Threat landscapes: An upstream and downstream moving target

Lately, attackers have become very sophisticated in the ways they attack upstream development pipelines by introducing vulnerabilities into the software supply chain. The popularity of open source makes these repositories low-hanging fruit to target.

In an SD Times Live! event titled "Threat Landscapes: An Upstream and Downstream Moving Target," Theresa Mammarella, developer advocate at Sonatype, explained how companies can stay vigilant and be prepared for these malicious attacks.

"It becomes harder and harder as there's more and more layers of software building on top of each other to actually know what's in these applications," she explained. For example, you could be using Kubernetes, and that project could be pulling in code from thousands of other projects that you might not even know about. Mammarella labels these as "transitive dependencies."
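The following is an added example, not code from the article or from Sonatype, that makes the transitive-dependency point concrete: it walks a lockfile and reports, for every package that ends up installed, whether the application declared it directly or inherited it through another package, how deep it sits, and the chain that pulled it in. The lockfile content is constructed for the example (npm lockfileVersion 3 shape with a flat `node_modules/` tree; nested, conflict-resolved `node_modules` paths are not handled), and the package names are invented.

```python
import json
from collections import deque

# Constructed sample lockfile (npm lockfileVersion 3 layout); names are invented.
# "tiny-buffer" is deliberately referenced but absent, to show an unresolved edge.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.0.0", "logger": "^2.1.0"}},
        "node_modules/web-framework": {
            "version": "4.2.0",
            "dependencies": {"http-parser": "^1.0.0", "template-engine": "^3.0.0"},
        },
        "node_modules/logger": {"version": "2.1.3", "dependencies": {"colorize": "^1.4.0"}},
        "node_modules/http-parser": {"version": "1.0.7", "dependencies": {"tiny-buffer": "^0.1.0"}},
        "node_modules/template-engine": {
            "version": "3.3.1",
            "dependencies": {"colorize": "^1.4.0", "string-utils": "^0.9.0"},
        },
        "node_modules/colorize": {"version": "1.4.2"},
        "node_modules/string-utils": {"version": "0.9.1"},
    },
})


def dependency_report(lock_json: str) -> dict:
    """Map each reachable package name to its kind (direct / transitive / missing),
    its shortest depth below the application, the path that reaches it, and its
    pinned version. Breadth-first order guarantees the shortest path wins."""
    lock = json.loads(lock_json)
    packages = lock["packages"]
    direct = set(packages[""].get("dependencies", {}))
    report: dict = {}
    queue = deque((name, 1, (name,)) for name in sorted(direct))
    while queue:
        name, depth, path = queue.popleft()
        if name in report:
            continue  # already reached by an equal-or-shorter path
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            # Declared by some package but not resolved in the lockfile: the
            # install would fetch something the lockfile does not pin.
            report[name] = {"kind": "missing", "depth": depth, "path": path, "version": None}
            continue
        report[name] = {
            "kind": "direct" if name in direct else "transitive",
            "depth": depth,
            "path": path,
            "version": entry.get("version"),
        }
        for child in sorted(entry.get("dependencies", {})):
            if child not in report:
                queue.append((child, depth + 1, path + (child,)))
    return report


def summarize(report: dict) -> dict:
    """Count packages per kind; the transitive count is what the application
    never declared but still ships."""
    counts = {"direct": 0, "transitive": 0, "missing": 0}
    for info in report.values():
        counts[info["kind"]] += 1
    return counts


if __name__ == "__main__":
    rep = dependency_report(SAMPLE_LOCK)
    for name, info in sorted(rep.items(), key=lambda kv: (kv[1]["depth"], kv[0])):
        print(f"{info['kind']:<10} depth={info['depth']} {' -> '.join(info['path'])}"
              f" ({info['version'] or 'unresolved'})")
    print(summarize(rep))
```

Two direct declarations pull in four transitive packages plus one unresolved reference, so the application's real surface is more than three times what its manifest shows. The `path` field is what an engineer needs when a vulnerable package turns up in a scan: it says which direct dependency has to be upgraded or replaced to drop it.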

According to her, there are three main attack points in a software supply chain. The first is upstream, which involves downloading open-source or third-party components. The npm attack is one example of an upstream attack.

The second is midstream, where an attack takes place somewhere in the development life cycle. An example of this is the Log4j exploit.

And third is downstream, which is when an attack takes place within the deployed application.

"So upstream, midstream, and downstream, this all makes me think of a river," Mammarella explained. "And there's a good reason for that. Niagara Falls, think about it, the water that's upstream moves faster and spreads more widely than does the water in the midstream or the downstream of a river or waterfall. And those upstream attacks can have the most impact on software supply chains."

According to Mammarella, of the millions of repositories on GitHub, many of these projects get distributed to hundreds of thousands or even millions of companies. The most popular ones often get targeted the most because they have the largest number of downloads and thus are more attractive to attackers.

To learn more about how to protect your software supply chain, watch the recording of the event.

