What is a Supply Chain?
Software supply chains are comparable to supply chains in the physical world. Very few companies, whether food or automobile manufacturers, produce all the components required for the end product themselves, and the same is true of software. In addition, hardly any software is free of open source code. According to the “Open Source Security and Risk Analysis 2023” by Synopsys, 96% of the 1703 software products analyzed contain open source software, and according to the “Octoverse Report 2022” from GitHub, 90% of all companies use open source software.
The list of open source software is long and covers practically every area of software development. Programming languages such as Python, Java or JavaScript and their associated frameworks such as Django, Spring or Angular are widely used. Linux operating systems are widespread. Container technologies, Kubernetes and Kubernetes-native applications are common in software development.
Risks and dangers
Risks and dangers can arise at any step of software development, whether at the beginning or end of the supply chain or somewhere in between. Attacks do not target the entire supply chain, but rather focus on individual steps within the chain. Attack vectors can be categorized as follows:
- The first area is the source code itself. This includes the version management system, for example GitHub or GitLab. These attacks are usually carried out by people within an organization. They involve unauthorized changes to the source code or administrative changes to the management system or its infrastructure. The consequence is that the software build uses modified source code during the build process. This is what happened in the SushiSwap attack. SushiSwap is an open source, decentralized cryptocurrency platform. A user published an unauthorized Git commit with the aim of introducing malicious code into the system. This resulted in the theft of $3 million.
- The second area targets the software dependencies that are used during the build. If incorrect or modified source files are pulled into the build process, the built artifacts are compromised as a result. An example of this was the event-stream backdoor. In 2018, the malicious package “flatmap-stream” was released and subsequently used as a dependency of the Node.js package “event-stream”. In the end, there were over 8 million downloads of the infected package.
- The third area includes all kinds of attacks in which an attacker manages to change packages without making any changes to the source code or dependencies. This affects the build system and process as well as the package repository. An example of this kind of attack on the build system was the attack on the monitoring software “Orion” from SolarWinds. In this attack, the attackers were able to introduce a backdoor into the software build cycle. The backdoor was rolled out to over 30,000 customers via an update from SolarWinds.
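The second and third categories share one defensive control: the build must only consume artifacts whose contents were pinned when the dependency was reviewed, so a swapped dependency, an unexpected upgrade or a repackaged artifact is rejected before it reaches the build. The following is an added example written for this article, not code from any of the projects named above; the package names, versions and file contents are constructed, and the pinned manifest stands in for what a real lockfile (package-lock.json `integrity` fields, pip `--hash=` lines, go.sum) records.

```python
import hashlib
import hmac

# Constructed example: the bytes a developer reviewed and pinned for one
# dependency. The package name and contents are made up for this demo.
REVIEWED_SOURCES = {
    "stream-utils": b"module.exports = function (s) { return s.pipe(passthrough()); }\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes, the value a lockfile pins."""
    return hashlib.sha256(data).hexdigest()


# The pinned manifest recorded at review time. Real equivalents are the
# 'integrity' field in package-lock.json, '--hash=' lines in a pip
# requirements file, or go.sum entries.
PINNED = {
    name: {"version": "3.3.4", "sha256": sha256_hex(src)}
    for name, src in REVIEWED_SOURCES.items()
}


def verify_artifact(name: str, version: str, data: bytes, pinned: dict) -> str:
    """Decide whether one fetched artifact may enter the build.

    Returns "ok" or a verdict string starting with the failure class.
    Each failure class is a way the build could otherwise consume
    something other than what was reviewed.
    """
    entry = pinned.get(name)
    if entry is None:
        # A dependency that appeared without a review: the pattern of a
        # newly injected transitive dependency.
        return f"unpinned: {name} is not in the manifest"
    if entry["version"] != version:
        # The resolver picked a different release than the one reviewed.
        return f"version drift: manifest pins {entry['version']}, fetched {version}"
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        # Same name and version, different bytes: the artifact was altered
        # somewhere between review and install.
        return "hash mismatch: artifact differs from the reviewed bytes"
    return "ok"


# Constructed fetch results, one per failure mode the check must catch.
SCENARIOS = {
    "genuine": ("stream-utils", "3.3.4", REVIEWED_SOURCES["stream-utils"]),
    "tampered_same_version": (
        "stream-utils", "3.3.4",
        REVIEWED_SOURCES["stream-utils"] + b"// appended after review\n",
    ),
    "unexpected_upgrade": ("stream-utils", "3.3.5", REVIEWED_SOURCES["stream-utils"]),
    "new_transitive_dep": ("flatmap-helper", "0.1.1", b"/* never reviewed */\n"),
}


def run_scenarios(scenarios: dict = SCENARIOS, pinned: dict = PINNED) -> dict:
    """Map each scenario label to the verdict the install step would give."""
    return {
        label: verify_artifact(name, version, data, pinned)
        for label, (name, version, data) in scenarios.items()
    }


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:24s} {verdict}")
```

The order of the checks matters: an unpinned name is refused before any hash is computed, because a hash of something nobody reviewed proves nothing. Only the "genuine" scenario passes; the other three are exactly the conditions under which a build would otherwise silently pick up an altered dependency.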
Another attack that does not relate to a source code repository itself, but can be categorized in this area and can occur throughout the entire software development process, is so-called “typosquatting”. This attack is particularly easy to carry out and targets a developer’s carelessness. It involves uploading software packages to a package manager under names very similar to those of existing packages. Because of the similarity of the names, the two packages may be confused, so that the intended package is not downloaded and the wrong one is chosen instead.