Are we Forever Doomed to Software Supply Chain Security?

Rate this content
Bookmark

The adoption of open-source software continues to grow and creates significant security concerns for everything from software supply chain attacks in language ecosystem registries to cloud-native application security concerns. In this session, we will explore how developers are targeted as a vehicle for malware distribution, how immensely we depend on open-source maintainers to release timely security fixes, and how the race to the cloud creates new security concerns for developers to cope with, as computing resources turn into infrastructure as code.

This talk has been presented at TestJS Summit 2021, check out the latest edition of this JavaScript Conference.

FAQ

Software supply chain risks refer to the vulnerabilities and threats that can arise from the use of third-party software components, especially open-source software, in application development. These risks can include malicious code insertion, dependency vulnerabilities, and compromised software packages.

Open-source software significantly impacts software supply chain risks because it is widely used in application development. The openness of these ecosystems, like NPM and Java, makes them susceptible to vulnerabilities and malicious attacks, as anyone can publish or modify packages.

The Event Stream incident was a high-impact targeted attack on the JavaScript ecosystem in 2018. A malicious actor gained maintainer access to the Event Stream package, added a malicious dependency, and distributed backdoored versions of the package, compromising applications that used it.

Software security awareness is crucial for developers because they often use open-source software, which can be a vector for security vulnerabilities and malicious attacks. Being aware of these risks and adopting best practices helps in mitigating potential threats and ensuring safer software development.

According to research, it takes an average of about 100 days for maintainers of JavaScript and Python open-source projects to start mitigating newly published security vulnerabilities. This timeframe can vary between different ecosystems.

Developers play a fundamental role in mitigating software supply chain risks by being vigilant about the dependencies they use, regularly scanning for vulnerabilities, applying security patches promptly, and following best practices for secure coding and package management.

Ken Thompson's essay, Reflections on Trusting Trust, highlights the difficulty in detecting malicious code like backdoors and Trojan horses in software. He demonstrated how deeply embedded vulnerabilities can go unnoticed unless the entire software stack is built from scratch by the developer.

Notable incidents include the Event Stream incident in 2018, the Electronative Notify attack in 2019, and the UA parser.js hijacking in 2021. These incidents involved malicious actors gaining access to popular packages and injecting malicious code, affecting numerous applications and users.

Maintaining security in open-source software ecosystems is challenging due to the sheer volume of code, the decentralized nature of development, and the ease with which anyone can publish or modify packages. This openness can lead to overlooked vulnerabilities and opportunities for malicious attacks.

Measures to improve the security of open-source software packages include enabling two-factor authentication (2FA) for maintainer accounts, conducting regular vulnerability scans, adopting best practices for secure coding, and using tools like SIG store to ensure the authenticity and integrity of packages.

Liran Tal
Liran Tal
17 min
18 Nov, 2021

Comments

Sign in or register to post your comment.

Video Summary and Transcription

The Talk discusses the importance of software security and the risks associated with open-source software supply chains. It highlights real-world stories of developers' involvement in security incidents and emphasizes the need to trust the software we use. The Talk also addresses the vulnerabilities and targeted attacks that come with the growing dependency on open-source software. It explores the security risks in open-source dependencies, open-source ecosystems, and the future of open source software. Additionally, it provides insights into choosing the best vulnerability scanning software and promoting supply chain security practices.

1. Introduction to Software Supply Chain Risks

Short description:

In this part, I discuss the importance of software security and the risks associated with open-source software supply chains. I share real-world stories of developers' involvement in security incidents and emphasize the need to trust the software we use. Additionally, I highlight the growing dependency on open-source software and the vulnerabilities and targeted attacks that come with it. I also mention Ken Thompson's essay on trusting trust and how developers have been targeted to distribute malicious code. Lastly, I mention the Event Stream incident as an example of a targeted attack on developers in the JavaScript ecosystem.

Hi, everyone, and thank you for joining my talk, Are We Forever Doomed by Software Supply Chain Risks? If you joined this talk, then it means you care about software and you care about software security, which is great. Most of all, you probably are curious, like I am, how does open-source software supply chain risks impact all of us? You, me, everyone here.

So I wanted to begin this with interesting stories, such as, let's take a moment to reflect on this picture, what you're seeing on your screen right now. And what comes to your mind? Is it a futuristic outlook of the world, like the robots? Are they uprising and becoming a key part of our lives? Perhaps it's other things, like how much does the robot actually learn and upload all of that to the cloud? You know, where is it stored? Is it stored safely? What happens when someone can do something malicious with that data? Most of all, what happens if someone hacks in and interacts with my child? This is my kid, if so to say. And what happens when that interaction takes place, when someone is able to compromise that? So, yeah, that's where we are getting started, you know. These are some of the things that are keeping me up at night.

Today I would like to share with you some real-world stories of how developers play a fundamental role in recent and growing security incidents. And also, you know, why should you care about security, software security and software supply chain risks? And also, leave you off to think about who you actually trust.

So, in case you had a doubt, we're seeing more and more open source software being developed. Year after year, right, open source software repositories are growing with more and more open source software and that is more software footprint. The thing is the application that we build are ever-growing in their dependency of open source software, not just the fact that we're using open source software, but the applications themselves are using more and more of that as well. So, more of us, basically, software engineers, are now accustomed to the way of how people work in open source, like opening issues and becoming maintainers of open source. More and more of us are maintainers of open source software and that growth of open source software doesn't come without any risks, right? This is why we're all here, because we care about it.

We are continuously witnessing the growth of open source software security vulnerabilities in these ecosystems, like NPM and Java and others and this could be anything from CVE-based vulnerability reports that when you install a software you get that installation that said, you know, there are 1,000 vulnerabilities there. What happens when that takes place? Also the incidents themselves of malicious packages and different targeted attacks on developers because us as developers, we rely on open source software packages and so we are targeted as well and we'll get to that right now.

Let's rewind back, first of all, in time to get an early glimpse of how one developer perceived the risks of open source software. So in 1984, the Turing Award-winning Ken Thompson wrote a short essay titled, Reflections on Trusting Trust, in which he describes how he added a backdoor to the Unix login C program and then he continued and added a backdoor to the C compiler and then he added a backdoor further on with his chains of attacks into the compiler that compiles the C program, that compiles the compiler. Right, so in his paper here about Reflections on Trusting Trust, he actually explains how software can be taught to learn specific traits and pass them on. So, realistically, it is very, very hard to find the traces of things like Trojan horses and backdoors unless you have actually written everything from scratch. And I mean everything such as the compiler, the linker, the CPU, the display that you're watching something, the keyboard, everything. It is very hard to trust an ecosystem. So as we learned by Thompson's Trojan horse story, this is dating back to 1984, developers have been targeted as a vehicle to distribute malicious backdoors and other sorts of malware for a very long time now.

Let's explore some of these incidents. I'm sure you've probably heard of some of them. In 2018, the JavaScript ecosystem witnessed its first high impact, spearheaded, targeted attack on maintainers and developers alike where they are working in open source in the ecosystem themselves and actually have been the attack target, the vehicle as well to actually distribute malicious JavaScript code to all of us using those software. And so the attack itself targeted also developers using open source, specifically a Bitcoin wallet application. And this was the well-known Event Stream incident. Event Stream existed on the NPM registry since 2011, for a very long time now, as you could see. It's practically didn't receive any new releases in the last two years. But gained millions of downloads per week.

2. Security Risks in Open-Source Dependencies

Short description:

Someone unexpectedly offers to help with a project and opens a pull request. Unbeknownst to the original maintainer, the trusted individual introduces a dependency with a backdoor. The dependency is then included in new versions of the software, compromising its security. This incident occurred with the Event Stream package, resulting in the distribution of a malware-infected Bitcoin wallet application for three months.

Out of the blue someone chimes in and say, I wanna help. They get into the project, they help, they open a pull request as you normally do in open-source software. One of those pull requests later has actually introduced the dependency. At that point in time, this was a trusted individual. So they received a different kind of like access to the repository, and publishing new packages, and new versions of that package, and so on. And later on when they added that dependency, now that dependency exists in a different state, and they could just add that backdoor to that new version that they released. And now new versions of Event Stream that use that dependency pull that, the new version in, and they get that dependency with the backdoor that now the original maintainer of Event Stream did not know about. They did not know that this is happening and they can't control it. Because this is how software package managers work in specific ecosystems like NPM, like others. So this actually resulted in two versions of the copy Bitcoin wallet application, including the malware, three months. For three months until we found this, this is the Event Stream one.