How to Avoid Software Supply Chain Vulnerabilities

Software supply chain attacks have increased by “an astonishing 742 percent” in the past three years, according to the 8th Annual State of the Software Supply Chain Report from Sonatype.

The report, which looks at the state of open source software consumption along with persistent security concerns, notes that: 

  • Across the four ecosystems measured (namely, Java, JavaScript, Python, and .NET), the overall download volume is projected to top 3 trillion downloads.
  • 1.2 billion vulnerable dependencies are downloaded each month.
  • Ninety-six percent of known-vulnerable open source downloads are avoidable.

In this article, we’ll look at various findings from the report including specific tactics used by attackers and ways to minimize exposure to vulnerabilities.

Malicious Tactics

To improve security, the report says, “it’s important to focus on the different types of strategies being disseminated by these bad actors in the software supply chain.” 

In 2022, the research team observed several recurring malicious tactics, including: 

  • Dependency confusion, which involves spoofing internal package names and publishing them to an open source registry with an abnormally high version number 
  • Typosquatting, which involves picking a popular component, misspelling the name slightly, and relying on the assumption that some developers will make a mistake in adding a component 
  • Malicious source code injections, which pose a real risk to developers of popular libraries, but are less numerous than the mass attack types
  • Protestware, which is when a maintainer deliberately sabotages their own project so that it causes harm or malfunctions, in an attempt to disrupt adopters' work

Dependency Hell

The networked nature of dependencies means they play a key role in supply chain security. Per the report: 

  • The number of open source dependencies being downloaded and integrated into software grew by an estimated 33 percent across the monitored ecosystems in 2022.
  • About six out of every seven vulnerabilities affecting projects come from transitive dependencies.

Consider the Java ecosystem as an example. According to the report, “the average Java application contains 148 dependencies, compared to 128 last year,” and the average Java project releases updates 10 times a year. So, the report says, the task of managing dependencies means that developers must also:

  • Track an average of 1,500 dependency changes per year per application
  • Possess sufficient security and legal expertise to choose the safest versions
  • Maintain a working knowledge of software quality
  • Understand the nuances of ecosystems being used
  • Sift through thousands of projects to pick the best ones

Decisions, Decisions

After developers have decided which projects to build upon, they must continue to make decisions relating to version management. “These decisions are relative to the version of a dependency that developers choose to adopt and can vary widely between major and minor versions of the same library,” the report states. 

In terms of making these decisions, the report offers eight general rules to consider:

  • Don't choose an alpha, beta, milestone, release candidate, etc., version.
  • Don't upgrade to a known-vulnerable version.
  • Upgrade to a lower risk severity if your current version is vulnerable.
  • When a component is published twice in close succession, choose the later version.
  • Choose a migration path (from version to version) others have chosen.
  • Choose a version that minimizes breaking code changes.
  • Choose a version that the majority of the population is using.
  • If all else is equal, choose the newest version.
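As an added example (not code from the report or this article), the following Python helper applies the rules above to constructed release metadata for a hypothetical library; it implements every rule except rule 5 (following a migration path others have taken), which needs upgrade-history data the example does not model. The `Candidate` fields and the sample versions are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Candidate:
    """Constructed metadata for one published version (field names are assumptions)."""
    version: str
    published_day: int        # days since an arbitrary epoch
    vulnerable: bool = False
    severity: float = 0.0     # highest known CVSS score, 0 = nothing known
    breaking_changes: int = 0 # API breaks relative to the caller's current version
    adopters: int = 0         # how many projects are observed using this version

PRERELEASE = re.compile(r"(alpha|beta|milestone|rc\d*|m\d+|snapshot)", re.I)

def numeric(version: str) -> tuple:
    """'2.1.0-beta1' -> (2, 1, 0); used only for ordering."""
    core = re.split(r"[-+]", version, 1)[0]
    return tuple(int(p) for p in core.split("."))

def is_prerelease(version: str) -> bool:
    return PRERELEASE.search(version) is not None   # rule 1

def choose_version(current: Candidate, candidates: list) -> Optional[Candidate]:
    stable = [c for c in candidates if not is_prerelease(c.version)]
    # rule 4: a version re-published within a day supersedes the earlier one
    pool = [c for c in stable if not any(
        numeric(o.version) > numeric(c.version)
        and 0 <= o.published_day - c.published_day <= 1 for o in stable)]
    clean = [c for c in pool if not c.vulnerable]                 # rule 2
    if not clean and current.vulnerable:                          # rule 3
        clean = [c for c in pool if c.severity < current.severity]
    if not clean:
        return None
    # rules 6, 7, 8 in order: fewest breaking changes, most adopters, then newest
    return max(clean, key=lambda c: (-c.breaking_changes, c.adopters, numeric(c.version)))

# Constructed scenario: the project is on a vulnerable 1.4.0 and must pick an upgrade.
CURRENT = Candidate("1.4.0", published_day=0, vulnerable=True, severity=7.5, adopters=900)
CANDIDATES = [
    Candidate("1.4.1", published_day=10, adopters=1200),
    Candidate("1.4.2", published_day=11, adopters=300),   # rule 4 drops 1.4.1 in its favour
    Candidate("1.5.0", published_day=40, vulnerable=True, severity=5.3, adopters=400),
    Candidate("2.0.0", published_day=90, breaking_changes=12, adopters=150),
    Candidate("2.1.0-beta1", published_day=120, breaking_changes=12, adopters=20),
]

if __name__ == "__main__":
    print(choose_version(CURRENT, CANDIDATES).version)  # 1.4.2
```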

Improving software supply chain security is an increasingly important issue for the open source community, and the insights from this report can help raise awareness of specific threats and how to avoid them.
