Threat actors will always target the things most important to businesses, and today, that means applications–the lifeblood of the global economy. As the recent Mend Open Source Risk Report reveals, the ongoing rise in open source vulnerabilities and software supply chain attacks presents significant business risk. The number of open source vulnerabilities are growing, just as threat actors are launching increasingly sophisticated attacks.
I was inspired to write this after reading a post from Thomas Depierre on Mastodon. The post touched on something that’s been troubling me recently. When it comes to software security, we spend a lot of time talking about the software supply chain and related concepts, such as the software bill of materials (SBOM). This metaphor comes from an industrial lexicon. People who are used to talking about economies and how manufacturing works are familiar with the idea of supply chain.
Imagine a world where a single line of code, tucked away in a common library or framework, could bring your entire digital world to a screeching halt—welcome to the ever-evolving landscape of software supply chain security. Like any supply chain, the security of your software is only as strong as the weakest link in the system that produces and delivers working code.
At JFrog, we’re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain — making security a priority in everything we do.
Contributing members of the open source project git deployed a code change in June 2022 that switched the default file compression method from the gzip program to an internal gzip-compatible implementation. The change was made for performance reasons and to reduce the dependency on the aging gzip project. Unfortunately, it also impacted SaaS offerings like GitHub that use git under the hood. GitHub deployed the change and was also forced to quickly roll it back in January 2023.
Attacks on software supply chains have been around for some time, but recently they have evolved into much more dangerous threats. Let's dive into the SLSA framework to understand where supply chain security is headed.
Containerised deployment is widely becoming a standard in every industry, ensuring these containers are protected at every level with a high level of accuracy is one of the most important tasks. Some industry vendors rely solely on the manifest files to provide them with a list of components, others have to manually convert the container image to a TAR archive before scanning, and even then they may only work on the application layer instead of evaluating the entire filesystem.