Supply chain attacks more than triple in 2021
Software supply chain attacks grew by more than 300 percent in 2021 compared to 2020 as attackers focused on open source vulnerabilities and poisoning, code integrity issues, and exploiting the software supply chain process and supplier trust to distribute malware or backdoors.
According to the 2021 Software Supply Chain Security Review from Aqua Security's Argon Security arm, security across software development environments remains low, and, significantly, every company evaluated had vulnerabilities and misconfigurations that could expose it to supply chain attacks.
"The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing," says Eran Orzel, senior director of Argon customer success and sales. "Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks. Add to that the fact that to address this attack vector AppSec teams need cooperation from development and DevOps teams, and you can understand why this is a tough challenge to overcome."
The report identifies three particular areas of supply chain risk: use of packages with vulnerable open source code, compromised pipeline tools, and the upload of bad code to source code repositories.
Open source code is part of almost all commercial software, and many of the packages in use have known vulnerabilities; upgrading to a more secure version requires effort from development and DevOps teams, so vulnerable versions tend to stay in place.
Attackers can take advantage of privileged access, misconfigurations, and vulnerabilities in the CI/CD pipeline infrastructure (such as the source code management system, build agents, package registries and service dependencies), which provide access to critical IT infrastructure, development processes, source code and applications.
The upload of bad code to source code repositories directly impacts the artifact quality and security posture. Common issues here include sensitive data in code, code quality and security issues, infrastructure as code issues, container image vulnerabilities and misconfigurations.
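As an added example (not from the article or the Argon report), the following Python script shows the kind of pre-commit check a team can run against the two issues most easily caught before code reaches the repository: sensitive data hard-coded in source, and open source dependencies that are not pinned to a reviewed version. The sample source file, the requirements file, the pattern names and the `should_block` policy are all constructed assumptions for illustration; the AWS key value is the well-known documented example key, not a live credential.

```python
import re
from typing import List, Tuple

# Constructed sample input: a source file and a requirements file as a
# developer might commit them. Neither comes from the article.
SAMPLE_SOURCE = """\
import os
DB_URL = "postgres://app:s3cretpassw0rd@db.internal:5432/prod"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = os.environ.get("API_TOKEN")
"""

SAMPLE_REQUIREMENTS = """\
requests==2.31.0
flask
pyyaml>=5.0
"""

# Pattern names are assumptions chosen for this example. Each pattern targets
# a common way secrets end up in committed code.
SECRET_PATTERNS = [
    # AWS access key IDs have a fixed prefix and length.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Connection URLs that embed a user:password pair.
    ("url_with_password", re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:[^@/\s]+@")),
    # A variable named like a secret assigned a non-trivial string literal.
    ("assigned_secret_literal",
     re.compile(r"(?i)\b(password|passwd|secret|token|api_key)\w*\s*=\s*['\"][^'\"]{8,}['\"]")),
]

# One requirement per line: package name, optional version operator.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?")


def find_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line matching a secret pattern."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, name))
    return findings


def find_unpinned_requirements(text: str) -> List[str]:
    """Return package names that are not pinned with an exact '==' version."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip pip options such as -r / -e
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, operator = match.group(1), match.group(2)
        if operator != "==":
            unpinned.append(name.lower())
    return unpinned


def should_block(source: str, requirements: str) -> bool:
    """Policy (an assumption for this example): block the commit on any finding."""
    return bool(find_secrets(source)) or bool(find_unpinned_requirements(requirements))


if __name__ == "__main__":
    for line_no, name in find_secrets(SAMPLE_SOURCE):
        print(f"secret: line {line_no} matched {name}")
    for pkg in find_unpinned_requirements(SAMPLE_REQUIREMENTS):
        print(f"unpinned dependency: {pkg}")
    print("block commit:", should_block(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS))
```

Run stand-alone, the script reports the embedded database password on line 2, the AWS key on line 3, and `flask` and `pyyaml` as unpinned, and returns a block decision. Reading the `API_TOKEN` from the environment on line 4 is correctly left alone, which is the point of checking for literals rather than variable names alone; in practice this check would be wired into a pre-commit hook or a CI stage and extended with the team's own patterns.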
"The software supply chain process is a core component of the modern application development lifecycle. Leaving this wide attack vector open threatens to severely lower companies' application security posture, potentially exposing sensitive data and creating additional entry points into the application in runtime," adds Orzel. "In many cases, there is no visibility for security teams into this process until it is too late, as most companies do not have preventative capabilities within the CI/CD tools and processes."
You can get a whitepaper on securing software supply chains from the Argon site.