Application Security Risk in 2019: It's All About The Supply Chain

December 28, 2018 By Matt Howard


It’s that time of year again – time to reminisce on the past year and prepare our organizations to tackle the opportunities and challenges that lie ahead in 2019.

While the rapidly changing landscape of cyber risk management makes it impossible to predict with certainty where tomorrow's danger lies, we can, and should, examine the empirical facts staring us in the face and make an educated guess about how to defend against future risks.

2018 had a number of events we should take into consideration when evaluating potential risk, but we don't need to look too far back to find what I believe will be the most important issue of 2019. In the last 90 days, the world witnessed three different cyber events highlighting how vulnerable the technology supply chain truly is. This pattern suggests that organizations everywhere must commit to creating controls designed to protect their technology supply chains from attack in 2019.

The culprits?  Supermicro, Event-Stream, and Cloudhopper.  Three separate attacks.  All of them different.  All of them terrifying.  And, all of them aimed at exploiting weaknesses within the global technology supply chain.

The Proof is in the Hack: Poisoned Rivers Flow Downstream 

In early October, Bloomberg published its now famous article "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies." In it, reporters Jordan Robertson and Michael Riley alleged that Chinese spies purposely polluted Supermicro's hardware supply chain and subsequently hacked more than 30 downstream companies, including Apple and Amazon. (NOTE: Supermicro vehemently denies the allegations, but Bloomberg stands by the story.)

Just a month ago, the world became aware of event-stream, a surprisingly simple software hack in which a cunning perpetrator hijacked ownership of the popular event-stream open source project, implanted crypto-mining malware in the JavaScript component, waited for the polluted component to surface downstream in the production CoPay wallet, and then stole god only knows how much cryptocurrency.

Then, last week, cloudhopper entered the spotlight. What is cloudhopper? You guessed it. It's the latest cyber attack to leverage weaknesses in the technology supply chain so perpetrators can exploit downstream victims at scale. This time, however, the bad actors didn't target the "hardware" supply chain. They didn't even target the "software" supply chain. Instead, they targeted the "service" supply chain. Specifically, they intentionally hacked HPE and IBM -- not for purposes of harming either of them -- but for purposes of exploiting their thousands of managed service clients downstream.

Where Do We Go From Here?

Hackers are lazy, but they aren't stupid, and they definitely understand scale.  Given the opportunity, they will always jump at the chance to target any vulnerable part of the modern technology supply chain. Bad actors know that by gaining access to the supply chain, they can kill many, many birds with just one stone.

Heading into 2019, the world should fully expect that cyber criminals will continue to look for weaknesses in any and every part of the technology supply chain -- hardware, service, and software.  But, with our eyes wide open, we should recognize the scary truth: the easiest point of entry into the technology supply chain is software channels -- and, in particular, open source ecosystems. Hackers already understand this. 

Want some proof?

In addition to the event-stream hack on the JavaScript supply chain disclosed last month, there were numerous similar software supply chain attacks in the past year, including VestaCP and Colorama. Furthermore, in 2017 the world watched NotPetya wreak havoc, a classic example of a software supply chain attack. Also in 2017, nearly 2.5 million people were forced to deal with CCleaner, which was likewise seeded in the software supply chain.

Indeed, over the past two years, the research team at Sonatype has identified 10 separate events pointing to a serious escalation of supply chain attacks aimed at open source ecosystems. Adversaries are injecting vulnerabilities directly into projects and intentionally poisoning the well that millions of developers drink from. In many cases, these compromised components were unwittingly used by software developers to assemble applications. Then, these compromised applications were made available for use by consumers and businesses alike. The risk is significant -- and, worse yet, it is unknown to everyone except the person who intentionally planted the compromised component inside the open source software supply chain.
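One control that keeps a planted component from going unnoticed by the team consuming it is to review what actually changed in the dependency lockfile on every update, rather than only the version bump a developer asked for. The following is an added example, not code from this article or from Sonatype: it diffs two constructed npm package-lock.json documents (package names and hashes are made up) and reports newly introduced packages, entries whose tarball hash changed without a version change, and entries that carry no integrity hash at all.

```python
import json

# Constructed sample npm package-lock.json documents (lockfileVersion 2 layout); names and hashes are made up.
OLD_LOCK = json.dumps({
    "name": "wallet-app", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"stream-lib": "^3.3.0"}},
        "node_modules/stream-lib": {"version": "3.3.4", "integrity": "sha512-AAAA"},
    },
})
# The updated lockfile keeps stream-lib at 3.3.4 but its tarball hash differs, and a new transitive package appears.
NEW_LOCK = json.dumps({
    "name": "wallet-app", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"stream-lib": "^3.3.0"}},
        "node_modules/stream-lib": {
            "version": "3.3.4",
            "integrity": "sha512-BBBB",
            "dependencies": {"helper-stream": "0.1.1"},
        },
        "node_modules/helper-stream": {"version": "0.1.1"},
    },
})


def load_packages(lock_text):
    # Map each installed path (everything except the root "" entry) to its metadata.
    data = json.loads(lock_text)
    return {path: meta for path, meta in data.get("packages", {}).items() if path}


def diff_lockfiles(old_text, new_text):
    """Return (finding, package path, detail) tuples a reviewer should look at."""
    old, new = load_packages(old_text), load_packages(new_text)
    findings = []
    for path, meta in sorted(new.items()):
        version, integrity = meta.get("version"), meta.get("integrity")
        if path not in old:
            findings.append(("new_package", path, version))
        elif old[path].get("version") != version:
            findings.append(("version_changed", path, f"{old[path].get('version')} -> {version}"))
        elif old[path].get("integrity") != integrity:
            # Same version but a different tarball hash: the published artefact itself changed.
            findings.append(("integrity_changed_same_version", path, version))
        if not integrity:
            findings.append(("missing_integrity", path, version))
    for path in sorted(set(old) - set(new)):
        findings.append(("removed_package", path, old[path].get("version")))
    return findings

if __name__ == "__main__":
    for finding in diff_lockfiles(OLD_LOCK, NEW_LOCK):
        print(*finding)
```

Run against real lockfiles by reading the two files and passing their text to diff_lockfiles; an empty result means nothing in the dependency tree changed.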

We're Not In Kansas Anymore.

In the past, open source software hacks like Heartbleed, Bouncy Castle, and Equifax occurred after a new vulnerability had been discovered and publicly disclosed. Effectively, "bad guys" would wait for new vulnerabilities to be announced and would then move quickly to exploit them in the wild before "good guys" could get around to patching.

Today, the game is getting much, much faster. It's like going from high school football straight to the NFL and skipping college altogether.

Organizations can no longer afford to ignore the reality that hackers are intentionally planting vulnerabilities directly into the global supply of open source components. As companies head into 2019, they would be wise to learn how to run fast enough to harness all of the good offered by open source software supply chains -- but without any of the risk.


Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. At Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.