Hackers are becoming increasingly sophisticated and calculated in the ways they deliver attacks upstream in the software supply chain. There are growing numbers of organized attackers whose sole focus is exploiting vulnerabilities in open source ecosystems, frequently by making their malware appear legitimate. What’s new is the intensity, volume, frequency, and severity of malicious attacks. The popularity of open source makes repositories the ideal watering hole for attacks: poison the well and all who drink from it are impacted. Once malicious code gets into developer machines and build environments, it can end up in internal corporate networks and in the final product.


We must become ever more vigilant in our coding practices, because developers are a clearly marked target with exponentially cascading impacts. We need to be prepared for multiple permutations in the types of malicious targeting, whether aimed at us as developers specifically, or at projects upstream or downstream of us. On top of that, we still need to be aware of legacy software supply chain “exploits,” like Log4j, where attackers prey on publicly disclosed open source vulnerabilities left unpatched in the wild. Your teams need to understand the changing landscape and help put developer-first security tools in place across the organization.

