Checkmarx published an inaugural monthly report this week that finds 56% of the attacks against software supply chains that it analyzed resulted in the theft of credentials and confidential data.
More than a quarter of attacks (28%) employed some form of dependency confusion and typosquatting to mislead developers, while 16% of attacks involved malware and backdoor injections.
Jossef Harush Kadouri, head of software supply chain security for Checkmarx, said while there’s not yet any previous data to compare, it’s apparent cybercriminals are actively exploiting weaknesses in software supply chains in the hopes of compromising downstream applications.
Sadly, far too many organizations that build software have yet to adopt DevSecOps best practices to better detect these attacks. While there are some instances of sophisticated attacks against software supply chains that involve dropping and adding scripts and components to software, most of the tactics and techniques being used by cybercriminals, such as typosquatting, are well understood, said Harush Kadouri.
Unfortunately, many organizations still don’t vet the code being downloaded from, for example, an open source software repository. Cybercriminals create fake repositories loaded with malware whose names are deliberately misspelled, because they know some developers won’t look closely enough at the URL directing them to that repository, noted Harush Kadouri.
Because that repository was located on an otherwise legitimate platform, there’s an assumption it’s safe to download components, added Harush Kadouri.
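One defensive check for the typosquatting pattern described above is to compare every requested dependency name against an organization's vetted allowlist and flag names that are a few edits away from a known package. The code below is an added example, not from the Checkmarx report or the article; the allowlist and the manifest it scans are constructed for illustration.

```python
"""Flag dependency names that look like typosquats of known packages (added example)."""
import re
from typing import Dict, List

# Constructed allowlist standing in for packages the organization has actually vetted.
KNOWN_PACKAGES = ["requests", "urllib3", "numpy", "cryptography", "pyyaml"]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition ("reqeusts" vs "requests") counts as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """PEP 503-style normalisation: case-fold and treat '-', '_' and '.' as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def suspicious_dependencies(requested: List[str], known: List[str] = KNOWN_PACKAGES,
                            max_dist: int = 2) -> Dict[str, str]:
    """Return {requested_name: closest_known_name} for names that are NOT on the allowlist
    but sit within max_dist edits of one. Exact allowlist matches are trusted; names far
    from every known package are left for ordinary manual review rather than flagged."""
    known_norm = {normalize(k): k for k in known}
    flagged: Dict[str, str] = {}
    for dep in requested:
        n = normalize(dep)
        if n in known_norm:
            continue
        best = min(known_norm, key=lambda k: edit_distance(n, k))
        if edit_distance(n, best) <= max_dist:
            flagged[dep] = known_norm[best]
    return flagged


if __name__ == "__main__":
    # Constructed manifest: one exact dependency, two lookalikes, one unrelated name.
    manifest = ["requests", "reqeusts", "urlib3", "leftpad"]
    for bad, real in suspicious_dependencies(manifest).items():
        print(f"{bad!r} looks like a misspelling of {real!r}; verify before installing")
```

In a pipeline this runs against the lockfile before `pip install`, blocking the build on any flagged name so a human confirms the intended package.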
It’s not clear how widely compromised software supply chains are, but given the volume of stolen developer and administrator credentials, cybersecurity teams should assume they are compromised. The core issue is that far too many developers are more concerned about the velocity at which applications are built than about whether those applications have known vulnerabilities or whether malware was injected without their knowledge.
The challenge is making sure developers are aware of the issue and using the tools provided to discover those issues as applications are built and deployed, said Harush Kadouri.
Of course, many developers would prefer it if those tasks were performed on their behalf by someone else. Many lack any meaningful cybersecurity expertise and complain that the cognitive load of building applications is already too high. Being responsible for application security only slows down the rate at which application code is written, at a time when the application development backlog only continues to grow. To address that issue, organizations need to define a set of DevSecOps best practices that minimize disruption to application development workflows as much as possible.
One way or another, it’s only a matter of time before more stringent regulations force the issue. The Biden administration has already issued an executive order requiring federal agencies to lock down software supply chains. That order provides a foundation that inevitably will be applied across a wider range of regulations.
Hopefully, cybersecurity teams will be working more closely with application development teams to improve software supply chain security before any mandates make it a requirement. In the meantime, however, every insecure application that winds up being deployed in a production environment only serves to increase the probability of a major crisis that, in most cases, was probably avoidable.