Software supply chain attacks grew by more than 300% in 2021 compared to 2020, according to a study by Argon Security.
According to the study, researchers discovered attackers focused most heavily on open source vulnerabilities and poisoning, code integrity issues, and exploiting the software supply chain process and supplier trust to distribute malware or backdoors. They found that the level of security across software development environments remains low, and significantly, every company evaluated had vulnerabilities and misconfigurations that can expose them to supply chain attacks.
Findings were based on a six-month analysis of customer security assessments conducted by Argon’s researchers to determine the state of enterprise security and readiness to defend against software supply chain attacks.
“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing,” said Eran Orzel, Senior Director of Argon Customer Success and Sales. “Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks. Add to that the fact that to address this attack vector AppSec teams need cooperation from development and DevOps teams, and you can understand why this is a tough challenge to overcome.”
Three primary areas of risk
1. Vulnerable packages usage: Open source code is part of almost all commercial software. Many of the open source packages in use have existing vulnerabilities, and the process of upgrading to a more secure version requires effort from development and DevOps teams. It is not surprising that this is one of the fastest-growing methods of carrying out supply chain attacks. There are two common attacks that leverage vulnerable packages:
- Exploiting existing vulnerabilities — Exploiting packages’ existing vulnerabilities to obtain access to the application and execute the attack. (Example: the recent Log4j cyberattacks)
- Package poisoning — Planting malicious code in popular open source packages, and private packages to trick developers or automated pipeline tools into incorporating them as part of the application build process. (Example: the us-parser-js package poisoning)
2. Compromised pipeline tools: Attackers can take advantage of privileged access, misconfigurations, and vulnerabilities in the CI/CD pipeline infrastructure (e.g., source code management system, build agent, package registries and service dependencies), which provide access to critical IT infrastructure, development processes, source code and applications.
A compromised CI/CD pipeline can expose an application’s source code, which is the blueprint of the application, the development infrastructure and processes. It enables attackers to change code or inject malicious code during the build process and tamper with the application (e.g., SolarWinds).
This type of breach is hard to identify and can cause a lot of damage before it is detected and resolved. Attackers also use compromised package registries to upload compromised artifacts instead of legitimate ones. In addition, there are dozens of external dependencies connected to the pipeline that can be used to access it and launch attacks (e.g., Codecov).
3. Code/artifact integrity: One of the main risk areas identified in Argon’s research is the upload of bad code to source code repositories, which directly impacts the artifact quality and security posture. Common issues that were found in most customer environments were sensitive data in code (secrets), code quality and security issues, infrastructure as code issues, container image vulnerabilities and misconfigurations. In many cases the number of issues discovered were overwhelming and required dedicated cleanup projects to reduce exposure, such as secret cleaning, standardizing container image and others.
“The software supply chain process is a core component of the modern application development lifecycle. Leaving this wide attack vector open, threatens to severely lower companies’ application security posture, potentially exposing sensitive data and creating additional entry points into the application in runtime,” said Orzel. “In many cases, there is no visibility for security teams into this process until it is too late, as most companies do not have preventative capabilities within the CI/CD tools and processes.”
Protecting the software supply chain
To combat the problem, security teams need to bolster collaboration with DevOps teams and implement automation of security within development processes. Organizations should adopt new security solutions that are designed to secure the software development process against this new wave of sophisticated attacks.