Software supply chain security is broader than SolarWinds and Log4J
SolarWinds and Log4j have made software supply chain security issues a topic of intense interest and scrutiny for businesses and governments alike.
SolarWinds was a terrifying example of what can go wrong with the integrity of software build systems: Russian intelligence services hijacked the software build system for SolarWinds software, surreptitiously adding a backdoor to a piece of software and hitching a ride into the computer networks of thousands of customers. Log4J epitomizes the garbage-in, garbage-out problem of open source software: If you’re grabbing no-warranties code from the internet, there are going to be bugs, and some of these bugs will be exploitable.
What’s less talked about, though, is that these attacks represent only a fraction of the different types of software supply chain compromises that are possible.
Let’s take a look at some of the lesser-known, but no less serious, types of software supply chain attacks.
Unauthorized commits
This class of attacks describes an unauthorized user compromising a developer laptop or a source code management system (e.g., GitHub) and then pushing code.
A particularly famous example occurred when an attacker compromised the server hosting the PHP programming language and inserted malicious code into the programming language itself. Although discovered quickly, the code, if not corrected, would have enabled widespread unauthorized access across large swaths of the internet.
The security vendor landscape is selling a pipedream that “scanners” and “software composition analysis” wares can detect all of the critical vulnerabilities at the software artifact level. They don’t.
Fortunately, recently developed tools like Sigstore and gitsign reduce the probability of this type of attack and the damage if such an attack does occur.
Publishing server compromise
Recently an attacker, potentially the Chinese intelligence services, hacked the servers that distribute the Chinese messaging app MiMi, replacing the normal chat app with a malicious version. The malware allowed the attackers to monitor and control the chat software remotely.
This attack stems from the fact that the software industry has failed to treat critical points in the software supply chain (like publishing servers or build systems) with the same care as production environments and network perimeters.
Open source package repository attacks
From the Python Package Index, which houses Python packages, to npm, the world’s software now literally depends on vast stores of software packages, the open source software programmer’s equivalent of the Apple App Store.