Dependency Combobulator: Open source toolkit to combat dependency confusion attacks

Apiiro released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks.

Dependency Combobulator

The toolkit, available on GitHub, allows organizations to safeguard against this newly uncovered type of risk, which has been on the rise this year as a key vector in supply chain attacks targeting dependencies within software packages.

Dependency confusion compromises the open source software ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.

Dependency Combobulator enables you to analyze and automate release workflows that can be evaluated against different sources such as GitHub Packages and can be extended to consider additional registries such as JFrog Artifactory.

The toolkit is a Python-based toolkit that supports both the npm and maven package management schemes out-of-the-box, as well as enabling extension into other package management systems. It provides extensibility that enables organizations to adapt to new types of dependency attacks.

It uses a heuristic engine that works on an abstract package model, providing easy extensibility that enables additional insights on individual packages. This depth and flexibility leads to improved decision-making by Application Security practitioners and penetration testers.

Dependency Combobulator is pluggable and can be baked into an enterprise’s application security program and release cycle in an automated way. It can be plugged into several interaction junctions within an enterprise software development lifecycle, providing actionable insights to fit multiple use-cases, and expandable to support additional ones as dependency attacks evolve.

“In the wake of security researcher Alex Birsan’s move to compromise ecosystems maintained by Apple, Microsoft and PayPal earlier this year, the industry experienced an outbreak of similar supply chain attacks,” said Moshe Zioni, VP of Security Research at Apiiro. “We were eager to respond by creating a toolkit that can mitigate similar threats and be flexible and extensible enough to combat future waves of dependency confusion attacks. Addressing this attack vector is essential for organizations to successfully secure their software supply chains.”

Don't miss