SolarWinds and Log4j have made software supply chain security issues a topic of intense interest and scrutiny for businesses and governments alike.
SolarWinds was a terrifying example of what can go wrong with the integrity of software build systems: Russian intelligence services hijacked the software build system for SolarWinds software, surreptitiously adding a backdoor to a piece of software and hitching a ride into the computer networks of thousands of customers. Log4j epitomizes the garbage-in, garbage-out problem of open source software: if you're grabbing no-warranties code from the internet, there are going to be bugs, and some of those bugs will be exploitable.
What's less talked about, though, is that these attacks represent only a fraction of the different types of software supply chain compromises that are possible.
Let's take a look at some of the lesser-known, but no less serious, types of software supply chain attacks.
This class of attacks describes an unauthorized user compromising a developer laptop or a source code management system (e.g., GitHub) and then pushing code.
A particularly well-known example occurred when an attacker compromised the server hosting the PHP programming language and inserted malicious code into the programming language itself. Though discovered quickly, the code, if not corrected, would have enabled widespread unauthorized access across large swaths of the internet.
The security vendor landscape is selling a pipedream that "scanners" and "software composition analysis" wares can detect all of the critical vulnerabilities at the software artifact level. They don't.
Publishing server compromise
Recently an attacker, likely the Chinese intelligence services, hacked the servers that distribute the Chinese messaging app MiMi, replacing the normal chat app with a malicious version. The malware allowed the attackers to monitor and control the chat software remotely.
This attack stems from the fact that the software industry has failed to treat critical points in the software supply chain (like publishing servers or build systems) with the same care as production environments and network perimeters.
Open source package repository attacks
From the Python Package Index, which houses Python packages, to npm, the world's software now literally depends on vast stores of software packages, the open source software programmer's equivalent of the Apple App Store.