In recent years, hackers have become very sophisticated in the ways they attack upstream development pipelines by introducing vulnerabilities into the software supply chain. The popularity of open source makes those repositories a low-hanging fruit to target.
In an SD Times Live! Event titled “Threat Landscapes: An Upstream and Downstream Moving Target,” Theresa Mammarella, developer advocate at Sonatype, explained how companies can stay vigilant and be prepared for these malicious attacks.
“It becomes harder and harder as there’s more and more layers of software building on top of each other to actually know what’s in these applications,” she explained. For example, you could be using Kubernetes, and that project could be pulling in code from thousands of other projects that you might not even know about. Mammarella labels these as “transitive dependencies.”
According to her, there are three main attack points in a software supply chain. The first is upstream, which involves downloading open-source or third-party componentss. The NPM attack is one example of an upstream attack.
The second is midstream, where an attack takes place somewhere in the development life cycle. An example of this is the Log4j exploit.
And third is downstream, which is when an attack takes place within the deployed application.
“So upstream, midstream, and downstream, this all makes me think of a river,” Mammarella explained. “And there is a good reason for that. Niagara Falls, think about it, the water that is upstream moves faster and spreads more widely than does the water in the midstream or the downstream of a river or waterfall. And those upstream attacks can have the most impact on software supply chains.”
According to Mammarella, of the millions of repositories on GitHub, many of those projects get distributed to hundreds of thousands or even millions of companies. The most popular ones often get targeted the most because they have the most number of downloads and thus are more attractive to attackers.
To learn more about how to protect your software supply chain, watch the recording of the event.