Supply Chain Attacks – Risk Perception vs Reality
Supply chain attacks have surged in recent years, gradually becoming a formidable threat in the cybersecurity landscape. Yet, despite their growing prevalence, there seems to be a disconnection between the perception and the reality of their potential damage. A staggering number of developers exhibit a ‘not in my backyard’ mentality, assuming their codebases are secure and impenetrable. However, the actual metrics narrate a contrasting tale, revealing that plenty of software is susceptible due to vulnerabilities stemming from dependencies.
The Unseen Web of Dependencies
When developers integrate a library into their code, seldom do they realize the chain of dependencies that quietly intertwine with their software. A single library may bring along a myriad of other dependencies, each carrying its own set of vulnerabilities.
According to Sonatype, while only 10% of over 12,000 libraries had a vulnerability in their own code, the figure skyrocketed to 62% when considering transitive vulnerabilities from dependencies. This scenario, often underappreciated or overlooked, exposes software to a multiplicity of unseen threats, making it a ripe target for supply chain attacks.
A Mirage of Security
Ironically, even as the threats loom large, a substantial proportion of developers believe that their applications are not utilizing vulnerable libraries. Sonatype’s survey revealed that 68% of developers were confident that their applications were not employing known vulnerable libraries. However, a reality check provided by a scan of 55,000 enterprise applications showed that 68% of them indeed had known vulnerabilities.
This glaring disparity between perception and reality raises a critical question: why are developers blind to the risks lurking in their code?
The Illusion of ‘It Won’t Happen to Me’
This disparity is often fueled by an implicit bias, where developers, and even IT managers, perceive their code and practices to be above par. The ‘it won’t happen to me’ syndrome takes root, perpetuating a cycle of underestimation of risks and overconfidence in internal practices.
Furthermore, the complexity of managing and tracking the extensive web of dependencies, updates, and vulnerabilities becomes a daunting task. With each Java application containing an average of 148 dependencies (20 more than the previous year) and updating 10 times a year, developers are left grappling with managing intelligence on almost 1500 dependency changes annually per application.
The Peril of Negligence
Amidst all of this, the threat of malicious open-source packages is ominously on the rise. A whopping 88,000 malicious open-source packages (and versions thereof) were uncovered in a single year, indicating a proliferating risk to corporate systems due to both intentional and unintentional vulnerabilities. This surge in malicious activity is a testament to the increased use of open-source packages by development teams aiming to expedite time-to-market – often at the expense of thoroughly vetting security.
Shifting the Paradigm: Mitigating Unseen Risks
Mitigating these risks entails a paradigm shift in developers’ and organizations’ approaches towards software development and security:
- Acknowledge the Unseen: Developers and organizations must first acknowledge the potential threats that lie hidden within the dependencies of the libraries they use.
- Transparently Manage Dependencies: Employing tools and practices that ensure visibility and management of dependencies enables developers to gain a clear picture of all integrated libraries and their respective dependencies.
- Prioritize Security: The selection of components should prioritize security, even if it means opting for a less popular project with fewer vulnerabilities and a smaller dependency tree.
- Embrace Proactive Security Measures: It’s wise to give preference to a trustworthy source for your dependencies over popular, but unvetted, repositories. Services like TuxCare’s SecureChain for Java offer this exact feature.
- Continuously Monitor and Update: Ensuring continuous monitoring of dependencies for vulnerabilities and regular updating of libraries will help shield software from potential threats.
As the threat landscape continues to evolve, acknowledging the unseen risks and embedding robust security practices into the development lifecycle becomes an unavoidable concern. Overconfidence and underestimation induce a form of selective blindness that shields attackers just long enough to actively harm production software, and should be actively avoided to protect software from the burgeoning threats of supply chain attacks.
Developers and organizations alike must navigate through the intricate web of dependencies with a vigilant eye, ensuring that their code remains secure amidst the hidden perils that lie in wait.