There is a complex web of interdependencies required to source, process, manufacture, and transport goods that has to occur before a vehicle is available on a dealer lot, a product is sitting on the shelf at Target, or the Amazon delivery guy shows up at your door. The same is actually true for software today. There is a supply chain of software code involved in delivering an application or service—and attackers are taking advantage of its weaknesses.
Understanding the Supply Chain
The supply chain is one of those things that was always there, but most people didn't know about it and never thought of it. We shop, and buy, and consume with little understanding of, or regard for, the many moving parts that must align to produce goods.
An apple grows on a tree. It’s relatively simple. However, getting the apple from the tree to the produce section at your grocery store requires effort to plant, grow, harvest, sort, clean, and transport the apples. Many factors such as extreme weather, fuel prices, skill and availability of workers, and more all impact the supply chain.
Supply Chain Risk
Disruptions ripple through the supply chain, and that ripple effect is responsible for a number of global issues right now. Seemingly unrelated events at the beginning of the supply chain can cascade and amplify into huge production challenges at the other end. The COVID-19 pandemic, climate change, and other factors continue to disrupt regions and industries in ways that are impacting everyone around the world.
There is also increasing supply chain risk for cybersecurity. Successfully attacking thousands of targets is a Herculean task. Threat actors recognized that they could compromise one target further back in the supply chain, and leverage that to gain access to the thousands of companies or individuals that rely on that target.
Open Source Supply Chain
A blog post from Checkmarx explains, "Today's attackers accomplish that by infecting the supply chain of open source libraries, packages, components, modules, etc. In the context of open source repositories, a whole new Pandora's box can be opened. And as we all know, once you open that box, it's nearly impossible to close."
The attack on SolarWinds disclosed at the end of 2020 was a supply chain attack. Companies and government agencies around the world use SolarWinds software. Threat actors compromised the SolarWinds build process and embedded malicious code in a legitimate, vendor-signed software update, which was then downloaded and executed by thousands of customers. No customer was attacked directly; they installed the backdoor themselves by trusting their supplier's update channel.
Researchers discussed these issues at RSA Conference 2022 in June. Erez Yalon, VP of Security Research at Checkmarx, and Jossef Harush Kadouri, Head of Engineering for Supply Chain Security at Checkmarx, presented the session titled "The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack," which revealed insightful research and provided an attacker's perspective on open source flows and flaws, and on how threat actors can take advantage of software supply chain weaknesses.
Supply Chain Jacking Software
Nation-state attackers and cybercriminals generally seek out the path of least resistance, which is why software supply chain jacking is a growing threat. I spoke with Erez, and with Tzachi (Zack) Zornstain, Head of Software Supply Chain at Checkmarx, about the increasing risk.
Zack noted that the way developers write code and create software has evolved. The shift from Waterfall, to Agile, and now to DevOps principles has accelerated and fundamentally changed the process. “There’s a huge rise in speed and velocity of change in the last five years. We are moving towards a future or even a present already that has way more moving parts. Suddenly application security is not only about your code—it’s also about containers, and third party, and open source, and APIs that are talking to each other. Everything out there is somehow connected in all of these small building blocks, and what we see is that the attackers are moving towards it.”
Part of that shift has been an increased use of and dependence on open source code. "80% of the lines of code come from open source," shared Erez. "So, it's not a small part of the code. Most of the code in modern applications is from open source."
Leveraging open source code makes sense. It is more expedient to incorporate open source code that already performs the needed function than to write it from scratch, and there is no point in duplicating effort and reinventing the wheel. However, developers, and the organizations that use these applications, need to be aware of the implications of those choices: every dependency pulled in is code the organization now runs, ships, and is responsible for, without having written or reviewed it.
The thing about open source software is that anyone can propose or contribute changes, and in many projects nobody is formally designated as "responsible" for resolving vulnerabilities or validating that the code is secure. It is a community effort. The belief is that exposing it to the public makes it more secure because anyone can see the code and resolve issues. In practice, that only holds if someone is actually looking.
But there are thousands and thousands of open source projects, and many of them are more or less derelict. They are actively used, but not necessarily actively maintained. The original developers have lives and day jobs. The open source code is being provided for free, so there is little incentive to invest continuous effort monitoring and updating it.
Erez and Zack shared with me a couple of examples of very popular open source components being modified in ways that compromised millions of devices running applications that leverage that code. One was an example of attackers hijacking the account of a developer of widely used open source code and publishing a version with malicious code embedded in it. The code had been used and trusted for years, and the developer had an established reputation, so it didn't occur to anyone to question or distrust a new release under the same name.
That was a malicious takeover. The other example illustrates that supply chain jacking software can be a threat when it is intentional as well. Erez and Zack told me about a developer of a popular open source component who modified his code in support of Ukraine in the wake of Russia's invasion. The code was changed to effectively brick or wipe computers in Russia. He did not hide the update; the change was made public and he was clear about his motives. However, few organizations in Russia that rely on his code are actually aware they use it, and even fewer would have any reason to read his posts or monitor changes on GitHub. From the consumer's side, both cases look the same: a trusted package name, a new version, and different code.
Software supply chain jacking and issues with the software supply chain in general will continue to expose organizations to risk. Erez summed up, “Basically, the question is whose responsibility is it? We think that because it’s our software, it’s our responsibility.”
Organizations cannot afford to assume that the open source code running in their environments is secure. They also can’t assume that just because the developer has a solid reputation, and the open source code has great reviews, and the code has been used safely for years, that it can be inherently trusted. Erez added, “It’s our job to make sure things are actually working as expected.”
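Both incidents described above reached their victims as a new release of a package that was already trusted, so reputation and years of safe use were exactly the wrong signals to rely on. The following is an added example written for this page, not code from the article or from Checkmarx. It shows the two mechanical checks a consumer can run on a dependency before it enters a build: an exact version plus sha256 pin against a lockfile, and a diff of the package manifest for newly added install-time scripts. The lockfile layout, the package name "widget", the manifests and the tarball bytes are constructed for the example; the lifecycle hook names are npm's.

```python
"""Added example (not from the article or Checkmarx): gate a third-party
package on a pinned lockfile before it enters the build.

Check 1: exact version + sha256 pin, so a new upstream release, whether from
a hijacked maintainer account or a maintainer's own decision, is never pulled
in silently; the bytes installed must equal the bytes that were reviewed.
Check 2: flag install-time lifecycle scripts that were not in the reviewed
manifest, since they execute during `npm install`, before the application
itself ever runs.

All package names, manifests, lockfile entries and tarball bytes below are
constructed for this example (assumed, not real registry data).
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "tarball" bytes standing in for the package version that was reviewed.
REVIEWED_ARTIFACT = b"widget-1.4.2 reviewed package contents"
# Constructed bytes of a later release that nobody on the consuming side has read.
NEW_RELEASE_ARTIFACT = b"widget-1.5.0 contents published after the review"

# Simplified lockfile (assumed format): name -> pinned version and digest.
# A real project takes this from package-lock.json or pip's --hash pins.
LOCKFILE = {
    "widget": {"version": "1.4.2", "sha256": sha256_hex(REVIEWED_ARTIFACT)},
}

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def verify_artifact(name, version, artifact, lockfile):
    """Return findings for one fetched package; an empty list means accepted."""
    findings = []
    pinned = lockfile.get(name)
    if pinned is None:
        findings.append(f"{name}: not in lockfile, refusing unreviewed dependency")
        return findings
    if version != pinned["version"]:
        # Same trusted name, different version: the consumer-side view of both incidents.
        findings.append(f"{name}: resolved {version}, lockfile pins {pinned['version']}")
    digest = sha256_hex(artifact)
    if digest != pinned["sha256"]:
        findings.append(f"{name}@{version}: sha256 mismatch (got {digest[:12]}..., pinned {pinned['sha256'][:12]}...)")
    return findings


def audit_manifest(manifest, previous_manifest=None):
    """Flag install-time scripts that are new or changed versus the reviewed manifest."""
    findings = []
    scripts = manifest.get("scripts", {})
    old_scripts = (previous_manifest or {}).get("scripts", {})
    for hook in sorted(INSTALL_HOOKS & set(scripts)):
        if scripts[hook] != old_scripts.get(hook):
            findings.append(f"{manifest['name']}: new or changed '{hook}' script: {scripts[hook]!r}")
    return findings


# Constructed manifests: the reviewed 1.4.2, and a later 1.5.0 that adds a postinstall hook.
REVIEWED_MANIFEST = json.loads(
    '{"name": "widget", "version": "1.4.2", "scripts": {"test": "node test.js"}}'
)
NEW_MANIFEST = json.loads(
    '{"name": "widget", "version": "1.5.0", '
    '"scripts": {"test": "node test.js", "postinstall": "node ./setup.js"}}'
)


def check_release(name, version, artifact, manifest, lockfile, previous_manifest=None):
    """Run both checks; returns the combined list of findings (empty == accepted)."""
    return verify_artifact(name, version, artifact, lockfile) + audit_manifest(manifest, previous_manifest)


if __name__ == "__main__":
    accepted = check_release("widget", "1.4.2", REVIEWED_ARTIFACT, REVIEWED_MANIFEST, LOCKFILE)
    print("reviewed release:", accepted or "accepted")
    for finding in check_release("widget", "1.5.0", NEW_RELEASE_ARTIFACT, NEW_MANIFEST,
                                 LOCKFILE, REVIEWED_MANIFEST):
        print("new release:", finding)
```

The point of the pin is not that version 1.5.0 is known to be bad; it is that nobody on the consuming side has read it yet. Bumping the pin becomes a deliberate, reviewable change in the consumer's own repository rather than something that happens on the next `npm install`, which is the step that was missing for the organizations in both stories above.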