Supply Chain Attacks: How Can Enterprises Act?

It’s clear we are undergoing a Digital Transformation Era. Companies across all sectors have invested significantly in their own digital platforms: e-banking, e-commerce, PWAs, streaming services, and much more.

Achieving differentiation in this Era means pushing software development teams to deliver highly advanced applications in record time. Developing every single feature in-house has long stopped being sustainable. Now, developing digital products means re-using third-party code and integrating third-party scripts for added functionality.

Code Dependencies and Third-Party Scripts

The growth of JavaScript as the language of the Web has led to the emergence of libraries and frameworks — two major promoters of development speed.

If we look at a typical development scenario for creating a React.js app with create-react-app, this step alone involves installing over 1,000 code dependencies, which are mostly open-source projects maintained by volunteers.

Something similar occurs when companies seek to extend the functionality of their existing applications. Integrating third-party scripts makes it easy to access a myriad of services, such as analytics, UX improvements, and ads. Recent analyses of web applications put this into numbers:

67% of code in web applications today is third-party scripts.

If modern applications rely so much on third-party code, what happens when third-party developers or providers are attacked?

The Emergence of Supply Chain Attacks

Relying on third-party code has greatly increased the attack surface of applications. Attackers rapidly identified this new weakest link in the software supply chain: instead of directly attacking a single high-profile company (which likely has advanced security systems), why not breach a code dependency or third-party script, which is likely maintained by a single developer?

Most third-party code providers don’t have enterprise-grade security systems.

By using code dependencies, companies are trusting their maintainers to keep this code innocuous. However, this is not always the case, as seen in the recent incident with the event-stream library. A volunteer gained legitimate control over the project and inserted a direct code dependency containing malicious code. This code reached its target downstream, infecting production builds of the Copay cryptocurrency wallet and stealing account data and private keys from several Copay user accounts.

A single contributor with malicious purposes can compromise a component, which in turn compromises the thousands of projects that use it as a dependency.
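One way to catch the pattern described above (a routine update that quietly brings in a new dependency) is to diff the lockfile before and after the update and review every change. This is an added example, not code from the original article; the `diffLockfiles` helper, package names, versions and integrity strings are constructed for illustration, and it assumes the npm `package-lock.json` format with a `packages` map.

```javascript
// Constructed lockfile snapshots (lockfileVersion 3 "packages" map); names and hashes are made up.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-wallet", version: "1.0.0" },
    "node_modules/example-stream": { version: "3.3.5", integrity: "sha512-AAAA" },
    "node_modules/example-logger": { version: "1.0.0", integrity: "sha512-BBBB" },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-wallet", version: "1.0.0" },
    "node_modules/example-stream": { version: "3.3.6", integrity: "sha512-CCCC" },
    "node_modules/example-logger": { version: "1.0.0", integrity: "sha512-DDDD" },
    "node_modules/example-flatmap": { version: "0.1.1", integrity: "sha512-EEEE" },
  },
};

// Report what a dependency update actually changed, so each item can be reviewed before the build ships.
function diffLockfiles(before, after) {
  const oldPkgs = before.packages || {};
  const newPkgs = after.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(newPkgs)) {
    if (path === "") continue; // the root project itself
    const prev = oldPkgs[path];
    if (!prev) {
      // A package that was not installed before: new code nobody has reviewed yet.
      findings.push({ type: "added", path, version: entry.version });
    } else if (prev.version !== entry.version) {
      findings.push({ type: "version-changed", path, from: prev.version, to: entry.version });
    } else if (prev.integrity !== entry.integrity) {
      // Same version, different content hash: the published artifact itself changed.
      findings.push({ type: "integrity-changed", path, version: entry.version });
    }
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== "" && !(path in newPkgs)) findings.push({ type: "removed", path });
  }
  return findings;
}

console.log(diffLockfiles(lockBefore, lockAfter));
```

Run in CI on every pull request that touches the lockfile, the `added` and `integrity-changed` entries are the ones that most deserve a manual look.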

The risk is very similar when using third-party scripts. When an application directly loads a script, it accepts by default any change to this code made by the third-party provider. Because this third-party code has the same privileges as all the code developed in-house, it can directly compromise the entire application.

This is the modus operandi of the cybercriminal group Magecart: breaching third-party script providers to attack high-profile companies. The notorious British Airways breach was achieved by injecting malicious code into the Modernizr script that the company was loading on its website and mobile app. As a result, 380,000 customers had their credit card data stolen.
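A first step toward controlling this exposure is knowing which external scripts a page loads and which of them the browser would accept in any modified form. The following added example (not from the original article) inventories `<script src>` tags and flags third-party ones that carry no Subresource Integrity `integrity` attribute; the `auditScripts` helper, the page URL and the sample markup are constructed.

```javascript
// Constructed sample markup for a checkout page; all hosts and the hash value are placeholders.
const samplePage = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/feature-detect.min.js"></script>
<script src="https://cdn.example.net/lib/ui.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
<script data-src="https://lazy.example.org/ignored.js"></script>
<script src="//analytics.example.org/tag.js" async></script>
`;

// List every external script and mark third-party ones loaded without an integrity pin.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const results = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = tag[1];
    // Require whitespace before the attribute name so data-src is not mistaken for src.
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: no external source to track
    const url = new URL(src[1], pageUrl); // resolves relative and protocol-relative URLs
    const pinned = /(?:^|\s)integrity\s*=\s*["'][^"']+["']/i.test(attrs);
    const thirdParty = url.origin !== pageOrigin;
    results.push({ src: url.href, thirdParty, pinned, unpinnedThirdParty: thirdParty && !pinned });
  }
  return results;
}

const report = auditScripts(samplePage, "https://shop.example.com/checkout");
for (const r of report) {
  if (r.unpinnedThirdParty) console.log("review:", r.src);
}
```

An integrity pin only suits scripts whose content is versioned and static; providers that update a script in place need monitoring of what the script does at runtime instead.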

In all cases, companies take a long time to detect and react to these supply chain attacks, which greatly contributes to the magnitude of the ensuing data breaches.

Mitigating supply chain attacks requires addressing several cyber resiliency techniques, including Analytic Monitoring, Adaptive Response, and Substantiated Integrity.

To apply these mitigation techniques, companies must employ a security-in-depth approach. Investing resources only in perimeter defenses or SAST (Static Application Security Testing) is not an adequate approach, as these are ineffective against supply chain attacks. Client-side security solutions become instrumental in mitigating supply chain attacks, as these attacks often operate through changes that manifest on the client side. Among several strategies, Webpage Monitoring enables mitigating these attacks in real time.

All these actionable mitigation strategies are outlined in our free Supply Chain Attacks white paper.

Final Thoughts

Supply chain attacks are increasing in frequency, as the return on investment for attackers is much higher when compared to typical cyber attacks. A single attack can breach thousands of companies, by exploiting the clear weakest link in the software supply chain.

Third-party code isn’t going anywhere either. It will remain a standard development practice. The burden now falls on security teams to employ proper client-side security and mitigate supply chain attacks before they become yet another costly headline.


Originally published on the Jscrambler Blog.

Supply Chain Attacks: How Can Enterprises Act? was originally published in Hacker Noon on Medium.

Publication date: 
02/22/2019 - 19:14