DevOps All Day: A Third of Log4j Downloads Still Pull Vulnerable Version Despite Threat of Supply Chain Attacks

Adam Bannister November 14, 2022 at 16:16 UTC

Updated: Nov 14, 2022 4:54 PM UTC

AppSec engineer’s keynote says Log4j revealed lessons not learned from Equifax breach

Closing the proverbial backdoor to your networks “reduces the risks [of attacks] tremendously,” said Sean Wright, Application Security Engineer, at Friday’s All Day DevOps.

The keynote speaker urged security teams to implement “appropriate access controls” to protect against a 742% increase in “next-gen” supply chain attacks, a threat that has multiplied since the SolarWinds incident rocked the open source ecosystem in December 2020.

Among other techniques, attackers take advantage of typosquatting, dependency confusion, malicious code injection, package vulnerabilities, protestware, and account takeovers of package authors (the last of these prompting package managers to implement multi-factor authentication (MFA)).


“Make sure your servers are really well defined [in terms of] what and who they can talk to,” said Wright, who re-recorded his virtual presentation after technical issues interrupted his live appearance.

“Your servers should never, ever have outbound access open,” Wright advised.

Many modern supply chain attacks “rely on the fact that many organizations filter in, but never pay attention to what comes out,” Wright added.

Swim upstream

The dramatic increase in the size of the open source ecosystem has persuaded attackers to diversify beyond attacking applications directly to targeting their upstream components as well, he noted. If anything, Wright was surprised that they hadn’t done so sooner and on a larger scale.

For context, his own research indicated that between 2015 and 2022 there were trillions of download requests on various package managers, with Java downloads up 3,870%, JavaScript up 13,900% and .NET up 34,100%.

When a typical application has 20-30 dependencies, which themselves will often have 5-10 dependencies with something like 10,000 lines of code each, finding vulnerabilities is not so much a “needle in a haystack” challenge as a “needle in an open ocean” one, according to Wright.

Image caption: AppSec engineer Sean Wright demonstrates the dramatic growth of the open source ecosystem (Sean Wright presenting at All Day DevOps 2022)

Resources such as Google’s Open Source Insights are therefore invaluable. This “awesome” tool creates dependency graphs for open source packages and annotates them with ownership, license, popularity, and other metadata.

Wright also recommended using Dependency Track for a centralized view of your software bills of materials (SBOM).

When a vulnerability surfaces, he advised security teams to pay more attention to the vector than the severity score, as the CVSS score often changes as the understanding of a bug deepens.

Purge your build system

The former software developer warned that while package managers are quick to remove malicious packages from public repositories, their use of caching means developers have to “purge” their private repositories and local build systems.

He praised a series of recent initiatives to strengthen the software supply chain – SLSA, Sigstore Cosign, NIST guidelines and OSSF Security Scorecards – but despite these resources, there is still a lot of work to be done.


After all, the critical Log4j bug showed that organizations had failed to learn the lesson offered by the Apache Struts bug that undermined Equifax’s reputation in 2017 – “we find that 33% of downloads are still the vulnerable version,” he lamented.

“You generally won’t allow any random stranger to commit code into your codebase,” Wright concluded. “But when we pull packages from random developers, that’s exactly what we do.”

All Day DevOps is a 24-hour conference focused on software developers. Presentations are still available for viewing upon request.
