Three questions and answers: why there are so many open source attacks now


Attackers are increasingly relying on open source gaps because we are dependent on free software – but despite the great danger, you can protect yourself well.

A growing number of attacks on companies abuse the open source dependencies of most enterprise software. Log4Shell has alarmed many, but unfortunately it is just one example: such attacks are now eight times more common than three years ago. We talk to Henrik Plate from SAP about how such attacks work and how to protect yourself effectively against them.

Henrik Plate is a senior researcher at SAP, head of the research topic “Open Source Security” at SAP Security Research and project manager of Eclipse Steady, an open source vulnerability scanner.

Why do developers of modern software no longer really have an overview of open source dependencies?

In my opinion, this is partly due to the sheer number of dependencies: modern Java applications, for example, have an average of 97 direct and transitive dependencies. In addition, practices such as code rebundling and copy-and-paste programming make it difficult to understand what code is present and running in an application. For example, if an older, Log4Shell-vulnerable rebundled version of Log4j is found in the classpath of a Java application before an official version of Log4j, the version with the known vulnerability will be used. This is not immediately obvious to the developer and operator of an application, yet easy for attackers to exploit.

However, it should also be noted that developers and development companies have become much more aware of the problem in recent years. And there are numerous initiatives, commercial and non-commercial, working on pragmatic solutions. In my opinion, as an industry, we are on the right track – and the requirements currently being pushed by the USA regarding Software Bills of Materials (SBOM) will push the topic even further.
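The classpath-shadowing situation described in the first answer can be made visible with a small check. The following is an added example, not code from the interviewee, SAP or Eclipse Steady: it walks the classpath in JVM load order, records every jar that provides a given class, and reports which jar actually wins and which copies are shadowed. The jar names and the placeholder class bytes are constructed for the demo.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

def classpath_duplicates(classpath, sep=os.pathsep):
    """Map each class name to the ordered list of classpath entries that provide it.

    The JVM application class loader takes the first entry that contains a class;
    every later entry providing the same class is shadowed. Only classes that occur
    more than once are returned. Missing or non-jar entries are skipped.
    """
    providers = defaultdict(list)
    for entry in classpath.split(sep):
        if not entry or not zipfile.is_zipfile(entry):
            continue
        with zipfile.ZipFile(entry) as jar:
            for name in jar.namelist():
                if name.endswith(".class"):
                    providers[name].append(entry)
    return {cls: entries for cls, entries in providers.items() if len(entries) > 1}

def shadowed_classes(classpath, sep=os.pathsep):
    """Return (class, winning_entry, shadowed_entries) for each duplicated class."""
    return [(cls, entries[0], entries[1:])
            for cls, entries in classpath_duplicates(classpath, sep).items()]

def build_demo_classpath(directory):
    """Constructed sample: a rebundled 'fat' jar carrying an old copy of a Log4j class
    sits ahead of the patched Log4j jar on the classpath, so the old copy is loaded."""
    cls = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    rebundled = os.path.join(directory, "some-library-all.jar")   # hypothetical name
    patched = os.path.join(directory, "log4j-core-patched.jar")   # hypothetical name
    with zipfile.ZipFile(rebundled, "w") as jar:
        jar.writestr("com/example/Lib.class", b"")  # placeholder, not real bytecode
        jar.writestr(cls, b"OLD")                   # placeholder, not real bytecode
    with zipfile.ZipFile(patched, "w") as jar:
        jar.writestr(cls, b"NEW")                   # placeholder, not real bytecode
    return os.pathsep.join([rebundled, patched])

def run_demo():
    """Build the sample classpath in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as d:
        return shadowed_classes(build_demo_classpath(d))

if __name__ == "__main__":
    for cls, winner, losers in run_demo():
        print(f"{cls}\n  loaded from: {winner}\n  shadowed:    {', '.join(losers)}")
```

On a real application, pass the `-cp`/`CLASSPATH` string of the running JVM instead of the constructed one; any `JndiLookup.class` loaded from a jar other than the patched Log4j artifact deserves a closer look.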

To what extent are supply chain gaps more dangerous than classic malware that follows every Office gap, for example?

In some cases, classic malware and the supply chain attacks discussed in the article are similar. Often these are just different gateways to ultimately load comparable malware, such as cryptominers, onto the affected computer and run it there. A large part of the malware discovered in package repositories such as npm or PyPI in recent years had exactly this goal.

However, there is also a class of supply chain attacks that don’t directly target a developer’s computing resources, but instead inject backdoors and hidden functionality into applications. This type of malware can potentially go undetected for a long period of time and be exploited by attackers, similar to 0-day vulnerabilities. The latter was the case with SolarWinds, whose manipulated software update was installed by several thousand customers, giving attackers access to customer systems.

Isn’t there a simple way out of the dilemma of developing applications completely in-house again?

A complete in-house development is neither economically nor technically realistic. The supply chain also includes, for example, compilers, the operating system and development environments. If you want to program a web shop, for example, you certainly don’t want to first write a bootloader in assembler. However, it is also true that some open source components can be easily replaced by in-house developments and thus reduce the attack surface, for example in the case of so-called micro-packages, some of which only contain a few lines of code.

On the one hand, there are very good reasons for reuse in general and open source in particular. On the other hand, the success story of open source and the associated ubiquity makes supply chain attacks particularly attractive.

It is important for every software developer to keep an eye on his supply chain, especially to check its elements for known gaps. And where possible, open source projects should be actively supported, for example with code contributions or security reviews.

Mr. Plate, thank you very much for the interview! A detailed article on SBOM tools and attacks on the software supply chain can be found in the current October iX.

In the “Three Questions and Answers” series, iX wants to get to the heart of today’s IT challenges – whether it’s the user’s point of view in front of the PC, the manager’s point of view or the everyday life of an administrator. Do you have suggestions from your daily practice or that of your users? Whose tips on which topic would you like to read in a nutshell? Then please write to us or leave a comment in the forum.
