In modern software development, developers move quickly by reusing existing third-party libraries and open source dependencies. This “supply chain” of components enables speed, but it has also become an attack vector for hackers. Securing the software supply chain is vital to keep an organization’s SLDC protected. Let’s look at two aspects of securing your organization’s software supply chain, inside and out.
A recent report by Aqua Security found that many organizations had inadequate controls around the secrets in their SDLC. Numerous container registries and artifact repositories are unintentionally left open to the public.
In some cases, repositories were intentionally public, but contain secrets not meant for public disclosure. In many cases, these secrets were credentials, API addresses or certificates that could enable further attacks deeper into the organization.
Many Sonatype customers leverage the benefits of Sonatype Nexus Repository to distribute components to their customers, partners, or the wider development community. However, ensuring proper access controls is vital.
Follow these three steps for the best results:
- If you’re using anonymous access, ensure that it’s a fit for your use case. Ask yourself if you need unauthenticated users inside (or outside) your organization accessing your repositories. If you don’t, disabling it entirely is an easy step toward securing your SDLC.
- Use the search and browse features to check what repositories and content are visible to anonymous users.
- Whether or not you’re using anonymous access, review our documentation on access control best practices.
That takes care of what can be pulled out of your SDLC.
What about what gets into your SDLC?
Cybercriminals continue to target organizations through the components in open source repositories. Public repositories like npmjs.org and the Python Package Index make for ideal watering hole attacks — poison the well and all who drink from it are impacted.
These repositories are easily accessible, making it a relatively easy lift for cybercriminals. As a result, these types of attacks continue to work effectively.
Bad actors often contribute malware-infected software components to open source repositories. These compromised components are eventually distributed downstream and integrated into applications that businesses and consumers rely on. Once the malicious code infiltrates developers' machines and build environments, the adverse effects can begin immediately.
The malicious code can spread to internal corporate networks and even make its way into products delivered to customers. This is the definition of a software supply chain attack.
Attacks on public open source repositories have experienced a staggering increase, with an average of 742% yearly growth since 2019. The scale is so immense that detecting and preventing every single attack in real time would be impossible. Even if a malicious component isn’t used in the final product, allowing it to be downloaded is already too late.
Over the past three years, Sonatype's industry-leading Repository Firewall has detected over 115,000 newly published malicious packages in open source repositories. It is the only solution combining cutting-edge behavioral analysis with automated policy enforcement.
Repository Firewall persistently identifies and blocks harmful packages and known vulnerable components. It evaluates every newly-released open source software component—an average of over 600,000 per month—and determines if it is a potential threat.
Sonatype safeguards various environments (on-premise, disconnected, cloud, etc.) from the onset. We enable DevSecOps teams worldwide to enhance their software supply chain security against diverse malicious threats. Simultaneously, we allow developers to continue innovating without hindering their processes.
If you’d like to talk with us directly about supply chain security, reducing risk at scale, or anything open source, join us over at the Sonatype Community.
This post was developed with Elissa Walters and Audra Davis-Hurst.
.png)
