By Cam Sivesind
Tue | Jan 10, 2023 | 4:12 AM PST

A new report reveals a significant rise in risk related to open source vulnerabilities and software supply chain attacks. Security teams face increased challenges from attacks using malicious packages as the vehicle of choice.

According to a press release, Mend published its Open Source Risk Report last month. The report found that in the first nine months of 2022 the number of open source vulnerabilities increased by 33 percent over the same period in 2021. A link to download the full report is included in the release.

The report's representative sampling from January to September 2022 of approximately 1,000 North American companies found that only 13 percent of vulnerabilities seen were remediated, compared with 40 percent remediated by those using modern application security best practices. With open source code used in 70 to 90 percent of applications today, more companies are finding themselves vulnerable to attacks as threat actors take advantage of the remediation gap.

"Open source vulnerabilities are slow to remediate for a few reasons," said Travis Smith, VP of the Threat Research Unit at Qualys. "One is there often is not a path to automated remediation, which is a key driver in bringing down the mean time to remediation and patch rate for vulnerabilities. Second, these types of vulnerabilities are often embedded within other software programs, which means these are more complex to discover than other vulnerabilities in programs like Windows or Chrome."

This related post tackles the topic of "Supply-Chain Security: Evaluation of Threats and Mitigations." According to the post from Mercari Engineering, the company examined:

"...the effectiveness of each countermeasure related to supply chain security based on the premise that 'the point of attack injection does not necessarily coincide with the point of execution.' In particular, we clarified the limited effectiveness of recently trending countermeasures such as a software bill of materials (SBOM) which are often adopted without much thought given to their actual efficacy as a solution."

The author continues: "Attack methods can be roughly classified into two categories:

  • Those that compromise and abuse accounts and tokens.
  • Those that infiltrate the supply chain by compromising and abusing dependencies."

The author said the study concludes "there is no single perfect measure to ensure supply chain security," adding "an SBOM is not a silver bullet, and an attestation does not provide an absolute guarantee. Each of these mitigations should be considered to be a single component in a multi-layered defense. That is why it is important to define the necessary requirements clearly and layer your defenses as much as possible."
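To make the layering point concrete, here is an added Python example (not code from Mend, Qualys or the Mercari post): a name/version lookup of SBOM components against an advisory list, followed by a hash check of the artifact actually being installed. The SBOM contents, advisory identifier and artifact bytes are constructed sample data; an artifact substituted at build or distribution time keeps its declared name and version, so only the second layer notices it.

```python
import hashlib
import json

# Constructed sample data (not from the report or the Mercari post): the bytes of
# a genuine package artifact and a substituted one with the same name/version.
GENUINE_ARTIFACT = b"left-pad 1.3.0 -- genuine contents (constructed sample)"
TAMPERED_ARTIFACT = b"left-pad 1.3.0 -- contents with injected code (constructed sample)"

# Constructed CycloneDX-style SBOM: declares components and, for one of them,
# the SHA-256 the build recorded for the genuine artifact.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "left-pad", "version": "1.3.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(GENUINE_ARTIFACT).hexdigest()}]},
        {"name": "requests", "version": "2.25.1"},
    ],
})

# Constructed advisory feed keyed by (name, version); the identifier is a placeholder.
ADVISORIES = {("requests", "2.25.1"): "EXAMPLE-ADVISORY-0001"}


def sbom_vulnerable_components(sbom_json):
    """Layer 1: match declared name/version pairs against the advisory feed.
    This only sees what the SBOM declares, so a substituted artifact that keeps
    the same name and version never shows up here."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        if key in ADVISORIES:
            hits.append((comp["name"], comp["version"], ADVISORIES[key]))
    return hits


def verify_artifact(sbom_json, name, version, artifact_bytes):
    """Layer 2: compare the artifact actually being installed with the hash the
    SBOM recorded. This catches what layer 1 misses: injection at build or
    distribution time, where the declared component still looks clean."""
    sbom = json.loads(sbom_json)
    for comp in sbom["components"]:
        if comp["name"] == name and comp["version"] == version:
            recorded = {h["content"] for h in comp.get("hashes", [])
                        if h["alg"] == "SHA-256"}
            if not recorded:
                return False  # nothing to pin to: treat as unverified
            return hashlib.sha256(artifact_bytes).hexdigest() in recorded
    return False  # component not declared in the SBOM at all
```

Neither check alone is sufficient: the advisory lookup flags the known-vulnerable declared component, while the hash check is what rejects the substituted artifact.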
