Open source software 'increasing threat to supply chains'
There have been twice as many software supply chain attacks this year alone as in the four preceding years (2019 to 2022) combined, new research shows.
The findings are in a report released by software supply chain management company, Sonatype.
Its 2023 State of the Software Supply Chain Report indicates that this year has seen twice as many software supply chain attacks as the entire period 2019-2022 combined.
The chief problem the report identifies is developers downloading vulnerable versions of open source components when newer, patched versions of the same components are readily available.
Sonatype logged 245,032 malicious packages in 2023, and says that as many as one in eight open source software (OSS) downloads today carries “known and avoidable risks”.
Open source software 'big threat to supply chains'
Other headline findings include:
- Nearly all (96%) vulnerable downloads are avoidable. Some 2.1 billion OSS downloads with known vulnerabilities in 2023 could have been avoided by downloading a newer, patched version of the same component instead. “For every suboptimal component upgrade there are typically 10 superior versions available,” says the company.
- Only 11% of OSS projects are actively maintained. Sonatype analysed more than 1 million OSS projects and saw an 18% drop-off in the number of actively maintained projects. “This finding demonstrates the importance of constant vigilance from consumers in tracking the health of dependencies over time,” says the company.
- Most organisations (67%) believe they have their software supply chains under control, yet 10% of respondents report having suffered an OSS security breach in the past 12 months.
- More than a third (39%) of organisations take between one and seven days to discover a vulnerability, and 36% take more than a week to patch one.
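As an added illustration of the “avoidable” finding above (this is example code written for this page, not Sonatype's tooling or data), the following Python script audits a pinned dependency list against a small advisory set and a registry snapshot. The package names, versions and advisory IDs are constructed for the example and refer to no real project. For each vulnerable pin it reports whether a patched release already exists and lists every unaffected version at or above the pin, the “superior versions” the report counts, while a package whose only advisory has no fix yet is reported but not classed as avoidable.

```python
"""Audit pinned dependencies against known advisories and report which
vulnerable pins are 'avoidable', i.e. a patched release already exists.
All package names, versions and advisory IDs are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, padded so '1.4' == '1.4.0'.
    A real audit should use packaging.version (pre-releases, local tags)."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first unaffected version (exclusive); None = no fix yet
    advisory_id: str


# Constructed advisory data (hypothetical packages and IDs).
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-2023-0001"),
    Advisory("examplelib", "2.0.0", "2.1.0", "EXAMPLE-2023-0002"),
    Advisory("othertool", "0.9.0", "0.9.5", "EXAMPLE-2023-0003"),
    Advisory("nofixyet", "3.0.0", None, "EXAMPLE-2023-0004"),
]

# Constructed registry snapshot: every published version of each package.
AVAILABLE_VERSIONS = {
    "examplelib": ["1.0.0", "1.2.0", "1.3.0", "1.4.1", "1.4.2", "1.5.0",
                   "2.0.0", "2.0.3", "2.1.0", "2.2.0"],
    "othertool": ["0.9.0", "0.9.4", "0.9.5", "1.0.0"],
    "nofixyet": ["3.0.0", "3.0.1"],
    "cleanpkg": ["1.0.0", "1.1.0"],
}


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def advisories_for(package: str, version: str) -> list:
    return [a for a in ADVISORIES if a.package == package and is_affected(version, a)]


def safe_versions(package: str, at_least: Optional[str] = None) -> list:
    """Published versions no advisory covers, restricted to >= at_least so a
    downgrade is never suggested as a fix."""
    out = []
    for v in AVAILABLE_VERSIONS.get(package, []):
        if at_least is not None and parse_version(v) < parse_version(at_least):
            continue
        if not advisories_for(package, v):
            out.append(v)
    return sorted(out, key=parse_version)


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines; comments and blanks are skipped, and
    anything that is not an exact pin is rejected (a lockfile audit must
    know exactly which version will be installed)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"not an exact pin: {raw!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(requirements_text: str) -> dict:
    """Report every pinned package that has at least one advisory. A finding
    is 'avoidable' when an unaffected version at or above the pin exists;
    the smallest such version is the suggested upgrade."""
    report = {}
    for name, pinned in parse_requirements(requirements_text).items():
        hits = advisories_for(name, pinned)
        if not hits:
            continue
        superior = safe_versions(name, at_least=pinned)
        report[name] = {
            "pinned": pinned,
            "advisories": [a.advisory_id for a in hits],
            "avoidable": bool(superior),
            "upgrade_to": superior[0] if superior else None,
            "superior_versions": superior,
        }
    return report


# Constructed sample lockfile.
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0   # vulnerable, fix available
othertool==0.9.5    # exactly the fixed version: not affected
nofixyet==3.0.1     # vulnerable, no patched release yet
cleanpkg==1.0.0     # no advisories
"""

if __name__ == "__main__":
    for pkg, r in audit(SAMPLE_REQUIREMENTS).items():
        status = f"upgrade to {r['upgrade_to']}" if r["avoidable"] else "no fix published"
        print(f"{pkg}=={r['pinned']}: {', '.join(r['advisories'])}; {status}; "
              f"{len(r['superior_versions'])} safe version(s) available")
```

In practice the advisory ranges come from a vulnerability database such as OSV.dev and the version list from the package registry; for Python projects, pip-audit performs exactly this lookup. The decision logic is the part worth keeping: an advisory only makes a download “avoidable” if a published, unaffected version exists at or above the pin, and the exclusive `fixed` bound is what lets `othertool==0.9.5` pass while `0.9.4` would not.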
The profusion of freely available but unsafe components is especially damaging to supply chains, which are exposed to attacks that enter through a trusted third party rather than through the target's own perimeter.
Supply chains commonly comprise thousands of vendors, and a single vendor is too often the entry point for malware, ransomware or denial-of-service attacks that then spread to the larger organisations upstream or downstream of it.
Supply chain cyberattacks target vendors
Recent supply chain cyberattacks include one affecting the Metropolitan Police, the UK's largest police force, which employs 35,000 police officers and civilian staff and remains on high alert following a security breach of the IT system of one of its suppliers. The vendor in question holds names, ranks, photos, vetting levels and pay numbers for Met officers and staff.
An even more damaging supply chain breach followed the attack on MOVEit Transfer, a managed file-transfer product that encrypts stored files and moves them over secure transfer protocols such as SFTP and FTPS.
The Cl0p ransomware gang exploited a zero-day SQL injection flaw in internet-facing MOVEit Transfer instances (CVE-2023-34362) and stole the data held on them. Organisations that suffered data breaches as a result include accounting firm PwC, professional services company Aon, the BBC, British Airways, Aer Lingus, Boots, Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, Cognizant and AbbVie.
Cyber experts warn that such attacks can put organisations out of business, and that a breached company may also face class-action lawsuits.
Brian Fox, CTO at Sonatype, says the report “highlights suboptimal open source consumption habits as the root cause of open source risk”.
He adds: “The fact there’s a fix for almost all downloads with a known vulnerability tells us we should be giving developers access to the right tools.
“The goal is to help developers be more intentional about downloading open source software from projects with the healthiest ecosystem of contributors.”