Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/30/2021
10:00 AM
Pedro Fortuna
Pedro Fortuna
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Ticking Time Bomb in Every Company's Code

Developers must weigh the benefits and risks of using third-party code in Web apps.

Working in application security sometimes feels like walking a fine line between "business as usual" and "doomsday is coming." This balance becomes increasingly harder at times like these, when digital acceleration is happening in every sector, outpacing the security controls put in place. 

Much of the disruption that kindled this acceleration happened in the Web development and security space. Twenty years ago, the "typical" website was a static page for informational purposes. Today, it's a dynamic Web app that handles extremely sensitive data and performs critical operations. 

Related Content:

SolarWinds: A Catalyst for Change & a Cry for Collaboration

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: Tell Us the Truth: Why Do You LOVE Passwords?

Sensitive data continuously passing through almost every website gives attackers a golden opportunity to steal and sell this private information. Unfortunately, such attacks have become wildly successful — and the growth of exposed records keeps climbing. Recent data indicates that the number of exposed records in first quarter of 2020 was 273% higher than in the same quarter of 2019. 

By now, those working in application security know that traditional security systems (server-side and network security such as Web application firewalls) can't prevent data-exfiltration attacks targeting websites. Attackers are taking advantage of a blind spot in client-side security, injecting malicious code into companies' websites without ever having to breach their first-party servers. And this brings us to the "ticking time bomb": the Web supply chain. 

Benefits and Risks in Code Dependencies
The typical JavaScript development process often relies on open-source components that speed development. This means companies end up using hundreds of pieces of externally sourced code (also known as modules or code dependencies) on their websites. This scenario provides little to no feasible control for companies, and most end up trusting that the modules they use are reliable and secure. Not only that, but these modules may also rely on third-party code, which creates an even more complex chain of code dependencies. 

The more dependencies used, the bigger the attack surface and the greater the likelihood that an attacker could gain control of one of the dependencies and inject malicious code into the Web page. 

If this concept of Web supply chain attacks seems to resemble the SolarWinds incident, that's because SolarWinds is a perfect example of how a supply chain attack can reach incredible proportions. So, it only makes sense to wonder whether the Web supply chain will be next

Recently attackers planted a remote code execution backdoor in the official PHP Git repository. The malicious code was caught in a post-commit code review, so it never made its way into an official package release. However, it highlights another security weakness in the Web supply chain — if the malicious code were better hidden, could it have made its way into publicly available package releases? This has happened before, for instance in the Copay incident, where the malicious code affected several versions of the product (a cryptocurrency wallet) and stole users' data. 

We saw another glimpse of how bad things can go when security researcher Alex Birsan successfully breached 35 tech firms, including Microsoft, Apple, and PayPal, by taking advantage of a design flaw known as dependency confusion. While this was all done for ethical security research purposes, attackers quickly replicated this strategy to try to catch other companies off guard. 

These examples are just the very tip of the iceberg. The Web supply chain runs very deep and wide, with the average Web app containing over 1,000 pieces of externally sourced code. And with recent research showing that installing just one of these packages means implicitly trusting 79 third-party packages and 39 maintainers (on average), we can only guess at the size of a modern Web app's attack surface.

Disarm Potential Danger
So, with so many moving pieces and growing consensus that the Web supply chain is a disaster waiting to happen, what can be done?

The answer seems to be adopting a defense-in-depth approach, going beyond server-side and network security controls and implementing better vendor management along with a layered client-side defense. Implementing new protocols for vetting and managing third-party vendors is increasingly important, although it can be difficult to vet hundreds of third-party packages. Plus, vetting gives a picture at a given moment in time and doesn't identify legit scripts that suddenly become infected. As such, it's important to add a layer of security that can detect and control suspicious code behaviors on the client side at runtime. Gaining control at this level can make the difference between taking months to detect a data breach that originated from within the Web supply chain or detecting and mitigating it in real time. 

These are some of the steps organizations can take to reduce their overall exposure to the Web supply chain and avoid being caught if this bomb goes off. Let's just hope that, unlike in action movies, they don't wait until the very last second to disarm it.

Pedro Fortuna is the CTO and Co-Founder of Jscrambler. With extensive experience in academia and as a security researcher, Pedro has co-authored several application security patents. He is an active member of the AppSec community, contributing to OWASP and regularly speaking ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...