Software Supply Chain Attacks Surge 650% in a Year


The insatiable global demand for open source code packages has led to a triple-digit year-on-year surge in upstream software supply chain attacks, according to Sonatype.


The supply chain management specialist compiled its 2021 State of the Software Supply Chain report from publicly available and proprietary data.

It claimed that global developers would borrow over 2.2 trillion open-source packages or components from third-party ecosystems to accelerate time-to-market. This includes Java components downloaded from the Maven Central Repository, Python packages downloaded from PyPI, JavaScript packages from npmjs and .NET packages from NuGet.

These shared code packages often contain publicly disclosed vulnerabilities that threat actors can exploit. However, Sonatype warned, cyber-criminals are increasingly taking a more proactive approach rather than waiting for such disclosures.

“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted.

“By shifting their attacks ‘upstream,’ bad actors can gain leverage and the crucial benefit of time that enables malware to propagate throughout the supply chain, enabling far more scalable attacks on ‘downstream’ users.”

Such attacks have increased by a staggering 650% year-on-year, versus a figure of 430% last year, Sonatype said.

There were 216 such attacks detected over four years between February 2015 and June 2019. However, this figure rose to 929 during just a year (July 2019–May 2020). That number surged to a staggering 12,000 over the past year.

“We now know that popular projects contain disproportionately more vulnerabilities,” argued Sonatype EVP, Matt Howard.

“This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up-to-date with optimal versions.”

Major cyber-threat campaigns, including the attacks on SolarWinds and Codecov, highlight the potentially severe repercussions of code supply-chain compromises.

By admin