We all knew there was an increase in software supply chain attacks in 2021, but a new study has quantified just how bad things got.
Argon Security – recently acquired by Aqua Security – published the latest edition of its annual Software Supply Chain Security Review this week.
The headline stat from Argon’s report is that software supply chain attacks grew by more than 300 percent in 2021 compared to 2020.
Eran Orzel, Senior Director of Argon Customer Success and Sales, said:
“The number of attacks over the past year and the widespread impact of a single attack highlights the massive challenge that application security teams are facing.
Unfortunately, most teams lack the resources, budget, and knowledge to deal with supply chain attacks. Add to that the fact that to address this attack vector AppSec teams need cooperation from development and DevOps teams, and you can understand why this is a tough challenge to overcome.”
Delving further into the results gives us some idea of how attackers have been compromising software supply chains.
The researchers found that attackers focus most on open-source vulnerabilities and poisoning, code integrity problems, and exploiting the software supply chain process and supplier trust to distribute malware or backdoors.
Damningly, every organisation evaluated by Argon was found to have vulnerabilities and misconfigurations exposing them to supply chain attacks.
Argon identified three key attack vectors that need addressing to improve software supply chain security:
- Use of vulnerable packages: Open-source is critical to modern development and is part of almost all commercial software. However, many packages have vulnerabilities that, even when a fix is available, require development teams to actually apply the fixed version. Deliberate “poisoning” of packages is also on the rise.
- Compromised pipeline tools: Along the same lines as the use of vulnerable open-source packages is the use of compromised pipeline tools. Attackers can take advantage of privileged access, misconfigurations, and vulnerabilities in the CI/CD pipeline infrastructure to inject malicious code during the build process (as we saw with the SolarWinds attack that made national headlines).
- Code/Artifact integrity: Finally, the upload of bad code to source code repos continues to pose a threat. Common issues Argon discovered in “most customer environments” were sensitive data in code (secrets), code quality and security issues, infrastructure as code issues, container image vulnerabilities, and misconfigurations.
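Two of the three vectors above, vulnerable (or unpinned) packages and secrets committed to source, can be caught before a build ever runs. The script below is an added example written for this article, not Argon’s tooling or anything from the report: it scans a set of source files for a few high-confidence secret formats, then audits a pinned requirements file against an advisory list. The file contents, the lockfile, the secret patterns and the advisory version ranges are all constructed for illustration (the `requests` range is not a statement about any real CVE), and the version comparison assumes plain dotted numeric versions.

```python
"""Pre-merge supply chain checks: secret scan plus pinned-dependency audit.

Added example, not Argon's code. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# High-confidence secret formats. Assumption: a small set is enough for the demo;
# a real scanner would carry many more patterns plus entropy checks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # quoted literal of 8+ chars assigned to something named password/passwd/secret
    "hardcoded_password": re.compile(r"(?i)(password|passwd|secret)\s*=\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # secret | vulnerable_dependency | unpinned_dependency
    location: str   # path:line or name==version
    detail: str


def scan_secrets(files: dict[str, str]) -> list[Finding]:
    """Return one finding per (line, pattern) hit across the given files."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding("secret", f"{path}:{lineno}", name))
    return findings


def parse_version(v: str) -> tuple[int, ...]:
    """Assumption: plain dotted numeric versions, compared as int tuples."""
    return tuple(int(part) for part in v.split("."))


def parse_pins(lockfile: str) -> tuple[dict[str, str], list[str]]:
    """Parse 'name==version' lines; anything without '==' is reported as unpinned."""
    pins, unpinned = {}, []
    for raw in lockfile.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        if version:
            pins[name.strip().lower()] = version.strip()
        else:
            unpinned.append(name.strip().lower())
    return pins, unpinned


def audit_pins(lockfile: str, advisories: dict[str, list[tuple[str, str]]]) -> list[Finding]:
    """Flag pinned versions inside any [introduced, fixed) advisory range, plus unpinned deps."""
    pins, unpinned = parse_pins(lockfile)
    findings = [Finding("unpinned_dependency", name, "no exact version pin") for name in unpinned]
    for name, version in pins.items():
        v = parse_version(version)
        for introduced, fixed in advisories.get(name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append(Finding("vulnerable_dependency", f"{name}=={version}", f"fixed in {fixed}"))
    return findings


def run_checks(files, lockfile, advisories) -> list[Finding]:
    return scan_secrets(files) + audit_pins(lockfile, advisories)


# Constructed sample repository contents (not real files or credentials).
SAMPLE_FILES = {
    "app/config.py": 'DB_PASSWORD = "correct-horse-battery"\nDEBUG = False\n',
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
    "app/main.py": "import requests\n",
}
SAMPLE_LOCK = "requests==2.25.0\npyyaml==5.4.1\nlxml  # not pinned\n"
# Constructed advisory ranges (introduced, fixed); illustrative only, not real CVE data.
SAMPLE_ADVISORIES = {
    "requests": [("2.3.0", "2.31.0")],
    "pyyaml": [("5.1", "5.4")],  # 5.4.1 is outside this range, so it should not fire
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_FILES, SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f.kind:22} {f.location:28} {f.detail}")
```

Wired in as a required CI status check, any non-empty result blocks the merge; that is the kind of preventative gate inside the pipeline that the report says most companies lack. Note that the check runs on the lockfile, not on whatever the package manager resolves at build time, so a dependency that is pinned but later replaced upstream (the poisoning case) still needs artifact integrity hashes, which this example does not cover.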
“The software supply chain process is a core component of the modern application development lifecycle. Leaving this wide attack vector open, threatens to severely lower companies’ application security posture, potentially exposing sensitive data and creating additional entry points into the application in runtime,” added Orzel.
“In many cases, there is no visibility for security teams into this process until it is too late, as most companies do not have preventative capabilities within the CI/CD tools and processes.”