This article introduces “OSS supply chain attacks”, a type of security problem that has emerged in recent years. It is an interesting topic that I have been observing for the past year. This post gives some basic background and cites a list of external links that you can explore. Our team is also working on some related research, stay tuned!

Why should you care?

For Individual Users

As individual users (esp. developers!), we sometimes need to run binaries downloaded directly from the Internet on our laptops. However, that doesn’t sound like a very secure thing to do.

Show HN: CLI tool for saving web pages as a single file

FreeHugs: One thing I always wonder when I see native software posted here: How do you guys handle the security aspect of executing stuff like this on your machines? Skimming the repo it has about a thousand lines of code and a bunch of dependencies with hundreds of sub-dependencies. Do you read all that code and evaluate the reputation of all dependencies? Do you execute it in a sandboxed environment? Do you just hope for the best like in the good old times of the C64?

In 2018, the average enterprise downloaded 313,000 open source component releases. –Sonatype 19

For Enterprise Users

It is an even bigger concern for software companies: 软件项目供应链管理的迷思 ("Myths of Software Project Supply Chain Management", in Chinese) discusses this potential problem from the perspective of hardware supply chain management, and emphasizes a concept called the BOM (Bill of Materials). For much of today's software, the BOM can be drawn from millions of packages written by different people at different times, licensed differently and maintained differently. This presents a great challenge for anyone who wants to audit the entire software stack. The author of that article also mentions an infamous attack on the event-stream package in the NPM community:

  • https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a
  • https://blog.sonatype.com/open-source-software-is-under-attack-new-event-stream-hack-is-latest-proof
  • https://schneider.dev/blog/event-stream-vulnerability-explained/

Case Study: event-stream attack

Looking at the history as a whole, event-stream is not an isolated case:

https://www.eweek.com/security/node.js-event-stream-hack-exposes-supply-chain-security-risks

A Shifting Battlefront of Attacks: Malicious Code Injection (From Sonatype SSC Report 2019 Fig 5E)

⊲ In 2018, across billions of open source component release downloads, 1 in 10 (10.3%) had known security vulnerabilities.
⊲ At today’s defect rate of 1 in 10 downloads, software component releases procured by development teams now sit at one sigma.
⊲ 51% of JavaScript package downloads contained known vulnerabilities.
– Sonatype 2019

Potential Remedy

  • Mechanism level
    • How to manage the external dependencies better?
  • Technical level
    • How to automatically detect problematic new updates?
  • Business level
    • DevSecOps automation for OSS supply chain management?

Actions taken

In October 2018, the FDA released guidance for cybersecurity management of medical devices. The FDA’s report called for a Cybersecurity Bill of Materials (CBOM). – Sonatype SSC Report, 2019

The PCI (Payment Card Industry) standard also advises organizations to generate a software bill of materials (SBOM) so they can easily track and trace the location of every single component release embedded within their production software applications. – Sonatype SSC Report, 2019
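
One way to put the BOM idea and the "detect problematic new updates" question into practice for npm, as an added example that is not taken from the cited reports or from any project mentioned here: flatten a package-lock.json into a bill of materials and diff it against the previous one. It assumes the lockfileVersion 2/3 layout with a top-level "packages" map; all package names, versions and integrity strings are constructed.

```javascript
// Added example. Package names, versions and integrity strings are constructed.
const NM = "node_modules/";
// Flatten a package-lock.json object (lockfileVersion 2 or 3) into a BOM:
// Map of "name@version" -> integrity. Every installed component, direct or
// transitive, has an entry under "packages"; "" is the root project.
function buildBom(lock) {
  const bom = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link) continue; // skip root and workspace symlinks
    const i = path.lastIndexOf(NM);
    const name = meta.name || (i < 0 ? path : path.slice(i + NM.length));
    bom.set(`${name}@${meta.version}`, meta.integrity || null);
  }
  return bom;
}

const nameOf = (id) => id.slice(0, id.lastIndexOf("@")); // keeps "@scope/pkg"

// Compare two BOMs and report what a dependency update really changed.
function diffBom(oldBom, newBom) {
  const oldNames = new Set([...oldBom.keys()].map(nameOf));
  const added = [...newBom.keys()].filter((id) => !oldBom.has(id)).sort();
  return {
    added,
    removed: [...oldBom.keys()].filter((id) => !newBom.has(id)).sort(),
    // Components whose name never appeared before: review these first.
    newNames: [...new Set(added.map(nameOf))].filter((n) => !oldNames.has(n)),
    // Same name@version but a different content hash: the bytes changed.
    integrityChanged: [...newBom.keys()]
      .filter((id) => oldBom.has(id) && oldBom.get(id) !== newBom.get(id)).sort(),
  };
}

// Constructed lockfiles: a patch bump of example-stream pulls in a new
// transitive dependency, and example-pad keeps its version but not its hash.
const lockBefore = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-stream": { version: "3.3.5", integrity: "sha512-AAAA" },
  "node_modules/example-pad": { version: "1.0.0", integrity: "sha512-BBBB" },
} };
const lockAfter = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-stream": { version: "3.3.6", integrity: "sha512-CCCC" },
  "node_modules/example-stream/node_modules/example-flatten":
    { version: "0.1.1", integrity: "sha512-DDDD" },
  "node_modules/example-pad": { version: "1.0.0", integrity: "sha512-EEEE" },
} };
console.log(diffBom(buildBom(lockBefore), buildBom(lockAfter)));
```

Run in CI against the lockfile from the previous release, a non-empty `newNames` or `integrityChanged` is a natural point to require a human review before the update is merged.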

Further Readings

Academic Research

  • https://dasfreak.github.io/Backstabbers-Knife-Collection/
  • On the impact of security vulnerabilities in the npm package dependency network
  • Why Do Developers Use Trivial Packages? An Empirical Case Study on npm
  • An empirical study of unspecified dependencies in make-based build systems
  • Do developers update their library dependencies? An empirical study on the impact of security advisories on library migration
  • In Dependencies We Trust: How vulnerable are dependencies in software modules?

Media Coverage

  • https://felixge.de/2013/03/11/the-pull-request-hack.html
  • https://medium.com/@eiriksletteberg/a-proposition-to-collectively-security-audit-the-most-used-npm-packages-36ed8cbc1f8d
  • https://www.theregister.co.uk/2018/09/25/open_source_security/
  • https://www.kaspersky.com/blog/copay-supply-chain-attack/24786/
  • https://www.scmagazine.com/home/opinion/executive-insight/software-supply-chain-attacks-preventing-and-mitigating-the-next-ransomware/
  • https://www.sonatype.com/press-release-blog/2019-state-of-the-software-supply-chain-report-reveals-best-practices-from-36000-open-source-software-development-teams

Resources