Software supply chain is not a security risk - it’s an imminent security disaster
Many of the high-profile security incidents we’ve seen lately have a common attack vector: a compromise of the software supply chain. By a software supply chain, we refer to the 3rd party modules and dependencies used by most modern web applications.
The modules or dependencies themselves are innocuous and plentiful - instead of re-inventing the wheel to solve a certain programming problem, developers choose to use a pre-written piece of code (module) someone else has created and published. For example, any application built with a modern JavaScript framework like React or Angular will include hundreds of 3rd party modules as dependencies.
Most of these modules are maintained by individual contributors in different parts of the world. A few years ago, one developer chose to ‘unpublish’ his modules, instantly breaking thousands of product build pipelines across the world.
So what’s the security risk - or rather disaster - here?
Let’s imagine a malicious actor steals the password of a contributor who maintains one of the hundreds of modules your product uses, and uses it to inject malicious code into the module.
The malicious code could be designed, for example, to alter the logic of the main program - your product - to silently collect credit card information of its users.
When your product is next deployed, the build pipeline will automatically fetch the compromised module, and embed it as part of the application, beginning the attack. After a period, a smart attacker could use the same channel to remove the malicious code - likely removing any evidence that any security breach occurred.
Here is the grim news:
While software supply chain attacks are already happening at scale, we predict that we’ve only seen the tip of the iceberg.
Organisations both big and small use freely available open source 3rd party modules with little to no control or security oversight.
Once this attack vector is utilised more - and it will - we’ll get used to seeing major security breaches happen much more often.
You should consider how to mitigate the risk to you and your customers, and do it right now.
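One concrete mitigation for the scenario above, added here as an illustration and not code from the original post: make the build pipeline refuse any module whose archive does not hash to the value committed in the lockfile, and flag dependencies the lockfile cannot pin. It assumes an npm-style package-lock.json (lockfileVersion 3 layout); the package names, URL and tarball bytes are constructed.

```python
import base64
import hashlib
import re

def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity string for an archive, the form npm records in package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()

# Constructed archive contents standing in for the module tarball the pipeline fetches.
REVIEWED_TARBALL = b"left-widget-1.4.2: module contents as reviewed"
TAMPERED_TARBALL = b"left-widget-1.4.2: same version number, silently replaced contents"

# Constructed lockfile with only the fields this check reads.
LOCKFILE = {
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/left-widget": {
            "version": "1.4.2",
            "resolved": "https://registry.example.invalid/left-widget/-/left-widget-1.4.2.tgz",
            "integrity": sri_sha512(REVIEWED_TARBALL),
        },
        # Recorded without a pinned version, source URL or hash: the pipeline would
        # embed whatever the registry happens to serve for it at build time.
        "node_modules/loose-dep": {"version": "^2.0.0"},
    },
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

def audit_lockfile(lock: dict) -> list[str]:
    """One finding per dependency the pipeline could not verify before embedding it."""
    findings = []
    for path, entry in lock["packages"].items():
        if path == "":  # the root project entry, not a dependency
            continue
        if not EXACT_VERSION.match(entry.get("version", "")):
            findings.append(f"{path}: version not pinned exactly")
        if not entry.get("resolved"):
            findings.append(f"{path}: no resolved URL")
        if not str(entry.get("integrity", "")).startswith("sha512-"):
            findings.append(f"{path}: no sha512 integrity hash")
    return findings

def verify_fetched(lock: dict, path: str, tarball: bytes) -> bool:
    """True only if the fetched archive hashes to the integrity value committed in the lockfile."""
    expected = lock["packages"].get(path, {}).get("integrity", "")
    return expected != "" and expected == sri_sha512(tarball)

if __name__ == "__main__":
    for finding in audit_lockfile(LOCKFILE):
        print("FINDING", finding)
    print("reviewed archive accepted:", verify_fetched(LOCKFILE, "node_modules/left-widget", REVIEWED_TARBALL))
    print("tampered archive accepted:", verify_fetched(LOCKFILE, "node_modules/left-widget", TAMPERED_TARBALL))
```

A module republished under the same version number with different contents fails the hash check, which is exactly the silent swap the scenario above relies on.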