
Open Source Software Supply Chain Threats

Open source accelerates software development, boosting developer productivity and innovation. However, cyber attacks targeting open source are on the rise, and open source is a critical part of any software supply chain. Below is a list of real-life threats to open source software. Each threat is linked to a real security incident. Our framework provides the support to protect your supply chains and prevent threats like these from compromising your organization's software and development environment.

Comprehensive compilation of OSS supply chain threats

| Threat | Mitigation via OSS SSC Framework | Framework requirement reference |
| --- | --- | --- |
| Accidental vulnerabilities in OSS code or containers that we inherit | Automated patching; display OSS vulnerabilities as pull requests | UPD-2, UPD-3 |
| Intentional vulnerabilities/backdoors added to an OSS code base | Perform proactive security review of OSS | SCA-5 |
| A malicious actor compromises a known good OSS component and adds malicious code into the repo | Ability to block ingestion via malware scan; single feed; all packages are scanned for malware prior to download | ING-3, ENF-2, SCA-4 |
| A malicious actor creates a malicious package that is similar in name to a popular OSS component to trick developers into downloading it | OSS provenance analysis; single feed; all packages are scanned for malware prior to download | AUD-1, ENF-2, SCA-4 |
| A malicious actor compromises the compiler used by the OSS during build, adding backdoors | Rebuilding OSS on trusted build infrastructure ensures that packages don't have anything injected at build time | REB-1 |
| Dependency confusion, package substitution attacks | Single feed; securely configure your package source mapping | ENF-1, ENF-2 |
| An OSS component adds new dependencies that are malicious | All packages are scanned for malware prior to download; single feed | SCA-4, ENF-2 |
| The integrity of an OSS package is tampered with after build but before consumption | Digital signature or hash verification; SBOM validation | AUD-3, AUD-4 |
| Upstream source can be removed or taken down, which can then break builds that depend on that OSS component or container | Use package-caching solutions; mirror a copy of OSS source code to an internal location for Business Continuity and Disaster Recovery (BCDR) scenarios | ING-2, ING-4 |
| OSS components reach end-of-support/end-of-life and therefore don't patch vulnerabilities | Scan OSS to determine if it is at end-of-life | SCA-3 |
| Vulnerability not fixed by upstream maintainer in desired timeframe | Implement a change in the code to address a zero-day vulnerability, rebuild, deploy to your organization, and confidentially contribute the fix to the upstream maintainer | FIX-1 |
| Bad actor compromises a package manager account (e.g. npm), with no change to the corresponding open source repo, and uploads a new malicious version of a package | OSS provenance analysis; single feed; scan OSS for malware | AUD-1, ENF-2, SCA-4 |