What if I told you that regardless of how much time, people, and money you invest in your security program, your network is almost certainly exposed to an easily exploitable security hole? The security hole I'm referring to is intentionally malicious components downloaded by your developers directly or via the automated DevOps processes that build your software using the same pipeline required to obtain legitimate open source components. This security hole is easily addressed with a solution like a repository firewall. Still, industry data shows that less than 1% of the world's largest enterprises have yet to take any steps to protect their network from this new and emerging threat.
At this point, you might be skeptical. If you are like most development and security pros we talk to, you might be thinking, "We are protected because we are already scanning our builds before pushing them to production," with a variety of security and software composition analysis (SCA) tools. Or perhaps you are thinking, "We have endpoint protection on the desktop that will catch malware." After all, how could such an obvious security hole exist in virtually every company that develops software, and almost no one is doing anything about it? This reality stems from three important facts.
New Attack Vector: We identified the first attacks in 2017, and this has exploded to a sophisticated, continuously evolving criminal ecosystem of over 340,000 intentionally malicious components as of May 2024.
Easy Access: Modern development and DevOps toolchains are designed to make it easy for corporate developers to access open source components from public repositories. The nefarious actors who develop intentionally malicious components understand exactly how your toolchain, security tools, and process work and are now targeting the enterprise with the most severe malware like commercial-grade hacking kits, password and data exfiltration, and ransomware that evade all scanners, including software composition analysis (SCA).
Confusion: Even many security pros are not well-versed in the distinction between legitimate open source components with vulnerabilities and intentionally malicious components (read here for a deeper dive).
These attacks are not new
Our industry saw a similar pattern unfold with the advent of commercial virus scanning with devastating results. Despite its availability beginning in the late 80s, virus scanning technology took years to become standard practice, leaving many systems vulnerable to cyber threats. Surprisingly, PCs still commonly lacked adequate protection from malware as of late 2013. There are some vital lessons here about why the adoption took so long - lack of awareness, user experience, risk fatigue, etc. History has taught us that the right thing to do must be the easiest thing to do. This is particularly critical with software developers and protecting from intentionally malicious components. This slow adoption curve for security technology like virus protection effectively enabled bad actors to see the potential, innovate, and to drive the spectacular growth of cybercrime from < $100 billion in 2000 to nearly $10 trillion today.
A similar story is unfolding today with devastating consequences within enterprise software development, given the almost universal adoption of open source and the explosion of intentionally malicious components. This is not a theoretical attack vector. We see the largest protected enterprises prevent breaches on a daily basis. Unfortunately, because so few enterprises are protected, we regularly assist organizations in identifying and mitigating serious infections or breaches caused by intentionally malicious components — it is often the first step in implementing a comprehensive software supply chain security program.
What you need to do next
Let's explore the mechanics of this attack vector and take action now if you lack protection. Software is predominantly composed of 80-90% open source components. As a result, binary repositories like Sonatype Nexus Repository are indispensable for proxying and sharing open source. Binary repositories enhance developer productivity, reduce dependency on third-party repositories, and provide a vital source of truth for software binaries.
Unfortunately, this very same ease through which developers can freely access and share millions of open source components from public repositories makes it just as easy for intentionally malicious components to infiltrate your network if you do not have the appropriate protection in place. In fact, the bad actors have "shifted left." Cyber attackers are aiming at your network with a new twist on old tactics. They're using malware disguised as open source software to trick even the savviest developers into unwittingly downloading harmful packages. These bad actors are well-versed in how modern security tools work and have crafted malicious components to directly target developer tools like IDEs, AI-powered code assistance tools, and CI/CD pipelines.
Once these intentionally malicious components infiltrate your system through a download during development or building, they immediately breach your network without alerting the developer or builder. Unlike legitimate open source software that may have vulnerabilities discovered in production, these malicious components exist solely to compromise your network.
Relying solely on scanning during the build process to detect this next-generation malware is ineffective, as malicious developers exploit this gap before your scans take place.
Now that you know the threat of intentionally malicious components, it's time to take action. Here's what you can do:
- Learn about the emerging threat of intentionally malicious components and the difference between legitimate vulnerable, open source components and intentionally malicious, purpose-built open source malware (click here to learn more).
- Cleanse your binary repositories: Ask Sonatype for a free scan of your repositories to identify malware that may already be in your environment.
- Investigate and remediate the impact of the malware already in your environment.
- Block malware from entering your developer toolchain, CI/CD, and repositories with Sonatype Repository Firewall.
Building software with open source and a binary repository without the right intentionally malicious component protection is fundamentally unsafe. That's why Sonatype Repository Firewall is here. It provides the industry's only proactive, AI-powered protection from malware delivered through your developer toolchain and CI/CD pipeline giving you the confidence and reassurance you need to protect your network.
Written by Mitchell Johnson
Mitchell has more than 25 years of experience as a developer, architect, team-builder and leader across a variety of high-growth roles in technology, data, product, and mergers and acquisitions, including stints at eVestment a Nasdaq Company, Equifax, Grant Thornton and Delta Air Lines. Mitchell comes to Sonatype from MAXEX, the mortgage industry’s first centralized exchange for trading residential mortgages. At MAXEX, Mitchell was responsible for of all aspects of product management, data, security and technology including development of the next generation SAAS/PAAS trading platform.