The SolarWinds attack of 2020 thrust software supply chain attack techniques back into the limelight. Threat actors quickly pivoted to leveraging open-source software to perpetrate numerous further supply chain compromises. While not a novel means of compromise, software supply chain attacks have gained momentum in the last few years; ReversingLabs has compiled “A (Partial) History of Software Supply Chain Attacks” covering the incidents that came before.
Open-source software forms the backbone of almost every sector of the software industry. While the benefits of open-source software are numerous, care must be taken to protect against OSS supply chain threats. These threats can manifest as:
- Use of unpatched software: a dependency with a known, already-fixed vulnerability keeps being shipped because nobody upgraded it
- Dependency confusion attacks: a build resolves an internal package name from a public registry, where an attacker has published a package of the same name (often with a higher version number so it wins resolution)
- Typosquatting attacks: an attacker publishes a malicious package under a name that differs from a popular package by a typo, counting on developers installing it by mistake
If you rely on open-source software, there are a few steps you can take to protect against supply chain threats:
- Thoroughly inspect the dependencies in the software, including the transitive ones pulled in by your direct dependencies
- Ensure that the maintainer of the open-source software is patching all of its dependencies
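The dependency inspection above can be partly automated. The following is an added example, not code from the original page or from any named project: it parses a constructed requirements.txt and flags the three threat classes described above. Unpinned specifiers are reported (an unreviewed future release can be pulled in), names that sit within a small edit distance of a well-known package are reported as possible typosquats, and internal package names that also exist on the public index are reported as dependency confusion candidates. The package lists, the internal package name `acme-internal-utils` and the public-index snapshot are all constructed for the example; a real check would consult your private index and the public registry instead of these inline sets.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements.txt; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0          # pinned, well known: no finding expected
reqeusts                  # typo of 'requests', and unpinned
numpy>=1.24               # well known but unpinned
acme-internal-utils==1.4.2  # hypothetical internal package
flask                     # well known but unpinned
"""

# Constructed allow-list of well-known public packages. In practice this
# would be a curated list or a popularity feed from the registry.
POPULAR_PACKAGES = {"requests", "numpy", "flask", "django", "urllib3", "pillow"}

# Constructed list of names that should only ever come from the private index.
INTERNAL_PACKAGES = {"acme-internal-utils"}

# Constructed snapshot of names present on the public index. The internal
# name appearing here is the dependency confusion condition.
PUBLIC_INDEX_NAMES = POPULAR_PACKAGES | {"reqeusts", "acme-internal-utils"}


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str      # "unpinned", "typosquat" or "dependency_confusion"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Acme_Internal.Utils' -> 'acme-internal-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch names one or two typos away from a popular one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version_specifier) pairs, skipping comments and pip options."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
        if m:
            reqs.append((m.group(1), m.group(2).strip()))
    return reqs


def inspect_requirements(text: str, popular: set, internal: set,
                         public_index: set, max_distance: int = 2) -> list[Finding]:
    findings = []
    popular_n = {normalize(p) for p in popular}
    internal_n = {normalize(p) for p in internal}
    public_n = {normalize(p) for p in public_index}
    for name, spec in parse_requirements(text):
        n = normalize(name)
        # Only an exact '==' pin stops a newer, unreviewed release from being installed.
        if not re.match(r"^==\s*[0-9]", spec):
            findings.append(Finding(n, "unpinned", f"specifier {spec!r} allows a future release"))
        if n in internal_n:
            if n in public_n:
                findings.append(Finding(n, "dependency_confusion",
                                        "internal name also exists on the public index"))
        elif n not in popular_n:
            # Unknown name: is it a near-miss of something popular?
            closest, dist = min(((p, levenshtein(n, p)) for p in popular_n), key=lambda t: t[1])
            if 0 < dist <= max_distance:
                findings.append(Finding(n, "typosquat", f"within edit distance {dist} of {closest!r}"))
    return findings


if __name__ == "__main__":
    for f in inspect_requirements(SAMPLE_REQUIREMENTS, POPULAR_PACKAGES,
                                  INTERNAL_PACKAGES, PUBLIC_INDEX_NAMES):
        print(f"{f.kind:21} {f.package:22} {f.detail}")
```

Two caveats worth keeping in mind. The typosquat heuristic only compares against the allow-list you give it, so it is only as good as that list, and a malicious package can also use a plausible new name rather than a misspelling. For dependency confusion the script can only report the collision; the fix is to configure the package manager so internal names are resolved exclusively from the private index rather than from whichever registry offers the highest version.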
Lastly, if you are a student of cybersecurity, there is no better way to hone your software security skills than contributing security fixes to open-source software.