New research tracks four-fold increase in attacks that seed open source ecosystem with malicious components

Upstream attacks on open source supply chains up 400% as cybercriminals look to compromise applications at scale

There has been a dramatic surge in cyber-attacks in which malicious components are planted in open source libraries, a new report reveals.

Published today (August 12), Sonatype’s sixth annual State of the Software Supply Chain report recorded a 430% rise in these “next generation” attacks, which proactively seed the open source ecosystem with vulnerabilities rather than leveraging previously disclosed zero-day flaws.

Some 929 such attacks were recorded across a 10-month period spanning July 2019 through May 2020, compared to just 216 in more than four years between February 2015 and June 2019.

Infiltrating the ecosystem

Posing as regular software developers, open source supply chain attackers publish seemingly useful components that contain malicious code to ‘upstream’ open source repositories.

These backdoors then flow ‘downstream’ into the software builds used by countless organizations.

In traditional attacks, assailants race to write and deploy exploit code faster than security teams can apply the relevant patches. In these upstream attacks, by contrast, cybercriminals can begin covertly exploiting vulnerable systems before the threats are even detected, let alone remediated.

The Daily Swig reported on one such attack in June, where the Octopus Scanner, a NetBeans backdoor, compromised the build processes of 26 open source projects.

And in April, security researchers at ReversingLabs found that typosquatters had seeded the RubyGems repository with a malicious package whose name closely resembled that of a legitimate component.
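One defensive check that follows from the typosquatting case above, added here as an example and not code from the article, Sonatype or ReversingLabs: scan a dependency manifest for names that are one edit away from a known-good package, including the separator swaps (rest_client vs rest-client) that lookalike packages rely on. The allowlist and the manifest are constructed for the example.

```python
"""Flag dependency names that look like typosquats of known-good packages."""

# Constructed allowlist of package names the team already trusts (not from the article).
KNOWN_GOOD = {"rails", "nokogiri", "rest-client", "devise", "puma", "rake"}

# Constructed manifest with three lookalikes mixed in among legitimate names.
MANIFEST = ["rails", "nokogiri", "rest-cleint", "rest_client", "devise", "rakee", "sinatra"]


def normalize(name: str) -> str:
    """Collapse the case and separator variations typosquatters exploit."""
    return name.lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or swap adjacent chars."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "cleint" for "client", counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def suspicious_dependencies(manifest, known_good=KNOWN_GOOD, max_distance=1):
    """Return (dependency, lookalike) pairs for names near, but not in, the allowlist."""
    by_normalized = {normalize(k): k for k in known_good}
    findings = []
    for dep in manifest:
        norm = normalize(dep)
        if norm in by_normalized:
            # Same name after normalization but spelled differently: separator/case variant.
            if dep != by_normalized[norm]:
                findings.append((dep, by_normalized[norm]))
            continue
        dist, closest = min((edit_distance(norm, k), k) for k in by_normalized)
        if dist <= max_distance:
            findings.append((dep, by_normalized[closest]))
    return findings


if __name__ == "__main__":
    for dep, lookalike in suspicious_dependencies(MANIFEST):
        print(f"review {dep!r}: resembles trusted package {lookalike!r}")
```

Exact matches against the allowlist are skipped, so the check only surfaces names that need a human to confirm before the build pulls them in.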

That attackers are creating their own opportunities to exploit open source builds “should come as no surprise”, says Sonatype CEO Wayne Jackson.

“Following the notorious Equifax breach of 2017, enterprises significantly ramped investments to prevent similar attacks on open source software supply chains,” he explains.

“Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero-day vulnerabilities.”


Race to remediate

Some 14% of organizations surveyed by Sonatype, a DevOps automation specialist, typically remediated security vulnerabilities within 24 hours of becoming aware of them.

Another 35% patched flaws between one day and a week after discovery.

However, with the average time from vulnerability disclosure to active breach plummeting from 45 days to three between 2008 and 2018, many organizations are still far too slow to remediate.

Around one in two respondents (47%) only became aware of new open source vulnerabilities a week after they were detected. It then took 17% of those surveyed between one and six months to apply patches, while 3% of organizations took longer still.

The consequences of such a sluggish response were starkly illustrated in May when 21 companies were compromised during the active abuse of flaws on the SaltStack infrastructure automation platform within days of their public disclosure.

Ballooning attack surface

The open source attack surface is burgeoning.

Based on current trends, Sonatype expects around 1.5 trillion component download requests to be made across 2020 among all major open source ecosystems, up from 10 billion in 2012.

The number of npm packages currently stands at around 1.3 million, a 63% year-on-year jump, with 40% containing dependencies with known vulnerabilities.

Some 11% of open source components built into applications contain known vulnerabilities, with 38 known vulnerabilities discovered on average per application.

The speed-security trade-off myth

Based on a survey gauging the policies, practices, and tools used by developers in a range of sectors, Sonatype grouped organizations into four categories based on their productivity and risk management standards.

The most effective teams on both barometers deployed code changes 15 times more frequently, and were 26 times faster at detecting and remediating open source vulnerabilities, than their counterparts at organizations that were less productive, less effective at mitigating risks, or both.


“It was really exciting to find so much evidence that this much-discussed trade-off between security and productivity is really a false dichotomy,” says Dr Stephen Magill, principal scientist at Galois and CEO of MuseDev.

“With the right culture, workflow, and tools, development teams can achieve great security and compliance outcomes together with class-leading productivity.”

Sonatype’s findings were based on a survey of more than 5,600 software developers, an evaluation of 24,000 open source projects, and assessments of 15,000 development organizations.