SolarWinds and Log4j have made security issues in the software supply chain a subject of great interest and attention for companies and governments alike.
SolarWinds was a terrifying example of what can go wrong with the integrity of software build systems: Russian intelligence agencies hijacked the build system for SolarWinds software, surreptitiously added a backdoor to a piece of software, and piggybacked onto the computer networks of thousands of customers. Log4j embodies the “garbage-in, garbage-out” problem of open source software: if you get code from the internet without warranty, there will be bugs, and some of these bugs can be exploited.
What is less talked about, however, is that these attacks represent only a fraction of the various types of compromises in the software supply chain that are possible.
Let’s take a look at some of the lesser-known, but no less serious, types of software supply chain attacks.
This attack class describes an unauthorized user who compromises a developer’s laptop or a source code management system (e.g. GitHub) and then pushes code.
A particularly famous example occurred when an attacker compromised the server hosting the PHP programming language and inserted malicious code into the programming language itself. Although the code was discovered quickly, if it had not been corrected, it would have allowed widespread unauthorized access to large parts of the Internet.
The security vendor landscape sells a pipe dream that “scanners” and “software composition analysis” can detect all critical vulnerabilities at the software artifact level. They do not.
Fortunately, recently developed tools such as Sigstore and gitsign reduce the chance of this type of attack and the damage if such an attack does occur.
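An added example, not from the original article or from the Sigstore project: once commits are signed, a merge gate can reject commits that are unsigned or signed by an unexpected identity. The Python below audits the output of git log --format='%H%x09%G?%x09%GS'; the signer allowlist and the sample log lines are constructed for illustration.

```python
# Added example: audit commit-signature status from `git log` output.
# Produce the input with: git log --format='%H%x09%G?%x09%GS' <range>
# ALLOWED_SIGNERS and SAMPLE_LOG are constructed for illustration.

# Meaning of git's %G? placeholder (documented in git's pretty formats).
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked",
    "N": "no signature",
}

# Hypothetical allowlist: signer strings exactly as git reports them in %GS.
ALLOWED_SIGNERS = {"alice@example.com", "bob@example.com"}

SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\talice@example.com
2222222222222222222222222222222222222222\tN\t
3333333333333333333333333333333333333333\tG\tmallory@example.net
4444444444444444444444444444444444444444\tB\tbob@example.com
"""

def audit(log_text, allowed=ALLOWED_SIGNERS):
    """Return [(commit, reason)] for every commit that fails the policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            findings.append((line[:40], "unparseable log line"))
            continue
        commit, status, signer = fields
        if status != "G":
            # Anything other than a fully verified signature is rejected.
            findings.append((commit, STATUS.get(status, "unknown status " + status)))
        elif signer not in allowed:
            # A valid signature from an identity outside the allowlist.
            findings.append((commit, "signed by unapproved identity " + signer))
    return findings

if __name__ == "__main__":
    for commit, reason in audit(SAMPLE_LOG):
        print(commit[:12], reason)
```

The author name and e-mail on a commit can be set by whoever creates it, which is why the check keys on the verified signer rather than on the author field.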
Compromised publishing server
Recently, an attacker, possibly the Chinese intelligence community, hacked into the servers that distribute the Chinese messaging app MiMi, replacing the normal chat app with a malicious version. The malware allowed the attackers to remotely monitor and control the chat software.
This attack stems from the software industry’s failure to treat critical points in the software supply chain (such as publishing servers or build systems) with the same care as production environments and network perimeters.
Open source package repository attacks
From the Python Package Index, which houses Python packages, to npm, the world’s software is now literally dependent on vast numbers of software packages, the open source software programmer’s equivalent of the Apple App Store.