{"id":32238,"date":"2022-12-05T11:51:48","date_gmt":"2022-12-05T16:51:48","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=517007"},"modified":"2022-12-07T10:31:01","modified_gmt":"2022-12-07T15:31:01","slug":"software-supply-chain-attacks-will-increase-in-2023-report","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/software-supply-chain-attacks-will-increase-in-2023-report\/","title":{"rendered":"Software supply chain attacks will increase in 2023: Report"},"content":{"rendered":"<p data-ar-index=\"0\">Attacks on open-source and commercial software will continue to rise in 2023, says a new security vendor report on the software supply chain.<\/p>\n<p data-ar-index=\"1\">However, the authors of the report also believe that the increased security measures developers are taking \u2014 particularly on open source platforms like GitHub, NPM, RubyGems and PyPI \u2014 may slow that growth.<\/p>\n<p data-ar-index=\"2\">The conclusion comes in a report on the state of supply chain security <a href=\"https:\/\/www.reversinglabs.com\/reports\/the-state-of-software-supply-chain-security\" rel=\"noopener\">issued Monday by ReversingLabs<\/a> (registration required).<\/p>\n<p data-ar-index=\"3\">To bridge the gaps in both the monitoring and detection of supply chain threats and attacks, software developers must scrutinize open-source risks and better co-ordinate work between development teams and security operations centers (SOCs), the report says.<\/p>\n<p data-ar-index=\"4\">\u201cAlmost two years after word of the SolarWinds hack first spread, software supply chain<br \/>\nattacks have shown no sign of abating,\u201d the authors note.<\/p>\n<p data-ar-index=\"5\">\u201cIn the commercial sector, attacks that leverage malicious open-source modules continue<br \/>\nto multiply. 
Enterprises saw an exponential increase in supply chain attacks since 2020,<br \/>\nand a slower, but still steady rise in 2022.<\/p>\n<p data-ar-index=\"6\">\u201cThe popular open-source repository NPM, for example, saw close to 7,000 malicious package uploads from January to October of 2022 \u2014 a nearly 100 times increase over the 75 malicious packages discovered in 2020 and 40 per cent increase over all packages discovered in 2021.<\/p>\n<p data-ar-index=\"7\">\u201cThe Python Package Index (PyPI) was also flooded with tainted open-source modules<br \/>\ndesigned to mine cryptocurrency and plant malware, among other things.\u201d<\/p>\n<p data-ar-index=\"8\">A number of high-profile organizations including Samsung and Toyota found themselves embarrassed by secrets exposed through open-source repositories that were maintained internally or by third-party contractors, the report adds.<\/p>\n<p data-ar-index=\"9\">Open source platforms and governments have responded, the report notes. For example, in the U.S., new federal guidance for tightening supply chain security came into effect. That included a practice guide for software suppliers to the federal government issued by the Enduring Security Framework (ESF) Software Supply Chain Working Panel. In September, a memorandum from the Office of Management and Budget required software firms to attest to the security of software and services they license to executive branch agencies.<\/p>\n<p data-ar-index=\"10\">In 2023, software publishers with U.S. federal contracts will need to clear higher bars<br \/>\nfor software security to meet the new guidelines, including having to attest to the security<br \/>\nof their code and \u2014 in some cases \u2014 produce a software bill of goods that provides a roadmap for tracking down supply chain threats, the report says.<\/p>\n<p data-ar-index=\"11\">\u201cGiven that the threat of supply chain attacks goes beyond publishers that sell to the [U.S.] 
federal government, all organizations that develop software will need to take similar steps to keep ahead of these threats,\u201d the report says.<\/p>\n<p data-ar-index=\"12\">Yet there are great challenges. The report notes that GitHub\u2019s security team has reviewed and issued advisories for almost 9,300 vulnerabilities in GitHub modules across all languages. But more than 177,000 advisories related to GitHub modules remain unreviewed, many with \u201ccritical\u201d ratings. These advisories, which constitute 95 per cent of the total vulnerability count, aren\u2019t connected to GitHub\u2019s Dependabot service, so no warning will be issued for them, the report notes.<\/p>\n<p data-ar-index=\"13\">The report also points out that this year so-called \u201cprotestware\u201d emerged, in which maintainers of legitimate applications decide to weaponize their software in service of some larger cause. In January, for example, downstream applications that depended on the<br \/>\npopular NPM libraries called \u2018colors.js\u2019 and \u2018faker.js\u2019 found themselves caught in<br \/>\nan infinite loop, printing \u2018LIBERTY LIBERTY LIBERTY\u2019 followed by a sequence of gibberish non-ASCII characters. The incident was intentional \u2014 an act of protest by the maintainer \u201cSquires\u201d for what he perceived as uncompensated use of his libraries by for-profit firms.<\/p>\n<p data-ar-index=\"14\">The report says application development teams can take four steps to combat growing software supply chain risks:<\/p>\n<p data-ar-index=\"15\">\u2013go beyond focusing on vulnerability management and code quality to encompass growing<br \/>\nsupply chain threats like malware, malicious insiders, and other continuous integration compromises that can lead to unauthorized code changes;<\/p>\n<p data-ar-index=\"16\">\u2013bring release engineers and security engineers together to co-ordinate their<br \/>\nactivities. 
Security operations centers need to follow attackers as they shift left, broadening their mandate to encompass monitoring of software supply chain threats as part of their overall risk monitoring;<\/p>\n<p data-ar-index=\"17\">\u2013increase focus on finding and closing open-source risks;<\/p>\n<p data-ar-index=\"18\">\u2013invest in proactive threat hunting.<\/p>\n<p data-ar-index=\"19\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/software-supply-chain-attacks-will-increase-in-2023-report\/517007\">Software supply chain attacks will increase in 2023: Report<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ReversingLabs says DevOps and IT security teams have to work more closely to meet the threat of third-party<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[349,66,16,28,422],"tags":[470,391,393,733,275],"class_list":["post-32238","post","type-post","status-publish","format-standard","hentry","category-development","category-open-source","category-security","category-software","category-supply-chain","tag-application-developers","tag-di","tag-security-strategies","tag-software-supply-chain","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/32238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=32238"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/32238\/revisions"}],"predecessor-version":[{"id":32334,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/32238\/revisions\/32334"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=32238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=32238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=32238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}