Supply Chain Risk in the Software Process
I have been talking a lot about supply chain risk lately and there is a good reason. From open source products with backdoors like Webmin or Rubygems to NotPetya a few years ago which shut down many companies around the world to the recent attacks against SolarWinds or Centreon, supply chain attacks are running rampant.
There is a good reason for this – we have not, historically, paid enough attention to them, so they work very well.
Here is a new attack that works against the software development process.
Security researcher Alex Birsan posted a blog on February 9th that detailed how he used dependency, or namespace confusion to push malicious proof of concept code to organizations like Microsoft, Apple, Tesla, Uber and others. It is not because these companies are stupid. They are not. It is because we are not paying enough attention to the problem.
The good news is that he is a good guy and wasn’t trying to take down the world.
I am not going into total-geek with details of why this attack works, but right after the vulnerability was announced, hundreds of copycats were released into the wild. And still are being released – knowing that some companies will ignore or not understand the problem and remain vulnerable, potentially forever.
Not surprisingly, the root of the problem is the tradeoff between security and convenience.
The problem is that if the bad guys are sophisticated, developers will not detect the problem because their malicious code won’t activate until a trigger event happens and all of the normal functionality works correctly.
The researcher who launched the test attack called the results simply astonishing. I don’t think the copycats were launching mock attacks.
For more details on how this attack works, read the article here.