There has been a huge spike in online searches around words like “SolarWinds” and “Hafnium Microsoft Exchange” in recent days and weeks—and for good reason. These high-profile security breaches have forced software supply chain security to the top of every technology leader’s priority list.
Sadly, although these are the most prominent of the recent software supply chain attacks, they are only the tip of the iceberg. Several other high-profile exploits have recently come to light, including some that directly impact the open source components in your organization’s software supply chain. Just this past weekend, vulnerabilities in the npm package Netmask and an attack on PHP's Git server cropped up.
We thought it would be helpful to summarize the facts about these supply chain attacks, and share Tidelift’s advice on what your organization should do about them.
Software supply chain management and security defined
First things first: when we refer to the “software supply chain,” we mean the sum of all the technology, resources, and developers that go into creating your application, product, or service. While the recent interest in software supply chain management and security has been driven primarily by the attention that the SolarWinds attack has received, the number of catastrophic supply chain attacks impacting both open source software and proprietary software has certainly been increasing.
Making the news: software supply chain attacks
In December, news broke that SolarWinds had been compromised: a few innocent-looking lines of code were inserted somewhere in the build process of SolarWinds’ Orion product. This code was malicious, creating what is now known as the SUNBURST backdoor, through which attackers were able to access the company’s development and distribution pipeline.
These trojanized updates were then downloaded by tens of thousands of SolarWinds customers. In response to the increasing threat caused by attacks like the one that impacted SolarWinds and its customers, the White House issued an executive order asking for a thorough review of all United States federal government software supply chains.
This order calls for the Secretary of Commerce and Secretary of Homeland Security to coordinate with heads of federal agencies to report on the security and integrity of software supply chains. In the executive order, President Biden requests:
"The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the heads of appropriate agencies, shall submit a report on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base (as determined by the Secretary of Commerce and the Secretary of Homeland Security), including the industrial base for the development of ICT software, data, and associated services."
SolarWinds might have made the most front page news, but it’s not the only recent, mega-troubling attack. Tens of thousands of self-hosted email servers were left vulnerable as a part of the so-called “Hafnium” attack when weaknesses were exploited in Microsoft’s Exchange email platform. Entire inboxes were stolen in this indiscriminate and widespread attack.
These events build on a surge of recent open source software supply chain attacks. Some examples:
- New type of supply-chain attack hit Apple, Microsoft and 33 other companies
- The year-long rash of supply chain attacks against open source is getting worse
- Supply chain attack hits 26 open source projects on GitHub
Some say open source is less at risk because of the “many eyes make all bugs shallow” principle. But the SolarWinds and Hafnium attacks prove that even the world’s largest and most sophisticated organizations, with extensive resources, can become victims.
Open source supply chain attacks bring with them a new set of complexities
Managing the security of your organization’s open source supply chain can be incredibly complex. Proprietary software like SolarWinds is created by a single supplier, but with open source software, there can be dozens of open source maintainers with commit privileges for a single component. Up to 70% of code that makes up the modern application is open source—and wrangling thousands of different suppliers can seem like an insurmountable task.
Out of necessity, leading tech organizations have come up with their own ways to take control of their open source supply chain. For example, Google’s centrally administered /third_party repository in their much-discussed monorepo gives internal developers access to known-good, proactively maintained open source components.
The best way to prevent open source software supply chain attacks is to implement a strategy for managing the open source in use across your organization. But most organizations don’t have Google-scale resources to implement that strategy.
Managing and securing your open source software supply chain
Our data shows that 92% of modern applications contain open source components. Open source is everywhere, and for good reason. It helps speed up the development lifecycle. It’s mandatory for modern software development, and organizations that significantly restrict it will be hobbled.
At Tidelift, we provide a proactive solution for managing the open source part of your organization’s software supply chain, keeping your developers moving quickly, while staying up to date and safe from attacks that threaten your organization.
Our solution is three-pronged:
- Tools: We provide the tools to curate, track, and manage catalogs of open source components and the policies that govern them. We also integrate seamlessly with your existing source code and repository management solutions like GitHub, GitLab, and JFrog Artifactory.
- Management: We research and advise you on how to resolve security, maintenance, and licensing issues. Use Tidelift-managed catalogs of pre-vetted, known-good components as a head start for your organization’s paved path and keep your developers moving fast and staying safe.
- Maintainers: We partner with a large and fast-growing network of open source maintainers who create and maintain the dependencies you use every day, paying them to keep their code secure and up to date—now and into the future.
Our partnerships with the maintainers not only ensure that the packages that you use will be accurately licensed, secure and well-maintained, but through the Tidelift Subscription, we pay the maintainers for their valuable work to strengthen the entire open source ecosystem and harden the supply chain.
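To make the “catalog plus policy” idea from the three prongs above concrete, here is an added example of what a catalog gate can look like when it runs in a build pipeline. It is illustration code written for this post, not Tidelift’s product and not Google’s /third_party tooling. The package names, versions, digests, the catalog layout and the policy format are all constructed; the digests are placeholders, not real hashes. The check compares every pinned dependency in a lockfile-shaped manifest against a catalog of vetted components and reports four kinds of drift: a package the organization never approved, a license outside policy, a version that was never vetted, and an artifact whose integrity value differs from the one recorded when the version was vetted (the trojanized-artifact case that made SolarWinds so damaging).

```python
"""Gate a dependency manifest against a curated catalog of known-good
open source components.

Added illustration for this post, not Tidelift's product code and not
Google's /third_party tooling.  Package names, versions, digests and the
catalog/policy layout are all constructed for the example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed catalog: each approved component lists its license and, per
# vetted version, the artifact digest recorded at vetting time.  Digests
# here are placeholders, not real hashes.
CATALOG = {
    "netmask": {"license": "MIT",
                "versions": {"2.0.1": "sha512-PLACEHOLDER-netmask-2.0.1"}},
    "lodash": {"license": "MIT",
               "versions": {"4.17.21": "sha512-PLACEHOLDER-lodash-4.17.21"}},
    "left-pad": {"license": "WTFPL",
                 "versions": {"1.3.0": "sha512-PLACEHOLDER-left-pad-1.3.0"}},
}

# Constructed organization policy: which licenses a catalog entry may carry.
POLICY = {"allowed_licenses": {"MIT", "ISC", "Apache-2.0", "BSD-3-Clause"}}

# Constructed lockfile in the shape of an npm v1 package-lock "dependencies"
# map (name -> version / integrity).  Four cases are deliberately included:
# a clean entry, a tampered artifact, a license problem, an unknown package.
LOCKFILE = json.dumps({
    "dependencies": {
        "netmask":  {"version": "2.0.1",
                     "integrity": "sha512-PLACEHOLDER-netmask-2.0.1"},
        "lodash":   {"version": "4.17.21",
                     "integrity": "sha512-PLACEHOLDER-lodash-TAMPERED"},
        "left-pad": {"version": "1.3.0",
                     "integrity": "sha512-PLACEHOLDER-left-pad-1.3.0"},
        "evil-pkg": {"version": "0.0.1",
                     "integrity": "sha512-PLACEHOLDER-evil-pkg-0.0.1"},
    }
})

# Findings that mean "unknown supplier" or "artifact differs from the vetted
# one" stop the build outright; the rest go to a human reviewer.
BLOCKING = {"not-in-catalog", "integrity-mismatch"}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    code: str     # machine-readable reason, used by gate()
    detail: str   # human-readable explanation


def check_manifest(lockfile_json: str, catalog: dict, policy: dict) -> list[Finding]:
    """Compare every pinned dependency with the catalog and return findings."""
    deps = json.loads(lockfile_json).get("dependencies", {})
    findings: list[Finding] = []
    for name, entry in sorted(deps.items()):
        version = entry.get("version", "")
        integrity = entry.get("integrity", "")
        component = catalog.get(name)
        if component is None:
            findings.append(Finding(name, version, "not-in-catalog",
                                    "package is not an approved component"))
            continue
        if component["license"] not in policy["allowed_licenses"]:
            findings.append(Finding(name, version, "license-not-allowed",
                                    f"license {component['license']} is outside policy"))
        vetted_digest = component["versions"].get(version)
        if vetted_digest is None:
            approved = ", ".join(sorted(component["versions"]))
            findings.append(Finding(name, version, "version-not-approved",
                                    f"approved versions: {approved}"))
            continue
        if integrity != vetted_digest:
            findings.append(Finding(name, version, "integrity-mismatch",
                                    "lockfile integrity differs from the digest "
                                    "recorded when this version was vetted"))
    return findings


def gate(findings: list[Finding]) -> str:
    """Reduce findings to a verdict: 'block', 'review' or 'pass'."""
    if any(f.code in BLOCKING for f in findings):
        return "block"
    return "review" if findings else "pass"


if __name__ == "__main__":
    results = check_manifest(LOCKFILE, CATALOG, POLICY)
    for f in results:
        print(f"{f.code:22} {f.package}@{f.version}: {f.detail}")
    print("verdict:", gate(results))
```

Run as written, the script reports evil-pkg (not in catalog), left-pad (license outside policy) and lodash (integrity mismatch), stays silent on netmask, and returns the verdict “block”. The split between blocking and review-only findings is the design point: an unknown supplier or an artifact that no longer matches the vetted digest is exactly the signal a trojanized update produces and should never reach production silently, whereas a license or version drift is a policy conversation rather than an emergency.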
What should I be asking my non-open source vendors?
When procuring software from proprietary vendors, or using software-as-a-service platforms, we recommend asking these three questions:
- What processes are in place to continuously monitor and identify risk in the third-party software that is incorporated into their offering, including open source components?
- What is their process for responding to and remediating the vulnerabilities that will inevitably emerge in that supply chain, including third-party community-created open source?
- How is my organization protected from the increasing threat of malicious code injection through targeted software supply chain attacks?
A proactive approach to charting your organization’s software supply chain strategy
Whether or not your board of directors has already requested it, every organization now needs a complete and proactive strategy for addressing third-party software supply chain risk.
Tidelift is uniquely capable of taking a proactive approach to managing and securing the open source used in your applications today. We partner directly with open source maintainers to ensure that not only is your code secure from dev through to production, but that it stays that way.
Want to see how Tidelift can help your organization manage its open source software supply chain?