Dependency confusion has quickly become the attack technique of choice

The last year has seen a massive rise in the number of software supply chain attacks aimed at upstream public repositories, a new report has revealed.

According to Sonatype’s annual State of the Software Supply Chain Report, such attacks numbered more than 12,000 – a 650% rise on 2020, which itself revealed a 430% increase on 2019.

‘Dependency confusion’ attacks have quickly become the most common form of attack after the technique emerged in February, the report finds.


BACKGROUND Software supply chain attacks – everything you need to know


While software supply chain exploits have tended in the past to exploit publicly-disclosed open source vulnerabilities left unpatched in the wild, the new breed of upstream attacka is more sinister, says Sonatype.

Instead of passively waiting for vulnerability disclosures, many attackers are proactively injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting the vulnerabilities they’ve created.

Popular versus unpopular projects

Sonatype, a DevSecOps automation specialist, also found that nearly three in 10 of the most popular Java, JavaScript, Python, and .NET projects contain at least one known security vulnerability, compared with just 6.5% of comparatively seldom used projects.

However, the most widely used projects are more likely to have effective remediation processes in place, according to Matt Howard, SVP and CMO of Sonatype.

“While more popular projects have more known vulnerabilities overall, developers using them are also less likely to be stuck in a situation where there is a known vulnerability but no remediation path,” he tells The Daily Swig.

“This implies that leveraging popular projects can be a great option, but only if you can actively manage these dependencies and ensure you are moving to newer and non-vulnerable versions in a timely manner.”

Self-delusion

Worryingly, the report revealed a disconnect between reality and perception where security is concerned.

While development teams believe they are doing a good job fixing defective components and think they understand where risk resides, the objective data tells a different story, argues Sonatype. In fact, says the report, they make suboptimal decisions 69% of the time when updating third-party dependencies.


Read more of the latest open source software security news


“When we compare those answers to the objective analysis we did around 100,000 applications, it’s clear the majority of development teams are not actively practicing the type of hygiene indicated in the survey responses,” says Howard.

“Objectively, the research shows that most development teams are not following structured guidance with regard to dependency management and, as a result, they are not actively remediating known risk within their software supply chains.”

Automating away errors

Sonatype believes that automation could be the answer. Equipped with intelligent automation, it says, a medium-sized enterprise with 20 application development teams would save a total of 160 developer days a year, representing $192,000.

“The cost of performing suboptimal upgrades to a single component, for a single team, for a single application is small,” says Howard. “However, when considering the fact that only 31% of upgrade decisions examined in our study were optimal, it is easy to see how much time and effort developers could save by consistently making better upgrade decisions.”

The importance of getting these decisions right was underlined last week when GitHub identified several high-severity vulnerabilities in Node.js packages tar and @npmcli/arborist, which could be exploited to achieve arbitrary code execution.

The last year has seen several high-profile software supply chain attacks, including the SolarWinds hack that affected several US government agencies, Microsoft, and FireEye, among other organizations, and the ransomware attack that encrypted the data of more than 1,000 Kaseya VSA customers.

Correction: This article originally stated, incorrectly, that 18,000 organizations were affected by the SolarWinds attack. In fact, around 18,000 organizations downloaded the vulnerable software, but a much smaller number were actually targeted by attackers. This was rectified on the day of publication. 


RELATED PoC released for Ghostscript vulnerability that exposed Airbnb, Dropbox