Package Supply Chain Attacks

The average open source (non-node) software repository uses 203 packages as dependencies. That’s a lot of places where an attacker might insert code that compromises a system, introduces a security flaw, or attacks other systems. It’s even worse on some platforms whose dependencies tend to be smaller and more numerous, such as node. It’s going to sound like we are bashing node in this episode, but we actually aren’t. The issue is that node made the clean use of small, focused packages very popular, and made it easy to do well enough to be useful. As a result, some of the problems that are coming for all of us have already hit the node ecosystem hard. Similar issues have come up in other languages, such as ruby, java, and python.

In effect, most of the code in your application was not written by you. This has almost always been true, all the way back to old school console apps in DOS, which still pulled in dependencies from libraries. However, in the modern, hyperconnected world, the number of available software packages, package repositories, and security concerns around both has completely exploded. There is a very serious risk that in the near future, some major security problem is going to bring down large numbers of applications, in much the same way as the ILOVEYOU virus did to email servers back in the day. The issue is one of trust and security. In fact, one might argue that it is the same issue that we’ve been grappling with in computing since the beginning: Who do I trust, how do I prove that it’s really them, and how do I know that I can STILL trust them?

In the movie Jurassic Park, they use dinosaur blood extracted from mosquitoes in order to clone dinosaurs in a lab. However, there are parts of the DNA that are damaged and can’t be replicated effectively. So, what they do is stick some amphibian DNA in the gaps. Essentially, they are behaving in the way that thousands of us do every day. In the movie, this resulted in dinosaurs that were supposed to be contained by being unable to breed, breeding anyway due to an unexpected “feature” in the inserted DNA. And people got eaten. We also have to face the fact that while we like to think of ourselves as being the brilliant mathematician who saw it all coming, on average, most of us are more like the fat guy (Dennis Nedry) who didn’t realize how dangerous his situation really was and was just trying to collect a paycheck.

Supply chain attacks are a real and rising threat to software development groups everywhere. In addition to the motley cast of script kiddies, cryptocurrency miners, spammers, pranksters, and malware vendors, there is a growing problem with state actors, terrorists, and international cartels. On top of this, you almost certainly need to worry about insider threats and breaches at trusted partners as well. We’re going to have to improve our game in this, or the results will be catastrophic. Supply chain attacks are a very serious problem and probably the greatest threat the industry will face in the next decade.
