Categories: Tech NewsTechCrunch+

Software supply chain security is broader than SolarWinds and Log4J

SolarWinds and Log4j have made software supply chain security issues a topic of intense interest and scrutiny for businesses and governments alike.

SolarWinds was a terrifying example of what can go wrong with the integrity of software build systems: Russian intelligence services hijacked the software build system for SolarWinds software, surreptitiously adding a backdoor to a piece of software and hitching a ride into the computer networks of thousands of customers. Log4J epitomizes the garbage-in, garbage-out problem of open source software: If you’re grabbing no-warranties code from the internet, there are going to be bugs, and some of these bugs will be exploitable.

What’s less talked about, though, is that these attacks represent only a fraction of the different types of software supply chain compromises that are possible.

Let’s take a look at some of the lesser-known, but no less serious, types of software supply chain attacks.

Unauthorized commits

This class of attacks describes an unauthorized user compromising a developer laptop or a source code management system (e.g., GitHub) and then pushing code.

A particularly famous example occurred when an attacker compromised the server hosting the PHP programming language and inserted malicious code into the programming language itself. Although discovered quickly, the code, if not corrected, would have enabled widespread unauthorized access across large swaths of the internet.

The security vendor landscape is selling a pipedream that “scanners” and “software composition analysis” wares can detect all of the critical vulnerabilities at the software artifact level. They don’t.

Fortunately, recently developed tools like Sigstore and gitsign reduce the probability of this type of attack and the damage if such an attack does occur.

Publishing server compromise

Recently an attacker, potentially the Chinese intelligence services, hacked the servers that distribute the Chinese messaging app MiMi, replacing the normal chat app with a malicious version. The malware allowed the attackers to monitor and control the chat software remotely.

This attack stems from the fact that the software industry has failed to treat critical points in the software supply chain (like publishing servers or build systems) with the same care as production environments and network perimeters.

Open source package repository attacks

From the Python Package Index, which houses Python packages, to npm, the world’s software now literally depends on vast stores of software packages, the open source software programmer’s equivalent of the Apple App Store.

Software supply chain security is broader than SolarWinds and Log4J by Ram Iyer originally published on TechCrunch

Recent Posts

Unlocking the Secrets of JSON.stringify(): More Than Meets the Eye

JSON (JavaScript Object Notation) is a lightweight data-interchange format widely used in web development. At…

3 months ago

How to Handle AJAX GET/POST Requests in WordPress

AJAX (Asynchronous JavaScript and XML) is a powerful technique used in modern web development that…

4 months ago

Page Speed Optimization: Post-Optimization Dos and Don’ts

Introduction After successfully optimizing your website for speed, it's essential to maintain and build upon…

4 months ago

Ultimate Guide to Securing WordPress Folders: Protect Your Site from Unauthorized Access

Securing your WordPress folders is crucial to safeguarding your website from unauthorized access and potential…

5 months ago

HTML CSS PHP File Upload With Circle Progress Bar

Creating a file upload feature with a circular progress bar involves multiple steps. You'll need…

6 months ago

Using WP Rocket with AWS CloudFront CDN

Integrating WP Rocket with AWS CloudFront CDN helps to optimize and deliver your website content…

6 months ago