Software Supply Chain Security Attacks Up 200%: New Sonatype Research

Sonatype’s 9th annual State of the Software Supply Chain also covers regulations and how AI could help developers protect organizations from security risks.
Attacks on software supply chains rose sharply in 2023, up 200% compared to 2022, according to Sonatype’s new report. The report also finds that downloaded dependencies still frequently contain known vulnerabilities, which is one reason more regulation and better processes in software development are needed.
This research from Sonatype, a U.S.-based company specializing in software supply chain management and security, also covers developers’ challenges and the possible benefits to using AI security solutions.
According to Sonatype’s report, 2022 saw a massive increase in malicious attacks on the open source software supply chain, and the trend has continued in 2023. Year-over-year monitoring shows 245,032 malicious packages as of September 2023, three times the number seen in 2022 and twice the total of all previous years combined (Figure A). Sonatype’s findings are in line with the European Union Agency for Cybersecurity’s reporting in late 2022 that the compromise of software supply chains through software dependencies is the number one emerging threat.
Figure A
Because of this huge increase in attacks, many open-source ecosystems have implemented new security policies and improvements, such as mandatory multifactor authentication for developers. However, malicious packages are often handled the same way as packages with vulnerabilities: they go through the same takedown process as a vulnerability report, which is inappropriate for malicious content, because the packages may stay online longer as a result.
Survey respondents also reported how long it takes their organization to mitigate a vulnerability from the moment it is detected (Figure B).
Figure B
Regarding repository downloads, nearly 96% of component downloads with known vulnerabilities could have been avoided, as fixes were already available at the time of download. This shows that organizations must pay closer attention to the versions of software they install. As a bad example, vulnerable versions of Log4j still account for nearly a quarter of all new downloads of that software.
Of the average 37.8 billion monthly downloads from the Maven Central repository, 3.97 billion vulnerable components were consumed.
“Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers to become better decision-makers, and giving them access to the right tools,” said Brian Fox, chief technical officer at Sonatype, in an interview with TechRepublic.
It’s also interesting to note that the whole open source ecosystem has grown. The top four major open source ecosystems — Java (Maven), JavaScript (npm), Python (PyPI) and .NET (NuGet Gallery) — all show year-over-year project growth between 27% and 28%, with from 367,000 up to 2.5M projects per ecosystem (Figure C).
Figure C
This growth shows an increase in software productivity after a slowdown between 2020 and 2022, probably due to the COVID-19 pandemic. Another explanation, according to Sonatype, could be that “ … a lot of these projects are in fact coming from commercial activity and not people with spare time, which was in abundance during the pandemic.”
The best method for identifying vulnerabilities in software is code review (Figure D), where code changes are peer-reviewed before being published.
Figure D
Second come binary checks: when a package contains a binary, that binary needs to be properly checked for vulnerabilities. Project dependencies also need to be pinned to specific versions.
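The two dependency problems raised above, unpinned versions and downloads of versions for which a fix already exists, can be caught mechanically before a build runs. The following script is an added example written for this article, not code from Sonatype or from its report: it audits a requirements.txt-style manifest, flags any requirement that is not pinned with an exact `==` version, and compares pinned versions against an advisory table. The package names, the advisory ranges and the sample manifest are all constructed placeholders; a real check would read an advisory feed instead of the inline `ADVISORIES` dictionary.

```python
"""Audit a dependency manifest for unpinned requirements and for pinned
versions that fall inside a known-vulnerable range with a fix available.

Added example for illustration only: the advisory table and the manifest
below are constructed placeholders, not data from Sonatype's report or
from any real advisory feed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed advisory table: package -> list of (first vulnerable, first fixed).
# A version v is affected when introduced <= v < fixed. Package names are made up.
ADVISORIES = {
    "examplelib": [("1.0.0", "2.0.1")],
    "logtool": [("2.0.0", "2.17.1")],
}

# One requirements.txt-style line: name, optional operator and version.
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?$"
)


@dataclass
class Finding:
    name: str
    version: Optional[str]
    status: str   # "ok", "unpinned", "vulnerable" or "malformed"
    advice: str


def parse_version(text: str) -> tuple:
    """Convert a dotted version into a comparable tuple of ints.

    Assumes numeric segments; a suffix such as "1rc2" keeps only its
    leading digits. Short versions are padded so that 2.0 == 2.0.0.
    """
    parts = []
    for seg in text.split("."):
        digits = re.match(r"\d+", seg)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def check_pinned(name: str, version: str) -> Finding:
    """Compare an exactly pinned version against the advisory table."""
    v = parse_version(version)
    for introduced, fixed in ADVISORIES.get(name.lower(), []):
        if parse_version(introduced) <= v < parse_version(fixed):
            return Finding(name, version, "vulnerable",
                           f"known issue with a fix in {fixed}; upgrade before use")
    return Finding(name, version, "ok", "pinned, no known advisory")


def audit_manifest(text: str) -> list:
    """Walk a manifest line by line and classify every requirement."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line, None, "malformed", "could not parse requirement"))
            continue
        name, op, ver = m.group("name"), m.group("op"), m.group("ver")
        if op != "==":
            # A range or a bare name resolves to whatever is newest at install time,
            # so the version actually consumed is not under the developer's control.
            findings.append(Finding(name, ver, "unpinned",
                                    "pin to an exact version (==) and review upgrades deliberately"))
            continue
        findings.append(check_pinned(name, ver))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per status, e.g. {"vulnerable": 1, "ok": 1, "unpinned": 2}."""
    return dict(Counter(f.status for f in findings))


# Constructed manifest exercising each case.
SAMPLE_MANIFEST = """\
# constructed requirements file
examplelib==1.9.2      # inside the advisory range although a fix is published
logtool==2.17.1        # exactly the fixed version, so it is clean
widgetkit>=1.0         # range specifier, not pinned
toolbelt               # no version at all
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f.status:10} {f.name}=={f.version or '?'}: {f.advice}")
    print(summarize(audit_manifest(SAMPLE_MANIFEST)))
```

Run as a pre-commit or CI step, a non-empty `vulnerable` or `unpinned` count is the signal to fail the build: the point of the report's 96% figure is that the fixed version already exists, so the check has to happen before the download is consumed, not after.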
Branch protection is necessary on the “default” and “release” branches to prevent maintainers from circumventing workflows such as continuous integration tests or code review when updating.
In addition, it’s important to use projects that are well-maintained, because they show lower rates of vulnerabilities. As stated by Sonatype, “ … enterprises looking to minimize their open source vulnerability risk should choose well-maintained projects that perform code review and monitor them to ensure they have not reached end-of-life.”
Software supply chain security is complex and is affected by many factors. Beyond their programming challenges, developers carry responsibilities such as making informed choices about the open-source components in their software projects. Dependency management is known as “dependency hell” in developer communities and is very difficult to deal with.
As an example, the average Java application needs 148 dependencies, with around 10 annual releases each. For that application, the developer needs to carefully select and manage those 148 dependencies and must also track an average of 1,500 dependency changes per year. That tracking requires security and legal expertise, which not all developers have, in order to choose the safest versions.
Pressure on developers to be efficient and fast can leave them feeling overwhelmed, resulting in weaker choices.
Those dependency choices are also influenced by software popularity, which tends to bring a false sense of safety, as popular code isn’t necessarily secure code. Inactive releases, which represent 85% of projects in repositories, overwhelm developers with available options.
To help resolve this problem, Sonatype has developed a scoring system based on five key dimensions: security, license, age, popularity and release stability (Figure E).
Figure E
A careful analysis of those dimensions facilitates decisions in software supply chain management. It’s also recommended to use repository management software that can be customized to the organization’s needs and that helps developers stop wasting time handling too many updates.
While regulation of software supply chains is still in its early stages, the topic is considered important enough that guidance and regulation are emerging in many countries. Regulatory actions from key jurisdictions such as the U.S., Europe, the U.K., Australia, Canada, Japan and New Zealand show a shared motivation to improve digital defenses and protect organizations’ infrastructures.
Software manufacturers are likely to face more responsibilities and liabilities when their software doesn’t inherently integrate security, while robust processes to address cybersecurity incidents need to be deployed in all organizations.
More international collaboration will be necessary to increase security in software development. As stated by Sonatype in its report, regulations “ … as well as future related initiatives will play a pivotal role in shaping the future of cybersecurity policies and practices at scale worldwide.”
Artificial intelligence and machine learning are technologies with the power to reshape software development.
According to the survey, AI has been broadly adopted, with 97% of respondents currently incorporating generative AI in their workflow to some degree, and 47% of DevOps and 57% of SecOps respondents reported that the use of AI saved them more than six hours a week.
From a security point of view, AI-driven solutions can identify vulnerabilities or bugs in software code faster and more efficiently than traditional methods. There are benefits for developers of all levels.
Senior developers can leverage AI tools to complete tedious tasks and develop parts of their code, while junior developers benefit from having AI tools answer their questions efficiently while providing insight into technical terms and jargon. Both junior and senior developers can use queries to develop basic code fast while allowing them to focus on more complex issues in their projects. AI tools might even be used as valuable debugging tools in addition to producing code.
AI tools, particularly large language models, need careful monitoring and shouldn’t operate fully unattended. LLMs can produce false information, or hallucinations, which must be detected and handled.
LLM-as-a-service accelerates development and improves performance, yet can be costly (enterprises pay for each token sent and received) when heavily used. Moreover, the organizations subscribing to it are “ … vulnerable to vendor outages, deprecated features, or unforeseen changes in model performance that may not align with the specific task at hand,” as stated by Sonatype.
When used in organizations, open-source LLMs must be carefully deployed. The models used must be carefully chosen (there are more than 300,000 models available) according to the application and tuned to the computational requirements and performance of the infrastructure. A licensing risk also exists: a model released under a license that restricts commercial use or imposes specific conditions might lead to a terms violation if not examined carefully.