Continuous Verification of Open Source Components in a World of Weak Links

T. Hastings, Kristen R. Walcott
DOI: 10.1109/ISSREW55968.2022.00068 (https://doi.org/10.1109/ISSREW55968.2022.00068)
Published in: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), 2022-10-01
Citations: 1

Abstract

We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizations. The widespread adoption of open source (99% of today's software utilizes open source), the ease of today's package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and those projects are then potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, or denying a service. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year, and there is not a good way to vet or monitor an open-source project prior to incorporating the project. In this paper, we analyzed two case studies of compromised open source components. We propose six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches, such as analyzing community metrics and project hygiene using scorecards and monitoring the boundary of the software in production. In one case study, the controls identified high levels of risk immediately even though the package is widely used and has over 7 million downloads a week. In both case studies we found that the controls could have prevented malicious actions despite the project breaches.
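As an added illustration (not code from the paper, whose six controls are not detailed in this abstract), a hypothetical project-hygiene scorecard with assumed checks and weights; it shows why a package with 7 million weekly downloads can still score as high risk when popularity is reported but never subtracted from the score.

```python
"""Hypothetical project-hygiene scorecard (added example, not the paper's controls)."""
from dataclasses import dataclass


@dataclass
class ProjectMetrics:
    name: str
    weekly_downloads: int
    maintainers: int
    days_since_last_commit: int
    days_since_maintainer_change: int   # a recent ownership transfer is a warning sign
    signed_releases: bool
    has_install_scripts: bool           # e.g. install-time hooks run by the package manager
    release_built_from_tagged_source: bool


# Each check yields (points, reason). Points accumulate into a risk score;
# the weights are illustrative assumptions, not values from the paper.
def hygiene_findings(m: ProjectMetrics) -> list[tuple[int, str]]:
    findings = []
    if m.maintainers <= 1:
        findings.append((3, "single maintainer (bus factor 1, one account to protect)"))
    if m.days_since_maintainer_change <= 90:
        findings.append((3, "maintainer/ownership changed within the last 90 days"))
    if not m.signed_releases:
        findings.append((2, "releases are not signed"))
    if not m.release_built_from_tagged_source:
        findings.append((3, "published artifact does not match a tagged source revision"))
    if m.has_install_scripts:
        findings.append((2, "package runs install-time scripts"))
    if m.days_since_last_commit > 365:
        findings.append((1, "no commits in over a year (possibly abandoned)"))
    return findings


def risk_level(m: ProjectMetrics) -> str:
    score = sum(p for p, _ in hygiene_findings(m))
    # Popularity deliberately does not lower the score: a widely used package
    # is a higher-value target, so downloads are shown to the reviewer but never subtracted.
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


# Constructed sample inputs (not the packages from the paper's case studies).
POPULAR_BUT_RISKY = ProjectMetrics("left-widget", 7_000_000, 1, 5, 30, False, True, False)
WELL_MAINTAINED = ProjectMetrics("solid-lib", 50_000, 6, 12, 900, True, False, True)

if __name__ == "__main__":
    for pkg in (POPULAR_BUT_RISKY, WELL_MAINTAINED):
        print(pkg.name, f"{pkg.weekly_downloads:,} downloads/week ->", risk_level(pkg))
        for pts, why in hygiene_findings(pkg):
            print(f"  +{pts}: {why}")
```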