Open Source and Open Targets: A Comprehensive Analysis of Software Supply Chain Attacks in Open-Source Software

© 2024 by IJCTT Journal
Volume-72 Issue-8
Year of Publication: 2024
Authors: Varadharaj Varadhan Krishnan
DOI: 10.14445/22312803/IJCTT-V72I8P132

How to Cite?

Varadharaj Varadhan Krishnan, "Open Source and Open Targets: A Comprehensive Analysis of Software Supply Chain Attacks in Open-Source Software," International Journal of Computer Trends and Technology, vol. 72, no. 8, pp. 228-236, 2024. Crossref, https://doi.org/10.14445/22312803/IJCTT-V72I8P132

Abstract
Software supply chain attacks pose a significant threat to organizations worldwide. Open-source software enables threat actors to amplify their impact further, and it creates unique challenges for organizations using Open-Source Software (OSS). Unlike a targeted attack on a single organization, an OSS-based supply chain attack has a cascading impact across every downstream consumer of the compromised component. This paper provides a comprehensive analysis of OSS-based software supply chain attacks from 2010 to 2022. An empirical analysis was performed on datasets available in the public domain, and clustering analysis was used to identify distinct patterns in attack vectors, code base types, and distribution vectors. The study highlights the diverse methods and targets of OSS-based supply chain attacks. The findings aim to give security professionals insight into the trends, which is useful in determining where to focus when bolstering defenses against software supply chain attacks. The paper also examines the frameworks available for organizations to measure the maturity of their defenses against supply chain attacks and covers actionable mitigation strategies to strengthen that defense.

Keywords
Software supply chain attack, Open-source supply chain attack, Cybersecurity, Open-source, Cyber defense strategies.
