A report sponsored by DevOps company JFrog suggests that executives overestimate the extent to which developers within their organization defend against vulnerable or malicious packages in the software supply chain.
According to a new global survey of both executives and developers, 92 percent of executives believe there are solutions in place to detect malware in open-source packages, but only 70 percent of developers agree.
JFrog advocates the use of AI/ML (artificial intelligence and machine learning) tools in security scanning and remediation, and here again there is a disconnect, with 88 percent of executives believing this is in place, but only 60 percent of developers.
The software supply chain refers to all the code and tools used to produce or update software, including not only application development but also third-party tools. Security is difficult to manage, in part because of a lack of visibility. When a serious and easily exploited vulnerability was discovered in the Log4j open source library, it affected not only developers but also other applications that used the library, and discovering which ones did was not trivial.
Another common attack is via package registries such as npm, PyPI, Maven and NuGet. Developers may unknowingly install a compromised package by grabbing another package for which it is a dependency, or by mistyping the name of a well-known package and getting a similarly named, compromised variant instead.
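One defender-side check for the lookalike-name risk just described, written here as an added example and not code from the JFrog report or this article: it normalizes package names the way PyPI does (PEP 503) and flags any requested name that is not on an allowlist of well-known packages but lies within two edits of one. The allowlist and the requirements text are constructed for illustration.

```python
import re
# Added example; the allowlist and requirements text are constructed for illustration.
POPULAR_PACKAGES = {"requests", "numpy", "urllib3", "cryptography", "boto3", "colorama"}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):   # skip blanks and options such as -r
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def find_lookalikes(names, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (requested, resembles) pairs for names off the allowlist but within max_distance edits of one."""
    known = sorted(normalize(p) for p in popular)
    hits = []
    for raw in names:
        n = normalize(raw)
        if n in known:
            continue  # the well-known package itself, not a lookalike
        close = [p for p in known if edit_distance(n, p) <= max_distance]
        if close:
            hits.append((raw, close[0]))
    return hits

# Constructed sample input: two lookalike names among legitimate ones.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts          # two letters transposed in a well-known name
urlib3>=1.26      # one letter dropped
python-dateutil
"""
```

Edit distance alone produces false positives for legitimately short or similar names, so in practice a hit should be a prompt to check registry metadata (package age, download counts, provenance) rather than an automatic block.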
The package registries have tightened security in response. For example, since January this year, PyPI requires 2FA (two-factor authentication) for all users. Npm requires 2FA for high-impact packages, defined as those with more than 1 million weekly downloads or more than 500 dependents, and has introduced publishing with provenance, where a package has a verified link to its source code, though this “does not guarantee the package has no malicious code.”
Despite these efforts, malicious packages continue to be published. JFrog's research team publishes a list of those it has identified, showing that PyPI remains a common source, though most have few downloads.
Another means of attack is where a malicious actor gains trust within a particular project, perhaps with initially helpful contributions, and then goes on to insert malware. This happened with the xz library on Linux and the committer “Jia Tan”. The compromised component made it all the way into development versions of Debian, Fedora Rawhide, Kali Linux, and openSUSE Tumbleweed before being detected by a developer, Andres Freund, who noticed performance issues with ssh (secure shell) and traced them to a backdoor in xz.
JFrog claims that use of many programming languages “increases attack surfaces and makes protection more challenging.” According to the report, more than half of respondents use more than four languages and a third use more than 10. That is unlikely to change, though, since different languages are optimal for different tasks.