. Control the scope. If the package installer supports scope control, the organization can prevent it from retrieving internal packages from public repositories. 
  2. Use a single private package feed. Cybersecurity teams should pull dependent public packages into their repository to keep them under control. However, this means they must manually update the public package versions.
  3. Implement client-side verification. Integrity verification in the package manager will stop the build if anomalies or unexpected changes in the dependent files are detected.

Scan Oss for Known Vulnerabilities

Finally, companies should use scanning software to defend themselves from open-source software vulnerabilities. These programs search through a package’s OSS modules and dependencies and compare them to other versions and packages to see if an organization’s application has vulnerabilities. Some programs, like Kiuwan Insights Open Source (SCA), also automate code management so development teams can feel confident about using open source code.

Experience the Kiuwan Insights Open Source 

Remediating open-source software dependencies can be challenging, especially if a company is new to open-source management. Fortunately, Kiuwan Insights Open Source (SCA) offers a tangible approach for remediating open-source resource vulnerabilities. 

Kiuwan Insights Open Source is a DevSecOps-friendly software composition analysis program that helps organizations reduce risk from third-party components, ensure code security, remediate vulnerabilities, and automate policies throughout the Software Development Life Cycle (SDLC). It also helps companies:

  • Generate an accurate and complete list of all open-source and third-party components and modules in applications and builds.
  • Avoid obsolescence by managing their libraries, checking for updates, identifying security issues, and tracking versions.
  • Detect threats by investigating each open source component’s security risks.

Get a free demo today to learn more about how Kiuwan Insights Open Source can make a difference in your business operations. 

In This Article:

Request Your Free Kiuwan Demo Today!

Request a Demo

Get Your FREE Demo of Kiuwan Application Security Today!

Identify and remediate vulnerabilities with fast and efficient scanning and reporting. We are compliant with all security standards and offer tailored packages to mitigate your cyber risk within the SDLC.
FREE DEMO

Related Posts

Empower Your DevSecOps With Kiuwan

Subscribe to our Newsletter!
Products
SAST SCA Add-Ons
Resources
Blog Webinars eBooks Product Documentation Videos Partner Program
About Us
About Kiuwan Success Stories Contact Us Support Legal Privacy Policy
Kiuwan-Supply-Chain-Attachs-By-OOS
© 2025 Kiuwan. All Rights Reserved.