New guidance on software supply chain attacks released

NSA, CISA, OpenSSF release guides on preventing supply chain attacks

Image:
NSA, CISA, OpenSSF release guides on preventing supply chain attacks

Linux Foundation's OpenSFF releases npm security guide while US agencies NSA and CISA advise on hardening the component supply chain

The Linux Foundation's Open Source Security Foundation (OpenSSF) has released a best practices guide for developers using dependences from the package manager npm, and in the same week US security agencies NSA and CISA published their own guidance on mitigating the risk of software supply chain attacks.

Modern applications, both closed- and open source, are assembled from multiple components, the provenance and validity of which is not always clear.

Supply chain attacks, where threat actors compromise components of widely used software which then find their way into the application, have been a major focus of concern since the 2020 SolarWinds hack that saw numerous government and corporate entities compromised by state-backed hackers.

OpenSSF's npm Best Practices Guide

JavaScript and its offshoot TypeScript are among the most widely used programming languages today, and npm, which contains 2.1 million packages, is by some distance the largest collection of software libraries and components in existence.

Projects written in JavaScript or TypeScript frequently make use of tens or even hundreds of third-party open source software libraries hosted on npm, building on the work of others and meaning developers don't have to reinvent the wheel.

The existence of repositories like npm is one reason why open source development can happen so quickly, but they present a supply chain security risk if not used properly. JavaScript is generally used in potentially vulnerable web-facing applications, which is another reason why npm is a frequent target for attackers seeking to sneak their own malicious code into applications by way of corrupt dependencies.

In March, for example, more than 200 malicious packages targeting Azure developers were discovered removed from npm. These packages used the 'typosquatting' technique, giving their malicious package a similar name to a legitimate one in the hope that a careless coder making a minor typographical error will download the malicious package instead of the intended library.

Vigilance against typosquatting is the first section of OpenSSF's guide. Would-be users of a dependency should visit its GitHub page to check the spelling, and use tools such as deps.dev to find out about any transitive dependencies that could also pose a risk, it advises.

See also: All about SBOMs: the latest moves to secure the software supply chain

Transitive dependencies - additional code that may be called by a third-party dependency - are not listed in the package.json manifest and represent a risk that may not be understood, the guide notes, advising on ways to handle that issue.

Among other recommendations, OpenSSF says that reproducible installations should be used to guarantee that exactly the same dependencies are used each time the package is installed.

In addition, using lockfiles reduces the risk of downloading malicious packages by forcing a check of the hash of each dependency before it is installed.

The guide also covers configuring continuous integration (CI) systems using the principle of least privilege, to reduce the risk of unauthorised users from executing or writing code or accessing secrets, and advice on auditing, maintaining and updating dependencies.

"Developers who follow this guide will proactively harden their npm packages against the most common supply chain attacks," OpenSSF said in a blog post.

The npm guide is part of a wider series of advisories for coders called Best Practices for Open Source Developers.

OpenSFF, whose members include Google, IBM, JPMorgan Chase and Microsoft, is a cross-industry forum for a collaborative effort to improve open source software security. It was founded in 2020 and advised the US government on the content of Biden's 2021 Executive Order on cybersecurity measures.

NSA and CISA's guide

OpenSSF is not the only organisation producing advice on mitigating against software supply chain attacks. The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have also published a guide.

"Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations. This guidance consolidates valuable resources already published for developers to put to use," said a press release on the NSA's website.

The guide [pdf] contains advice on verifying third-party libraries, software bills of materials (SBOMs), secure development practices, and gives information about tactics used by attackers.

Clearly, there is a great deal of momentum behind software supply chain security at the moment - Illka Turunen, Sonatype

Commenting on the guidance, Illka Turunen, field CTO at Sonatype, said: "The best practices shared by the NSA and CISA lay comprehensive groundwork for organisations across the software supply chain to achieve the requirements established by President Biden's 2021 Executive Order on cybersecurity. They represent a meaningful step in the right direction, even if they are arguably very high level."

He continued "Clearly, there is a great deal of momentum behind software supply chain security at the moment, and a lot of best practice has been shared by government bodies and industry alike. Now, it is up to organisations and the wider developer community to put best practice into practice."