Software Composition Analysis Mitigates Systemic Risk in the Popular NPM Repository

Chris Wysopal, Veracode Chief Technology Officer and Co-Founder, recently sat down to discuss the open source supply chain attack on the popular npm repository. Below is the transcript and corresponding video of his reaction.

Just a few days ago, we saw a classic open source supply chain attack where someone modified a JavaScript library, UA-Parser-JS, which is in the npm repository. The attackers modified the library to include password stealers and crypto miners so that the applications of anyone who downloaded that version would be compromised. 

With an attack like this, the applications that are using this library with this code are going to be running that code with the privileges that they have, wherever they’re deployed.

In this case, it was malicious code that was planted. I’m sure it was done in such a way that everyone using those libraries is going to become vulnerable.

If it’s password-stealing code, it’s going to grab the passwords and send them to the attackers. In the case of crypto miners, it’s going to suck up resources and CPU time and send the money to the attacker’s wallets. 

It’s important if you’re using any kind of open source – which 99 percent of people building applications are – to use an open source software composition analysis (SCA) tool. What that can do is determine what open source you’re using. Veracode SCA does this. Another important thing to do is make sure the vulnerability database that your SCA tool uses is current and up to date.

At Veracode, we scan all the open source repos every single night. When this malicious code was inserted, we detected it right away. All of our customers were alerted that if they’re using this version of the code, they need to update to the non-vulnerable version immediately.

Veracode’s recent State of Software Security: Open Source Edition report shows that 79 percent of the open source libraries that developers include are set it and forget it, which means they include it once and they never update it. But the updates tend to be relatively straightforward. In fact, 92 percent of open source flaws can be fixed with an update. And 69 percent of updates are a minor version change or less.

It is really important to have good and timely information about the vulnerabilities in the libraries you’re using and a good process for updating the libraries … hopefully in a very automated manner. That way you’re updating these libraries without any manual effort, probably in minutes or hours instead of months. That could be the difference between an attacker compromising you or not.

This is why it’s so important to stay on top of all the known vulnerabilities in the open source libraries you’re using as part of your application, because when you include that third-party code, your application is likely to become vulnerable to those same problems. 
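The two steps the transcript describes, inventorying what open source an application actually ships and matching that inventory against a current advisory feed, as an added example that is not Veracode's or the ua-parser-js project's code. It reads an npm lockfile in the lockfileVersion 3 shape; the lockfile contents, the advisory ids and every version number are constructed placeholders, not the real advisory data for this incident.

```javascript
// Added example (not Veracode's or the ua-parser-js project's code): a minimal SCA-style
// check that inventories an npm lockfile and matches it against an advisory feed. Lockfile
// contents, advisory ids and every version number are CONSTRUCTED placeholders.
const LOCKFILE = { // lockfileVersion 3 shape: "packages" keyed by node_modules path
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "ua-parser-js": "^2.4.0" } },
    "node_modules/ua-parser-js": { version: "2.4.0" },
    "node_modules/some-cli/node_modules/ua-parser-js": { version: "2.3.9" }, // nested copy
    "node_modules/@scope/widget": { version: "1.0.2" },
  },
};
// Exact versions for a planted-malware release; a range for an ordinary flaw.
const ADVISORIES = [
  { id: "ADV-PLACEHOLDER-1", name: "ua-parser-js", affected: ["2.4.0", "2.5.0", "3.0.0"], fix: "2.4.1" },
  { id: "ADV-PLACEHOLDER-2", name: "@scope/widget", introduced: "1.0.0", fixed: "1.0.3", fix: "1.0.3" },
];
// Numeric dotted-version comparison; pre-release tags are ignored for brevity.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
// Every installed package, including nested duplicates and scoped names.
function inventory(lock) {
  return Object.entries(lock.packages)
    .filter(([path]) => path.includes("node_modules/"))
    .map(([path, meta]) => ({
      path, version: meta.version,
      name: path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length),
    }));
}
// Exact-version list (malicious release) or [introduced, fixed) range.
function isAffected(adv, version) {
  if (adv.affected) return adv.affected.includes(version);
  return compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0;
}
// Match the inventory against the feed; each finding names the path to update.
function findAffected(lock, advisories) {
  return inventory(lock).flatMap((pkg) =>
    advisories
      .filter((adv) => adv.name === pkg.name && isAffected(adv, pkg.version))
      .map((adv) => ({ id: adv.id, path: pkg.path, version: pkg.version, updateTo: adv.fix })));
}
console.table(findAffected(LOCKFILE, ADVISORIES)); // prints the two placeholder hits
```

Pointing the same logic at a real package-lock.json and a nightly-refreshed feed is the automated, minutes-not-months update loop the transcript argues for; the nested copy under some-cli shows why walking the lockfile beats reading package.json alone.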

Don’t fall victim to an open source attack. Learn how Veracode Software Composition Analysis can protect your code.

Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter.
