Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Adversaries may target software dependencies and development tools by manipulating libraries, open-source package manager repositories, container images and repositories, and other components before they reach the end user, in order to cause data or system compromise.
Developers rely on open-source software at every step of the software development process and accelerate it by reusing functionality implemented in open-source libraries or modules that someone else wrote earlier and that has been proven to work correctly. These open-source projects rely on contributions from volunteer developers and typically incorporate many dependencies from other open-source projects, which are prone to abuse, whether by accidentally incorporating known vulnerabilities or by intentionally adding a malicious piece of code.
As software development relies ever more on open-source software and open-source package manager repositories, these have become new targets that offer attackers a rapidly growing number of opportunities.
Targeting may be specific to a desired victim set, or the compromised component may be distributed to a broad set of users and then acted on against specific victims.
A patch management process should be implemented to check for unused dependencies, unmaintained and/or previously vulnerable dependencies, and unnecessary features, components, files, and documentation.
Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.
Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.
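The hash-checking mitigation described above, as an added example that is not part of the original page: it parses a constructed pip-style pin file of `name==version --hash=sha256:<hex>` lines, rejects any dependency that is not pinned with a hash, and accepts a downloaded artifact only when both its version and its SHA-256 match the pin. The package name, artifact bytes and pin file are all constructed for the demonstration.

```python
"""Verify a downloaded dependency artifact against a hash-pinned lock file.

Added example, not code from the page; the pin-file syntax mirrors pip's
--require-hashes style, but this is a minimal stand-alone re-implementation.
"""
import hashlib
import hmac
import re

# One pinned requirement per line: exact version plus a SHA-256 digest.
PIN_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pins(text: str) -> dict:
    """Return {package: (version, sha256)}; any unpinned or malformed line is rejected."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> bool:
    """True only if this exact name/version is pinned and the artifact's digest matches."""
    pinned = pins.get(name.lower())
    if pinned is None or pinned[0] != version:
        return False
    # compare_digest avoids timing differences that depend on where the hex strings diverge.
    return hmac.compare_digest(sha256_of(data), pinned[1])


# Constructed sample data: a "good" artifact and a tampered copy with injected content.
GOOD_ARTIFACT = b"constructed sample wheel contents\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"# injected by a hypothetical attacker\n"
# In practice the digest is recorded from the trusted copy when the lock file is created.
PIN_FILE = f"# constructed lock file\nexample-lib==1.2.0 --hash=sha256:{sha256_of(GOOD_ARTIFACT)}\n"


def check_all() -> dict:
    """Run the verifier over the constructed cases and return each outcome."""
    pins = parse_pins(PIN_FILE)
    return {
        "good": verify_artifact("example-lib", "1.2.0", GOOD_ARTIFACT, pins),
        "tampered": verify_artifact("example-lib", "1.2.0", TAMPERED_ARTIFACT, pins),
        "wrong_version": verify_artifact("example-lib", "1.2.1", GOOD_ARTIFACT, pins),
        "unpinned": verify_artifact("other-lib", "0.1", GOOD_ARTIFACT, pins),
    }


if __name__ == "__main__":
    for case, ok in check_all().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```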
Created: 01 December 2020
Last Modified: 09 December 2020