2021 can be described as the year of the software supply chain attack – the year in which SolarWinds opened the world’s eyes, and the extent of the threat became apparent.
Apart from SolarWinds, other major attacks included Kaseya, Codecov, ua-parser-js and Log4j. In each case, the attraction for the attacker is that a single breach, compromise or vulnerability in distributed code can lead to many victims – even thousands.
Following a six-month analysis of customer security assessments conducted by Argon (an Aqua Security company), the 2021 Software Supply Chain Security Report highlights the primary areas of criminal focus: open-source vulnerabilities and poisoning; code integrity issues; and exploiting the software supply chain process and supplier trust to distribute malware or backdoors.
The common factor is open-source software – a source of code that is often inherently trusted and used automatically by in-house system developers.
“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing,” comments Eran Orzel, a senior director at Argon. “Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks. Add to that the fact that to address this attack vector AppSec teams need cooperation from development and DevOps teams, and you can understand why this is a tough challenge to overcome.”
Argon’s analysis highlights three primary problem areas: vulnerabilities in open-source applications, compromised pipeline tools, and code/artifact integrity.
Attacks on vulnerable applications in the supply chain fall into two areas: exploiting vulnerabilities in applications that are already widely distributed and installed, and poisoning packages at source before they are downloaded. A 2021 example of the former is the Log4j attacks, while an example of the latter is the ua-parser-js package poisoning.
The second attack vector is compromised pipeline tools. “It enables attackers to change code or inject malicious code during the build process and tamper with the application (as was the case of SolarWinds),” says the report (PDF). “Attackers also use compromised package registries to upload compromised artifacts instead of legitimate ones. In addition, there are dozens of external dependencies connected to the pipeline that can be used to access it and launch attacks,” such as the Codecov attack.
The third risk area identified by the researchers is the upload of bad code to source code repositories. This impacts the artifact quality and security posture. In its research, the report notes, “In many cases, the number of issues discovered was overwhelming and required dedicated cleanup projects to reduce exposure, such as secret cleaning, standardizing container images, and other activities.”
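The artifact-substitution and unpinned-release risks described in the pipeline and integrity sections above, as an added example that is not from the report or the article: a minimal lockfile check that rejects a dependency whose served bytes differ from the reviewed pin, or whose version was never pinned. Package names and contents are constructed for illustration.

```python
import hashlib

# Constructed sample: the artifacts a build expects, keyed "name@version".
# Hypothetical package names; the bytes stand in for real tarballs.
GOOD_ARTIFACTS = {
    "example-parser@1.2.3": b"module.exports = function parse(ua) { return {}; };\n",
    "example-pad@0.1.0": b"module.exports = function pad(s, n) { return s; };\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lockfile(artifacts: dict) -> dict:
    """Pin each known-good artifact to the SHA-256 of its exact bytes.
    Generated once from a reviewed dependency set and committed with the code."""
    return {key: sha256_hex(data) for key, data in artifacts.items()}


def verify_fetched(lockfile: dict, fetched: dict) -> dict:
    """Check what the registry served on this build against the lockfile.
    Returns {'name@version': reason} for every artifact that must not be used."""
    problems = {}
    for key, data in fetched.items():
        expected = lockfile.get(key)
        if expected is None:
            # A version the lockfile never approved, e.g. a release pushed from a
            # hijacked maintainer account that a floating version range would pull in.
            problems[key] = "not pinned in lockfile"
        elif sha256_hex(data) != expected:
            # Same name and version, different bytes: the registry served a
            # substituted artifact.
            problems[key] = "hash mismatch"
    for key in lockfile:
        if key not in fetched:
            problems[key] = "pinned but not fetched"
    return problems


if __name__ == "__main__":
    lock = build_lockfile(GOOD_ARTIFACTS)
    # Simulate a registry that substitutes one artifact and serves an unpinned release.
    served = dict(GOOD_ARTIFACTS)
    served["example-pad@0.1.0"] = b"// tampered contents\n"
    served["example-parser@1.2.4"] = b"// unreviewed new release\n"
    for key, reason in sorted(verify_fetched(lock, served).items()):
        print(f"REJECT {key}: {reason}")
```

The same check belongs in the build step that installs dependencies, so a substituted or unapproved artifact fails the build instead of being packaged.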
Overall, Argon believes that the number of software supply chain attacks tripled in 2021 compared to 2020. This has not gone unrecognized. The May 2021 Biden executive order includes supply chain attacks as an area of concern. More recently, on January 13, 2022, a White House summit involving representatives of the U.S. government and major tech companies discussed open source software security.
The success of open-source software supply chain attacks in 2021 makes it almost certain that it will remain an important part of criminal activity – for both criminal gangs and nation-state actors – throughout 2022. “We should expect this trend to accelerate in the frequency and sophistication of supply chain attacks,” warns the report.
Argon recommends that security teams and DevSecOps practitioners work together to define and execute a new security strategy and initiatives that account for the risks inherent in the software supply chain. “They must bolster the security of their development environments to better protect their application infrastructure, processes, and deployed software to be ready for the next wave of these advanced attacks,” it says.