On August 12, software development company Sonatype announced the issuance of its sixth annual State of the Software Supply Chain Report. Key elements of the report included the following:
- Cyberattack Trends: In the past 12 months, the number of next-generation cyberattacks aimed at actively infiltrating open source increased 430 percent over the number in the preceding four years. In February 2015 to June 2019, 216 such attacks were recorded; from July 2019 to May 2020, an additional 929 attacks were recorded.
- Next-Generation Cyberattack Characteristics: The report stated that while legacy software supply chain exploits “prey on publicly disclosed open source vulnerabilities that are left unpatched in the wild,” next-generation software supply chain attacks “are far more sinister because bad actors are no longer waiting for public vulnerability disclosures” but “are taking the initiative and actively injecting malicious code into open source projects that feed the global supply chain.” As a result, this upstream focus allows bad actors to “infect a single component, which will then be distributed ‘downstream’ using legitimate software workflows and update mechanisms.”
- Open-Source Vulnerabilities: Next-generation cyberattacks are possible for three reasons: (1) Because open-source projects “rely on contributions from thousands of volunteer developers,” determining whether community members have good or malicious intent “is difficult, if not impossible”; (2) Open source projects ‘ typical incorporation of “hundreds — if not thousands — of dependencies from other open source projects, which may contain known vulnerabilities”; and (3) The “shared trust” ethos “creates a fertile environment whereby bad actors can prey upon good people with surprising ease.”
- Types of Next-Generation Cyberattacks: Typosquatting was the most common attack identified, and malicious code injection was identified as another common attack.
- Responses to Legacy Software Supply Chain Attacks: The report urged organizations to “establish a ‘rapid upgrade posture’ so they can respond quickly to new zero-day disclosures by finding and fixing vulnerable open source dependencies in production applications.” A 2020 Sonatype survey of 679 development professionals, however, found that only 17 percent of organizations “become aware of new open source vulnerabilities within a day of public disclosure,” 35 percent “find out within one to seven days,” and the remaining 48 percent “become aware of new vulnerabilities after a week’s time.” That survey also found that a majority of respondents (51 percent) “required more than a week to respond.”
The report also contained other findings, concerning the supply and demand for open source, that demonstrate the ubiquity and growth of open source use. It projects, for example, that one trillion JavaScript packages will be downloaded in 2020, with the 10.7 million JavaScript developers around the world downloading an average of 93,457 packages. It also provided extensive discussions of how to identify exemplary open source suppliers, how high-performance teams manage open source software supply chains, the trust and integrity of software supply chains, and the influences of social activism and government standards on open source software.
Note: For some time, the open source field has enjoyed a kind of “halo effect” because of its potential for lower hardware and software costs and its stability, flexibility, and security. The Sonatype report, however , provides a timely reminder that information-security teams need to anticipate both legacy and next-generation cyberattacks on open source software, and to be prepared to respond immediately – not in one or two days or a week – when they become aware of zero-day disclosures. Corporate information-security officers should therefore disseminate the report within their teams, and incorporate key findings into briefing and training materials for senior managers and executives.
Dipping Through Geometries 