Checkmarx released its first monthly report this week, finding that 56% of software supply chain attacks it analyzed resulted in the theft of credentials or sensitive data.
More than a quarter (28%) of the attacks used some form of dependency confusion or typosquatting to mislead developers, and 16% involved malware or backdoor injection.
Jossef Harush Kadouri, head of software supply chain security at Checkmarx, said that although there is no previous data to compare against, it is clear that cybercriminals are actively exploiting weaknesses in the software supply chain with the goal of compromising downstream applications.
Unfortunately, many organizations building software have not yet adopted DevSecOps best practices that would help them detect these attacks, Harush Kadouri said. Although there are some examples of sophisticated attacks on the software supply chain that involve dropping or adding scripts or components into software, most of the tactics and techniques cybercriminals use, such as typosquatting, are not especially sophisticated; they are simply not well understood.
Many organizations also still do not vet code downloaded from sources such as open source software repositories. Cybercriminals know that some developers don't look closely enough at the URLs that point to their repositories, so they create fake repositories with intentionally misspelled names and load them with malware, Harush Kadouri pointed out.
Because the repository is hosted on a legitimate platform, developers assume it is safe to download the components, Harush Kadouri added.
It's unclear how widely the software supply chain has been compromised, but given the volume of stolen developer and administrator credentials, cybersecurity teams should assume it has been. The core problem is that too many developers are building applications faster than they can verify whether those applications carry known vulnerabilities or whether malware has been injected without their knowledge.
The challenge is to make sure developers are aware of these issues and use the tools provided to spot them as they build and deploy applications, Harush Kadouri said.
Of course, many developers would like these tasks to be performed by others on their behalf. Many companies lack meaningful cybersecurity expertise and complain that the cognitive load of building applications is already too high. Taking responsibility for application security will only slow down the creation of application code while the application development backlog continues to grow. To address this issue, organizations must define a set of DevSecOps best practices that minimize disruption to application development workflows as much as possible.
In any case, it is only a matter of time before stricter regulations force the issue. The Biden administration has already issued an executive order requiring federal agencies to secure their software supply chains, and that order will inevitably serve as the basis for a broader range of regulations.
Hopefully, cybersecurity teams will work more closely with application development teams to improve software supply chain security before it becomes mandatory. But in the meantime, insecure applications that end up in production only increase the likelihood of a major crisis, which in most cases was probably avoidable.