Supply chain attacks are a growing threat to organizational cybersecurity. Since software is often dependent upon thousands of different pieces of third-party code, an organization’s attack surface is much larger than it appears on the surface. Securing applications with potentially vulnerable (or malicious) dependencies requires a solution like runtime application self-protection (RASP), which monitors the application’s behavior and takes action when anomalies are detected.
Application Dependencies are Growing More Complex
Code reuse is considered best practice in development. If an organization is developing an application and wants to have access to certain functionality, it is almost always a better idea to use an existing implementation than to try to develop their own.
This is true for a number of different reasons. Use of existing code means that the organization does not need to pay to have the code developed, which can reduce overhead. Additionally, every piece of code that needs to be designed, written, and tested takes time and pushes out release timelines. Finally, the organization may not have the expertise needed to implement the code, meaning that they either need to source the necessary talent or risk implementing incorrect code.
For all of these reasons, the number of dependencies that the average application uses is significant. In fact, the average web application contains over 1,000 different dependencies. On top of this, each of these dependencies has an average of 80 dependencies of their own. Like the proverbial iceberg, what you can see of the code of a web application is only a small part of the whole.
Supply Chains Introduce New Vulnerabilities
Code reuse provides a number of benefits to an organization; however, it also creates problems. The fact that software can have bugs, including exploitable vulnerabilities, comes as no surprise, and this also applies to the dependencies that web applications rely upon. These potential vulnerabilities (or embedded malicious code) can enter a program accidentally or intentionally.
The potential for inheriting vulnerabilities from third-party code is a very real one for modern applications. For many developers, their default response when they cannot determine the best way to implement desired functionality is to look at sites such as Stack Overflow, where users can post questions and answers. These answers often contain code samples, and, while these samples may implement the desired functionality, they may not be completely correct or secure.
These potential sources of third-party errors are combined with libraries and other code developed outside of an organization. While some libraries and other third-party code samples may be produced by organizations with strong code review processes in place, this is not true for all cases. When taking advantage of external code, an organization may be adding new vulnerabilities to their code as well.
Supply Chain Exploitation
While many vulnerabilities in external dependencies are created unintentionally, this is not the only or even the most dangerous source of third-party vulnerabilities. Cybercriminals are aware of the growing use of external code in applications and have begun taking advantage of it.
Certain sources of third-party code are commonly used by organizations. For example, Apache Struts, the open-source web server involved in the Equifax breach, is used by a large percentage of major organizations. By exploiting the developers of these commonly-used programs and inserting vulnerabilities, backdoors, or other malicious code into them, cybercriminals are able to dramatically scale their operations since they need to put little or no effort into gaining access to the network environments of new organizations.
The threat of attacks against the software supply chain has grown to the point where the Federal Bureau of Investigation (FBI) has issued a warning about the threat. Cybercriminals are currently engaged in a campaign where they infect organizations in the supply chain of certain industries (healthcare, industrial control systems, etc.) with the Kwampirs malware.
Kwampirs is a remote access trojan (RAT), which is a type of malware modeled upon the tools used by legitimate system administrators to remotely monitor and manage systems under their control. Once Kwampirs is installed on systems within an organization’s network, the cybercriminals can expand their footprint to gain access to code repositories and other critical systems, enabling them to embed malicious functionality within the organization’s products. Depending on the popularity of the software, this could enable attacks against hundreds or thousands of their customers.
Securing Programs with Untrusted Dependencies
Securing the supply chain is a complicated problem. Most organizations lack the resources to perform comprehensive code reviews of the thousands or tens of thousands of applications that their in-house code depends upon. Even if they did, maintaining that level of awareness and security would require audits after each update to determine if new vulnerabilities have snuck in.
On the other hand, leaving these vulnerabilities undiscovered places organizational security at risk. Even a single attack campaign against a single critical dependency can give a cybercriminal a foothold on the organization’s network.
This makes it necessary for organizations to design their cybersecurity to ensure that their systems remain secure even if their own software cannot be trusted. Implementing a zero-trust architecture limits the ability of an exploited application to access sensitive data, but it does nothing to protect data that the application has legitimate access to. To accomplish this, organizations need to deploy runtime application self-protection. RASP monitors the inputs, outputs, and behavior of an application, making it possible to detect anomalies caused by the exploitation of vulnerable dependencies in the software.