Even common JavaScript frameworks, such as jQuery and React, aren’t immune to library abuse and exploits. One blog post from 2019 cited a heavy reliance on insecure JavaScript libraries among all of Michael Howard’s clients when they were polled on the issue. ReversingLabs founder and CEO Mario Vuksan wrote in a recent company blog post that “The results are clear: Software supply chain attacks are on the rise, and the ripple effect of each one continues to get bigger.”
Veracode, which tracks application security, noted in its most recent analysis that over 70% of applications contain at least one open-source flaw, a percentage that sadly hasn’t changed much over the years.
Finally, there is the added dimension of how malicious code in the supply chain will affect the generative AI models now coming into popular use across enterprises. Microsoft security guru Mark Russinovich spoke at this month’s Build conference about the various ways to poison or otherwise add malware to generative AI models, which is another form of third-party software supply chain attack. This will be another hurdle for defenders to understand and to build protective measures against.
Ways to mitigate third-party library risks
There are a number of techniques to mitigate the risks of third-party libraries. Chris Wysopal, the CTO and co-founder of Veracode, tells CSO that he wants software developers to be more proactive and “invest in the right kinds of tooling to find and fix vulnerabilities in their software supply chains and employ immediate fixes, governments must also acknowledge the potential risk to national security posed by open-source software.” This is a common refrain from him, harking back to his earlier days under the hacker handle Weld Pond, when he testified before Congress on the topic.
As software gets more complex with more dependent components, it quickly becomes difficult to detect coding errors, whether they are inadvertent or added for malicious purposes as attackers try to hide their malware. “A smart attacker would just make their attack look like an inadvertent vulnerability, thereby creating extremely plausible deniability,” Williams says.
There are ways to help flag and eliminate these insecure libraries. In June 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a series of recommendations on how to improve development frameworks and coding pipelines to prevent third-party attacks. While the agency acknowledged the benefits of third-party code in facilitating rapid development and deployment, it said there need to be controls such as better and cryptographically stronger account credentials and restrictions on untrusted libraries, for example.