What is a vulnerability?

A vulnerability in your internal software supply chain is a potential attack vector related to the components of the SDLC under the control of your project or organization. The components include developer workstations, source code repositories, build systems, and storage artifact systems. Content such as software source code, infrastructure as code and configuration as code are also included.

A vulnerability in your external software supply chain exposes your dependencies to supply chain attacks. Your external supply chain consists of all dependencies outside your ownership and control – in other words, any code not written by your project or organization. Examples include: hardware such as servers and network equipment, vendor and open-source software, and software as a service and other cloud services.

‍

What was the Log4Shell incident?

Log4Shell was a remote code execution (RCE) vulnerability in versions of the Apache Log4j Java library, found in 2021. It is infamous because it was one of the most disruptive vulnerabilities to date, affecting a highly popular open source code base which was a critical dependency of a broad set of industry cloud services, including iCloud. It is, however, not the last RCE that we will experience. RCE vulnerabilities let attackers remotely run malicious code on a system, leading to data loss and complete compromise if not addressed. Keeping software updated is the answer, but that is easier said than done. As of late 2023 — a full two years after the Log4Shell vulnerability was disclosed and fixed — researchers found that 38% of applications are still using a vulnerable version of Log4j.

‍

What is spoofing?

In the context of third-party risk, spoofing is any attack that tricks a person or system into pulling down a package they believed to be from the right location. This is different from typosquatting where the user has a typo and pulls down a bad package. This can be something like DNS spoofing where something like your maven manifest, or go.mod dependencies file points to real packages, but your network is tricked into pulling down packages from a fake repository.

‍

What is typosquatting?

Typosquatting is one of the most common types of third-party supply chain attacks. Attackers name a malicious package or source repo similarly to a non-malicious package or source repo. Recently, a Python packaged called "request" was published to PyPI, the primary Python package registry. Python has a very popular HTTP library called “requests.” In the attack, the "s" was removed at the end of "requests," leading unsuspecting engineers to install and include a malicious package in their code because of a typo. This type of attack is becoming increasingly frequent as it is very simple to fork an existing package, inject it with malicious code, and then publish it with a name that's similar to the original package. Open source software is often the target of typosquatting as most vendor software comes from private package repositories that are less prone to this sort of attack.

‍

What was the xz incident?

The xz incident was a social engineering attack carried out over a long period of time in which one or more malicious actors gained privileges in a widely-used compression library by posing as a helpful contributor. After gaining access to the source code repository, the attacker introduced obfuscated code that added a “backdoor” to the library. This incident is considered a near-disaster because a developer discovered it by accident before the vulnerable version had spread widely. If it had, servers worldwide would have been open to remote access by the attacker. Read here for Kusari’s perspective on the lessons learned.