You are here
Home > Be Aware > Surge in cyber attacks targeting open source software projects

Surge in cyber attacks targeting open source software projects

TTL;DR don’t place any trust in anyone else securing the open source components of your software stack. This is your opportunity to contribute back to the OSS community by actively looking for and fixing vulnerabilities…:

[…] According to the report, 929 next generation software supply chain attacks were recorded from July 2019 through May 2020. By comparison 216 such attacks were recorded in the four years between February 2015 and June 2019.

The difference between “next generation” and “legacy” software supply chain attacks is simple but important: next generation attacks like ​Octopus Scanner​ and ​electron-native-notify​ are strategic and involve bad actors intentionally targeting and surreptitiously compromising “upstream” open source projects so they can subsequently exploit vulnerabilities when they inevitably flow “downstream” into the wild.

Conversely, legacy software supply chain attacks like ​Equifax​ are tactical and involve bad actors waiting for new zero day vulnerabilities to be publicly disclosed and then racing to take advantage in the wild before others can remediate.

“Following the notorious Equifax breach of 2017, enterprises significantly ramped investments to prevent similar attacks on open source software supply chains,” said Wayne Jackson, CEO at Sonatype.

“Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero day vulnerabilities. Therefore, it should come as no surprise that next generation supply chain attacks have increased 430% as adversaries are shifting their activities ‘upstream’ where they can infect a single open source component that has the potential to be distributed ‘downstream” where it can be strategically and covertly exploited.”

[…]

Original article here

Peter Glock
Over 30 years of designing, building and managing telecoms and IT services. Primarily working with large enterprise and professional services businesses in Asia, North America, continental Europe and the UK. Information security professional, secret physics nerd.
https://brownglock.com

Similar Articles

Leave a Reply

Top
%d bloggers like this: