Why does software supply chain security matter?

Semih Özden
3 min read · Mar 14, 2021
https://finitestate.io/

What is a software supply chain?

Simply put, the software supply chain is everything you need from the development process through deployment into production. It covers every component used to build your product: not only the software itself but also everything that composes it and the tooling around it, such as the repository and the package manager. Questions that touch the supply chain include who wrote a component, when it was contributed, how it was reviewed for security issues, its known vulnerabilities, its supported versions and its licence information. Furthermore, your packaging and build scripts, and the framework your application runs on, can be counted as parts of the supply chain.

Why does it matter for security?

These days, software dependencies are common in almost every project. While developing software, you do not write all of the functionality yourself; that is where open source comes in with its dependencies. The Synopsys (2020) report suggests that 99 percent of codebases contained open source in 2019. This means that your application contains code that you did not write, and that code can carry high security risks according to Kaczorowski (2020). Synopsys (2020) states that 75% of codebases contained vulnerabilities, as mentioned in the 2020 Open Source Security and Risk Analysis report. These vulnerabilities can create worst-case scenarios for your production environment, because in effect thousands of open source developers have commit access to your repository. I think that is enough to imagine what could happen in the future.

Example of Supply Chain Attack

If you are interested in secure code development, you may have heard of the event-stream supply chain attack. event-stream is a Node.js library that is commonly installed via npm. In September 2018, a volunteer offered to help with event-stream on GitHub, and the author gave the newcomer the rights to publish the package. The new user added flatmap-stream to event-stream and removed it from the codebase a few weeks later, but did not push that change to npm. In October, malware was added to flatmap-stream by another user. After that, the last version of flatmap-stream, the one containing the malware, was downloaded together with event-stream. Everyone who downloaded event-stream was affected by this malicious dependency.

How should we protect our components from supply chain attack?

Kaczorowski (2020) states that attacks on unpatched software are not rare, while direct supply chain attacks are still limited. Therefore unpatched software creates the biggest risk for supply chain attacks.

Protection tips for developers

  • As developers, we should know which dependencies we use in our environment.
  • Regularly follow the vulnerabilities reported for those dependencies and patch them.
  • Manage the dependencies in our environment and remove unused ones.
  • Be careful before downloading a new dependency; for example, look at its stars on GitHub and its weekly download count on npm (although that does not mean the dependency is 100% secure).
  • Produce a Software Bill of Materials (SBOM) for software packages, updates and connected device firmware.
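One way to act on the inventory, patching, cleanup and SBOM tips above, as an added example that is not code from the original post: a small dependency-free Node.js script that turns an npm lockfile into a minimal SBOM-style inventory and flags known-vulnerable versions, entries without an integrity hash, and packages nothing depends on. The lockfile, versions, hashes and advisory list are constructed sample data.

```javascript
// Constructed lockfile in npm's lockfileVersion 2 layout. Package names follow
// the event-stream story above; the versions and hashes are made up.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { "event-stream": "^3.0.0" } },
    "node_modules/event-stream": {
      version: "3.0.0", integrity: "sha512-CONSTRUCTED",
      dependencies: { "flatmap-stream": "0.1.0" },
    },
    // No integrity hash: the tarball npm installs cannot be verified from the lockfile.
    "node_modules/flatmap-stream": { version: "0.1.0" },
    // Installed, but nothing in the tree declares it as a dependency.
    "node_modules/left-pad": { version: "1.0.0", integrity: "sha512-CONSTRUCTED" },
  },
};
// Constructed advisory feed: package name -> versions known to be affected.
const sampleAdvisories = { "flatmap-stream": ["0.1.0"] };

// Build one component record per installed package: a minimal SBOM.
function buildInventory(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys(root.dependencies || {}));
  const referenced = new Set(direct);
  const components = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    for (const dep of Object.keys(entry.dependencies || {})) referenced.add(dep);
    components.push({ name, version: entry.version, direct: direct.has(name),
      hasIntegrity: typeof entry.integrity === "string" && entry.integrity.length > 0 });
  }
  for (const c of components) c.unreferenced = !referenced.has(c.name);
  return components;
}

// Report what a developer should act on: vulnerable, unverifiable or orphaned packages.
function auditInventory(components, advisories) {
  const findings = [];
  for (const c of components) {
    if ((advisories[c.name] || []).includes(c.version))
      findings.push(`${c.name}@${c.version}: known vulnerable version, patch it`);
    if (!c.hasIntegrity) findings.push(`${c.name}@${c.version}: no integrity hash in lockfile`);
    if (c.unreferenced) findings.push(`${c.name}@${c.version}: not required by any package, remove it`);
  }
  return findings;
}

console.log(auditInventory(buildInventory(sampleLock), sampleAdvisories).join("\n"));
```

On a real project, replace `sampleLock` with the parsed contents of package-lock.json and `sampleAdvisories` with the output of your advisory source; the checks themselves stay the same.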

What will the next article be?

My next article will be about npm substitution attacks, which are related to supply chain security.

References

Synopsys. (2020). 2020 Open Source Security and Risk Analysis. synopsys.com/software-integrity/resources/a..

Kaczorowski, M. (2020, February 2). Secure at every step: What is software supply chain security and why does it matter? github.blog/2020-09-02-secure-your-software..

[Photograph with attacker and malicious code]. (2020, December 15). How we can prevent supply chain attacks like the one on SolarWinds [Photograph]. Finite State. finitestate.io/2020/12/15/how-we-can-preven..