Software supply chain security is broader than SolarWinds and Log4J

Dan Lorenc is CEO and co-founder of Chainguard. He was previously a staff software engineer and the lead for Google’s Open Source Security Team. He is the founder of projects such as Minikube and Skaffold, TektonCD, and Sigstore.

SolarWinds and Log4j have made software supply chain security issues a topic of intense interest and scrutiny for businesses and governments alike.

SolarWinds is a frightening example of what can go wrong when software build systems are insecure. Russian intelligence services took over the software build system for SolarWinds, added a backdoor and rode it onto the computers of thousands of customers. Log4j is a perfect example of the garbage-in, garbage-out problem in open source software. If you download no-warranties code via the internet, there will be bugs, and some of these bugs can be exploited.

What’s less known is that these attacks only represent a fraction of the possible software supply chain compromises.

Let us take a look at some lesser-known but equally serious types of software supply chain attack.

Unauthorized commits

This class of attacks describes an unauthorized user compromising a development laptop or a source-code management system (e.g. GitHub) and then pushing code.

A particularly famous example occurred when an attacker compromised the server hosting the PHP programming language and inserted malicious code into the programming language itself. Although the code was discovered quickly, it could have allowed widespread unauthorized access to large swathes of the internet if not corrected.

The security vendor landscape sells the illusion that scanners and software composition analysis wares can detect all critical vulnerabilities at the software artifact layer. They don’t.

Fortunately, recently developed tools like Sigstore and gitsign reduce the probability of this type of attack and the damage if such an attack does occur.

Publishing server compromise

Recently an attacker, potentially the Chinese intelligence services, hacked the servers that distribute the Chinese messaging app MiMi, replacing the normal chat app with a malicious version. The malware enabled the attackers to remotely control and monitor the chat software.

This attack is a result of the fact that the software industry has failed to treat critical points in its software supply chain (like publishing systems or build systems) with as much care as production environments or network perimeters.

Open source package repository attacks

From the Python Package Index, which houses Python packages, to npm, the world’s software now literally depends on vast stores of software packages, the open source software programmer’s equivalent of the Apple App Store.
