A new study from Sonatype finds that, despite a sharp rise in software supply chain attacks, 96% of the open source vulnerabilities that fuel these attacks could be avoided simply by updating to, or choosing in the first place, a version that already contains the fix.
Backlogged patching has been an obvious problem for some time, but making sure the correct components are in place is not made any easier by the fact that only 11% of open source projects are still actively maintained (down from 18% the previous year).
Lax state of open source drawing attention of malicious actors
High-level criminal actors have taken note of the generally lax state of open source software and the openings it creates for software supply chain attacks. None more so than Lazarus, the North Korean state-sponsored group known for stealing large amounts of cryptocurrency in a variety of creative ways. Two months ago, security researchers discovered that the group had planted a fake, malware-laden version of a VMware vSphere connector module.
Yet even though open source projects are now rarely maintained on an ongoing basis, for nearly every known vulnerability or suspicious fork there is another version available that is safe to use.
Even so, the report notes that over 10% of monthly downloads from Maven Central are of a known-vulnerable version of a component. In about 40% of these cases no non-vulnerable version exists, which works out to roughly 4% of all downloads having no known safe version. The remaining 60% of these downloads, about 2.1 billion each month, are someone simply pulling a vulnerable version when a fixed one was available.
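As an added illustration (not code from the report or the article), the following Python classifies a set of component downloads the way the statistic above does: known-vulnerable with a fixed version available (the avoidable share), known-vulnerable with no fix at all, or not known-vulnerable. It also picks the nearest version that clears every advisory for a component. The advisory table and download list are constructed for this example; the coordinates and version numbers are invented, and the version comparison is a deliberate simplification of Maven's ordering rules.

```python
"""Bucket open source component downloads into: not known vulnerable,
vulnerable with a fix available, vulnerable with no fix available.

Added example, not from the Sonatype report or the article. ADVISORIES and
DOWNLOADS below are constructed; the coordinates and versions are invented
and do not refer to real advisories or artifacts.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAFE = "not known vulnerable"
FIXABLE = "vulnerable, fix available"
NO_FIX = "vulnerable, no fix available"


def parse_version(v: str) -> tuple:
    """Turn a version such as "1.4.2" or "1.2-rc1" into a comparable tuple.

    Numeric segments compare numerically, trailing zeros are ignored so
    1.2.0 == 1.2, and a release sorts above a pre-release of the same
    number. Assumption: this covers the numeric versions used here; real
    Maven ordering has more rules (qualifier ranking, non-numeric segments).
    """
    base, _, qualifier = v.partition("-")
    nums = [int(x) for x in base.split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if qualifier else 1, qualifier)


@dataclass(frozen=True)
class Advisory:
    coordinate: str          # "group:artifact", Maven style
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version, or None when no fix exists

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


def classify(coordinate: str, version: str, advisories: list) -> str:
    """Bucket one download. A component hit by any unfixable advisory counts
    as NO_FIX, because no version of it is safe to move to."""
    hits = [a for a in advisories if a.coordinate == coordinate and a.affects(version)]
    if not hits:
        return SAFE
    if any(a.fixed is None for a in hits):
        return NO_FIX
    return FIXABLE


def recommended_version(coordinate: str, version: str, advisories: list) -> Optional[str]:
    """Smallest fixed version at or above `version` that no advisory for the
    coordinate still affects; the version itself if it is already clean;
    None if every candidate remains vulnerable."""
    if classify(coordinate, version, advisories) == SAFE:
        return version
    relevant = [a for a in advisories if a.coordinate == coordinate]
    candidates = sorted({a.fixed for a in relevant if a.fixed}, key=parse_version)
    for cand in candidates:
        if parse_version(cand) >= parse_version(version) and not any(a.affects(cand) for a in relevant):
            return cand
    return None


def summarize(downloads: list, advisories: list):
    """Return per-bucket counts and the share of vulnerable downloads that
    were avoidable (the 60% figure in the text is this ratio)."""
    counts = Counter(classify(c, v, advisories) for c, v in downloads)
    vulnerable = counts[FIXABLE] + counts[NO_FIX]
    avoidable_share = counts[FIXABLE] / vulnerable if vulnerable else 0.0
    return counts, avoidable_share


# Constructed advisory data (invented coordinates and versions).
ADVISORIES = [
    Advisory("com.example:parser", "1.0", "1.4.2"),   # 1.x issue, fixed in 1.4.2
    Advisory("com.example:parser", "2.0", "2.1"),     # separate issue in the 2.x line
    Advisory("org.example:legacy-io", "0.1", None),   # unmaintained: no fix exists
]

# Constructed download log: (coordinate, version) as a registry would see it.
DOWNLOADS = [
    ("com.example:parser", "1.3"),
    ("com.example:parser", "1.4.2"),
    ("com.example:parser", "2.0.5"),
    ("com.example:parser", "2.1"),
    ("org.example:legacy-io", "0.9"),
    ("org.example:other", "3.0"),
]

if __name__ == "__main__":
    counts, share = summarize(DOWNLOADS, ADVISORIES)
    for bucket, n in counts.items():
        print(f"{bucket}: {n}")
    print(f"avoidable share of vulnerable downloads: {share:.0%}")
    for coord, ver in DOWNLOADS:
        print(coord, ver, "->", recommended_version(coord, ver, ADVISORIES))
```

The split between `FIXABLE` and `NO_FIX` is the one that matters operationally: the first bucket is a process failure on the consuming side (a safe version existed and was not chosen), the second is a signal that the dependency itself needs replacing rather than updating.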
One problem with keeping up with patches and updates is that the prescribed solutions, in this case wider adoption of software bills of materials, create even more work for the backlog: an inventory of components still has to be acted on. Short of automation, there are few good answers beyond simply increasing staffing levels.
The Sonatype report also suggests that software supply chain attacks may be tied to poor self-assessment of maturity in this area. Most of the enterprise engineering professionals surveyed overestimated their software supply chain maturity, with particular weaknesses in supplier hygiene and project consumption. 20% of respondents also could not say with confidence whether their organization had experienced a software supply chain attack in the past year.
3x increase in software supply chain attacks in four years
Better scanning that provides early warning of anomalies, particularly automated tooling that uses AI, may end up being the only real answer in a world where the vast majority of applications make use of some open source component.