Software supply chain security is broader than SolarWinds and Log4J • TechCrunch

1 min


178
117 shares, 178 points

SolarWinds and Log4j have made software supply chain security issues a topic of intense interest and scrutiny for businesses and governments alike.

SolarWinds was a terrifying example of what can go wrong with the integrity of software build systems: Russian intelligence services hijacked the software build system for SolarWinds software, surreptitiously adding a backdoor to a piece of software and hitching a ride into the computer networks of thousands of customers. Log4J epitomizes the garbage-in, garbage-out problem of open source software: If you’re grabbing no-warranties code from the internet, there are going to be bugs, and some of these bugs will be exploitable.

What’s less talked about, though, is that these attacks represent only a fraction of the different types of software supply chain compromises that are possible.

Let’s take a look at some of the lesser-known, but no less serious, types of software supply chain attacks.

Unauthorized commits

This class of attacks describes an unauthorized user compromising a developer laptop or a source code management system (e.g., GitHub) and then pushing code.

A particularly famous example occurred when an attacker compromised the server hosting the PHP programming language and inserted malicious code into the programming language itself. Although discovered quickly, the code, if not corrected, would have enabled widespread unauthorized access across large swaths of the internet.

The security vendor landscape is selling a pipedream that “scanners” and “software composition analysis” wares can detect all of the critical vulnerabilities at the software artifact level. They don’t.

Fortunately, recently developed tools like Sigstore and gitsign reduce the probability of this type of attack and the damage if such an attack does occur.

Publishing server compromise

Recently an attacker, potentially the Chinese intelligence services, hacked the servers that distribute the Chinese messaging app MiMi, replacing the normal chat app with a malicious version. The malware allowed the attackers to monitor and control the chat software remotely.

This attack stems from the fact that the software industry has failed to treat critical points in the software supply chain (like publishing servers or build systems) with the same care as production environments and network perimeters.

Open source package repository attacks

From the Python Package Index, which houses Python packages, to npm, the world’s software now literally depends on vast stores of software packages, the open source software programmer’s equivalent of the Apple App Store.

Source: Tech Crunch


Like it? Share with your friends!

178
117 shares, 178 points

What's Your Reaction?

Cute Cute
16
Cute
Fun Fun
8
Fun
Hate Hate
2
Hate
Confused Confused
18
Confused
Fail Fail
10
Fail
Geeky Geeky
5
Geeky
Love Love
24
Love
OMG OMG
18
OMG
Choose A Format
Personality quiz
Series of questions that intends to reveal something about the personality
Trivia quiz
Series of questions with right and wrong answers that intends to check knowledge
Poll
Voting to make decisions or determine opinions
Story
Formatted Text with Embeds and Visuals
List
The Classic Internet Listicles
Countdown
The Classic Internet Countdowns
Open List
Submit your own item and vote up for the best submission
Ranked List
Upvote or downvote to decide the best list item
Meme
Upload your own images to make custom memes
Video
Youtube, Vimeo or Vine Embeds
Audio
Soundcloud or Mixcloud Embeds
Image
Photo or GIF
Gif
GIF format