Dark Reading is part of the Informa Tech Division of Informa PLC

10:00 AM
Tsvi Korren

Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever

Cloud-native deployments tend to be small, interchangeable, and easier to protect, but their software supply chains require closer attention.

Developers write code. That is how most people understand the job of a software developer. Reality, however, is more complex. While developers do write a lot of code, they almost never write all the code in the application. Where does the extra code come from? The Internet, of course.

Modern programming languages use building blocks in the form of packages to handle things like mathematics, text manipulation, and networking. This makes a lot of sense. There is no need for each programmer to write their own algorithms for basic operations. Many programming languages also support (and often encourage) modular programming, making plug-ins available to handle more complex, well-defined tasks. Over time, significant libraries of packages and modules emerged, written by the community, and shared freely on platforms like GitHub.


The primary reason that organizations leverage open source software is to speed up development. Building an application entirely from scratch is extremely rare, and so an estimated 99% of codebases contain open source components, and up to 70% of enterprise code is now based on open source. Developers are busy merging ready-made parts with custom code to achieve the desired result without reinventing the wheel. DevOps is similarly an assembly process of container base images, open source middleware, virtual machine templates, and cloud services such as storage, networking, and Kubernetes.

When all of that is accounted for, only a fraction of an organization's computing power will be running internally developed code. The rest will come from external sources. For security organizations, this introduces a universe of risks.

A June 2020 report on vulnerabilities in leading open source software reveals that the total number of vulnerabilities more than doubled between 2018 and 2019, from 421 common vulnerabilities and exposures (CVEs) to 968. Data collected by GitHub in October 2020 suggests that 17% of software bugs there were inserted intentionally by malicious actors. Together, these reports show that intentional pollution of open source projects, or "repo poisoning," is becoming a greater threat.

It takes an average of 54 days for a discovered vulnerability to be added to the National Vulnerability Database (NVD), making the infamous zero-day attack almost two months long. Even after vulnerabilities are reported, little time is spent fixing them. Developers surveyed by the Linux Foundation reported on average that only 2.27% of their time is spent on security bugs, leaving organizations with knowledge of the risk but no direct way to resolve it. 

Vulnerabilities, however, represent potential risk that can only be exploited when the vulnerable component is in use, unpatched, without compensating controls. To increase their chances of success, attackers have turned to poisoning open source projects with outright malware, intended to be incorporated into the software supply chain and executed alongside the application code. 

Popular package repositories like npm, PyPI, and RubyGems have become, for threat actors, a reliable and scalable malware distribution channel. During the past year, the number of supply chain attacks has surged by 430%. With DevOps, the reliance on external software is inviting more attacks targeting the supply chains specific to cloud-native environments, such as placing hidden malware in publicly available container images. Aqua Security's research team, Nautilus, recently revealed that several SaaS services used by container developers are susceptible to cryptocurrency mining. While the risks are real, organizations will not stop using open source software. The efficiency benefits are too great to simply go back and write software from scratch. Open source is here to stay.

Organizations intending to reduce these risks should start by gaining visibility into and control over externally sourced software. Vulnerability scanners can help to manage the risks of security bugs in open source components. These tools must include automation, prioritization, actionable advice, and metrics to measure how vulnerabilities are remediated over time. Automation is important because relying on manual assessment and remediation processes takes too long, and many developers lack the knowledge to prioritize the risks and address them.

Packages, ready-made modules, and even entire container images can also be the product of attackers trying to gain entry and sneak malicious code into applications. These tainted artifacts will not be in the NVD, will not be assigned a CVE, and will not be detected as published vulnerabilities. One example of a worst-case scenario is a misconfigured container image, with a default user of root, built on a base image containing a backdoor, and deployed in a cloud environment with open networking. 
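A build-time gate for the worst-case image described above, as an added example that is not from the article or from any vendor tool: it audits the final stage of a Dockerfile for a root (or unset) default user and for a base image that is neither digest-pinned nor pulled from an approved registry. It cannot detect a backdoor inside a base image; it only enforces where base images may come from. The registry name, finding labels, and both sample Dockerfiles are constructed assumptions.

```python
import re

# Constructed sample: final stage never drops root and uses a floating tag.
SAMPLE_BAD = """\
FROM golang:1.20 AS build
RUN go build -o /app .
FROM example.invalid/base:latest
COPY --from=build /app /app
ENTRYPOINT ["/app"]
"""

# Constructed sample: allowlisted registry, digest-pinned base, non-root user.
SAMPLE_GOOD = """\
FROM registry.internal.example/base@sha256:%s
USER 10001:10001
ENTRYPOINT ["/app"]
""" % ("a" * 64)

ALLOWED_REGISTRIES = ("registry.internal.example/",)  # assumed org policy
ROOT_USERS = {"root", "0"}

def audit_dockerfile(text, allowed=ALLOWED_REGISTRIES):
    """Return a sorted list of findings for the final build stage."""
    text = re.sub(r"\\\s*\n", " ", text)  # join line continuations
    base, user, stages = None, None, set()
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            # FROM [--platform=...] image [AS name]
            args = [p for p in parts[1:] if not p.startswith("--")]
            base, user = args[0], None  # a new stage resets any earlier USER
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]
    findings = []
    if base is None:
        return ["no-from-instruction"]
    if user is None or user.split(":")[0].lower() in ROOT_USERS:
        findings.append("runs-as-root-or-unset-user")
    if base.lower() not in stages and base != "scratch":
        if not re.search(r"@sha256:[0-9a-f]{64}$", base):
            findings.append("base-image-not-digest-pinned")
        if not base.startswith(tuple(allowed)):
            findings.append("base-image-registry-not-allowlisted")
    return sorted(findings)
```

An unset `USER` is reported because the stage then inherits the base image's default user, which is root unless the base image changes it.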

To prevent such scenarios, organizations must consider their entire supply chain: how software enters the organization, from where, and by whom. There should be clear guidelines on the quality and reputation of open source software, preferring projects with recent commits, engaged contributors, and good governance.

Incoming software should not only be scanned for vulnerabilities but analyzed while running in a sandbox environment before being used. This will reveal malicious code that was inserted intentionally and will only be visible on execution. In addition, the inventory, version, and configuration of services in a cloud environment should be looked at as part of the supply chain, including the scripts used by DevOps to provision them.

Many information security practices were established at a time when development and operations were relatively trusted, but long-running servers were difficult to protect. Today, the state of security is reversed. Cloud-native deployments, being small, immutable, and interchangeable, are easier to protect. But the supply chains that feed them require more attention than ever.

Tsvi Korren, CISSP, has been an IT security professional for more than 20 years. Tsvi is currently the Field CTO at Aqua, where he leads the effort of enabling organizations to use Cloud Native technologies and improve their security through DevSecOps.