Page 44 - Cyber Defense eMagazine April 2023

software teams almost always turn to code re-use from various third-party sources such as GitHub and Node Package Manager (npm) for accelerated code development.

While the availability of "ready to use" open-source software is a boon for rapid development and for meeting aggressive go-live deadlines, such reuse unfortunately exposes organizations to hidden software supply chain security risks: every imported package, and every package it in turn depends on, runs with the privileges of the developer or build system that installs it.

Since late 2021 and throughout 2022, security researchers have reported several incidents in which attackers "poisoned" thousands of npm packages with malicious code designed to silently steal credentials, access tokens and API keys, enrol machines in botnets, or run cryptocurrency mining software on developer workstations as well as development and production servers. Much of this code executes from package lifecycle scripts (preinstall, install, postinstall) the moment the package is installed, before the application that imported it ever runs. The stolen credentials are then typically used to launch a follow-up attack on the affected organization.

Because thousands of npm packages are published every month and the registry is used by over 60% of software developers, a single poisoned package is one of the most stealthy and damaging attack vectors available: one publication can reach every downstream build that pulls it in, compromising many organizations at once.

While network and endpoint security solutions have achieved decent adoption and penetration within the industry, the importance of software security and secure software development processes is lost on the average organization. As a result, software security lags behind the cyber threats that have evolved to take advantage of the general neglect and ignorance when it comes to securing the software development life cycle.

As is evident, the threat landscape is changing rapidly, and cyber adversaries have now turned to weaponizing trust and ignorance to target their victims with sophisticated tactics.



How can organizations counter such risks?

A few key initiatives that organizations can take to identify and manage such risks include:

   1.  Drawing up an inventory of trusted technologies and third parties (including open-source dependencies and their transitive dependencies) and conducting a risk assessment to understand the organization's exposure in the event that a trusted technology or supply chain partner is breached.
   2.  Designing and testing incident response plans that let the organization resume operations or recover securely after an attack that abuses a trusted relationship, including rotating every credential a compromised build or developer machine could have reached.
   3.  Conducting organization-wide security awareness and training programs that educate staff on identifying and responding appropriately to newly emerging cyberattack campaigns designed to abuse trust.
   4.  Implementing multi-factor authentication mechanisms to reduce the risk of account compromise, on package registry and source control accounts as well as on corporate identities, since a hijacked maintainer account is how many poisoned packages are published.
   5.  Reviewing and strengthening the security configurations of their SaaS vendors.
   6.  Reducing sensitive data sprawl to minimize the risk of data exposure from a breach.
   7.  Instituting a software security life-cycle program that identifies and tracks the risks introduced by open-source software and establishes the processes needed to secure the software supply chain: pinning dependencies with lockfiles, reviewing install-time lifecycle scripts before adoption, and keeping the dependency inventory current so that a newly reported malicious package can be located quickly.







