Welcome to this issue of the WeAreDevelopers Live Talk series. This article recaps an interesting talk by Vandana Verma, who introduced the audience to the topic of supply chain risks.
About the Speaker:
Vandana is Security Solutions Architect at Snyk. She is a Vice-Chair of the OWASP Global Board of Directors. She leads Diversity Initiatives like InfosecGirls and WoSec. She is also the founder of InfosecKids. She has experience ranging from Application Security to Infrastructure and now dealing with Product Security. She has been Keynote speaker / Speaker / Trainer at various public events, including Global OWASP AppSec events, BlackHat events, and regional events like BSides events in India. Recently she spoke at the WeAreDevelopers Live Security Day.
Vandana starts her talk by showing a gif of a man arm wrestling with a robot. This is her metaphor for the fight of humankind against their own creations.
The robot symbolizes technology that is supposed to get smarter and smarter to help us with our daily work. But the information needed for those tasks gets uploaded somewhere, and other parts of it get downloaded from other sources.
Vandana wants to focus on the download part in this talk, as there is a chance that the packages you download contain malicious code and track you and/or your surroundings. According to her, developers have a big role to play here, as they can identify and prevent this kind of malware. On the other hand, they can easily become the vehicle for malware distribution. A good example of that is the event-stream incident back in 2018 (npm Blog Archive: Details about the event-stream incident (npmjs.org)). In this case, a widely used Node.js library was altered to include crypto-coin-stealing viruses. The package in question had been in use since 2011. The maintainers of the library asked the community to help them fix some issues with the code, and many replied offering assistance. At that time a developer sent a merge request which was vulnerable. This vulnerability made it possible for a crypto miner to be added to the package. So afterwards everyone who was using this library was also running a crypto miner in the background, and all their resources were being drained.
There are also more recent incidents: in January 2022, a maintainer added a loop condition to one package. Things like this keep happening and will not stop.
How much do you really know about your dependencies?
Vandana is sure that, as a developer, you hear this term day in and day out. She has been a developer as well as a security person, so she knows the pain everyone goes through when trying to make people understand that there are issues.
First, you must realize that there are dependencies you download as part of a package. Most developers look up errors in their code on the internet and just download a dependency; this is not the exception but common practice. But since most of you won't keep track of these dependencies, it is easy for an attacker to make use of them and damage your application.
These attacks also often happen through IDE plugins. If you wait too long to update those third-party tools, you make it very easy for an attacker to access your repositories and do a lot with them.
Cross-Site Scripting vulnerability
What is cross-site scripting? Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, carry out any actions that the user is able to perform, and access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
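To make the definition above concrete, here is an added example (not code from the talk) that renders the same page fragment with and without output encoding, and shows why an attribute such as href needs a context-specific check on top of encoding. The input strings at the bottom and the base URL app.example are constructed samples.

```javascript
// Added example, not code from the talk: the same markup rendered with and
// without output encoding, so the difference XSS exploits becomes visible.
// The input strings at the bottom are constructed samples.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of an HTML text or
// double-quoted attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the user-controlled value is concatenated straight into markup,
// so a value containing markup is interpreted as markup by the browser.
function renderGreetingUnsafe(name) {
  return `<h1>Hello ${name}</h1>`;
}

// Hardened: the value is encoded for the HTML text context before insertion.
function renderGreetingSafe(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Attribute values need the encoder for their context: an href is a URL, and
// HTML encoding alone does not stop a javascript: scheme from running when
// clicked. Allow only http(s) and fall back to a harmless anchor otherwise.
function safeHref(untrustedUrl) {
  try {
    // "https://app.example" is a placeholder base for resolving relative links
    const parsed = new URL(String(untrustedUrl), "https://app.example");
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return "#";
    return escapeHtml(parsed.href);
  } catch {
    return "#";
  }
}

function renderProfileLink(displayName, profileUrl) {
  return `<a href="${safeHref(profileUrl)}">${escapeHtml(displayName)}</a>`;
}

// Constructed sample inputs: a harmless name, a name carrying a script tag,
// and a link whose scheme would execute script when clicked.
const benignName = "Ada";
const scriptName = "Ada<script>alert(1)</script>";
const scriptUrl = "javascript:alert(1)";

console.log(renderGreetingUnsafe(scriptName));           // script tag reaches the page
console.log(renderGreetingSafe(scriptName));             // tag is shown as literal text
console.log(renderProfileLink(benignName, scriptUrl));   // href becomes "#"
```

The point of the two renderers is that the vulnerable one is not "missing a filter"; it is missing output encoding at the point where untrusted data meets markup. The href helper illustrates the usual follow-on lesson: encoding must match the context, and URL-valued attributes additionally need a scheme allowlist.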
This circumstance was exploited by attackers on Apache Struts. There was an issue in version 2.3 that affected many organizations and, in particular, harmed Equifax. After Apache became aware of these issues they released a patch, but the code of this fix was itself flawed and therefore exploitable. This shows how quickly a system can be breached.
Lessons learned from this case:
1. Detect fast: Make sure to automatically monitor for new vulnerabilities and that your vulnerability database is up-to-date.
2. Respond fast: Build automated fixing into the process.
3. Do it at scale: With more than 100 vulnerabilities discovered each year, the scalable way to find fixes is to empower developers to be the implementers.
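The "detect fast" step above, together with the earlier point that most developers do not keep track of what they download, is easiest to see with a tiny inventory-and-audit pass. The following is an added example, not the speaker's or any vendor's code: it reads the dependency tree recorded in an npm lockfile, flags packages whose download is not pinned by an integrity hash, and matches each package against an advisory list. The lockfile, the package names, the registry.example URLs and the advisory entries are all constructed placeholders, not real packages or real vulnerabilities.

```javascript
// Added example (not from the talk): inventory the dependencies recorded in
// an npm lockfile and check them against an advisory feed. Everything below
// (lockfile, package names, URLs, advisories) is a constructed placeholder.

// Constructed lockfile in the lockfileVersion 3 layout: a "packages" map
// keyed by the install path, with "" standing for the root project.
const sampleLockfile = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-widget": "^1.2.0", "stream-helper": "3.3.6" } },
    "node_modules/left-widget": {
      version: "1.2.4",
      resolved: "https://registry.example/left-widget-1.2.4.tgz",
      integrity: "sha512-PLACEHOLDERHASHAAAA"
    },
    // No integrity field: nothing verifies that the tarball fetched from
    // "resolved" is the one the lockfile author saw.
    "node_modules/stream-helper": {
      version: "3.3.6",
      resolved: "https://registry.example/stream-helper-3.3.6.tgz"
    },
    "node_modules/stream-helper/node_modules/flatmap-thing": {
      version: "0.1.1",
      resolved: "https://registry.example/flatmap-thing-0.1.1.tgz",
      integrity: "sha512-PLACEHOLDERHASHBBBB"
    }
  }
});

// Constructed advisory feed: inclusive affected version ranges.
const sampleAdvisories = [
  { name: "flatmap-thing", affected: { min: "0.1.0", max: "0.1.1" }, summary: "constructed: malicious code added in 0.1.x" },
  { name: "left-widget", affected: { min: "1.0.0", max: "1.2.3" }, summary: "constructed: XSS in template helper" }
];

// Minimal numeric major.minor.patch comparison (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function inRange(version, range) {
  return compareVersions(version, range.min) >= 0 && compareVersions(version, range.max) <= 0;
}

// Flatten the lockfile into one record per installed package, including
// transitive ones nested under another package's node_modules.
function inventory(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const items = [];
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (installPath === "") continue; // the root project itself
    const marker = "node_modules/";
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    items.push({
      name,
      version: meta.version,
      path: installPath,
      hasIntegrity: typeof meta.integrity === "string" && meta.integrity.length > 0
    });
  }
  return items;
}

// Produce findings: unpinned downloads and advisory matches.
function audit(lockfileText, advisories) {
  const findings = [];
  for (const dep of inventory(lockfileText)) {
    if (!dep.hasIntegrity) {
      findings.push({ ...dep, kind: "missing-integrity" });
    }
    for (const adv of advisories) {
      if (adv.name === dep.name && inRange(dep.version, adv.affected)) {
        findings.push({ ...dep, kind: "advisory", summary: adv.summary });
      }
    }
  }
  return findings;
}

for (const f of audit(sampleLockfile, sampleAdvisories)) {
  console.log(`${f.kind}: ${f.name}@${f.version} (${f.path})${f.summary ? " - " + f.summary : ""}`);
}
```

Running this kind of check on every lockfile change, rather than only when someone remembers, is what "detect fast" means in practice; the integrity check is the part that addresses the download-side risk the talk opened with, since a package resolved from a URL with no hash can be swapped out without the build noticing.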
Supply Chain Risks
What is a supply chain, basically? Think of a manufacturing or food supply chain: raw materials are shipped to manufacturers where they are processed further, then on to a warehouse and a delivery system, and finally reach the customer. With the complex software developed nowadays, it is the same. We use external resources like frameworks, libraries, or a CMS to make the final product. So by attacking only one stage of it, you may infiltrate many systems. This is what we call a cascading attack, and this circumstance is often exploited.
Some (but not all) examples of the impact of these kinds of malware are: