Supply Chain Attacks: How Can Enterprises Act? [White Paper]

Your third-party code suppliers don't have enterprise-grade security, putting your business at risk of supply chain attacks.

We are undergoing a Digital Transformation Era.

Companies across all sectors are investing in their digital platforms: e-banking, e-commerce, PWAs, streaming services, and much more.

Achieving differentiation in this Era means pushing software development teams to deliver highly advanced applications in record time.

Developing every single feature in-house has long stopped being sustainable. The development of digital products means re-using third-party code and integrating third-party scripts for added functionality.

Code Dependencies and Third-Party Scripts

The growth of JavaScript as the language of the Web has led to the emergence of libraries and frameworks — two promoters of development speed.

If we look at a typical development scenario for creating a React.js app with create-react-app, this step alone involves installing over 1,000 code dependencies. Most of them are open-source projects maintained by volunteers.

Something similar occurs when companies seek to extend the functionalities of their existing applications. Integrating third-party scripts enables easy access to many services, such as analytics, UX improvements, and ads. Recent analyses of web applications put this into numbers:

67% of code in web applications today is third-party scripts.

So, what happens when third-party developers or providers are attacked?

The Emergence of Supply Chain Attacks

Relying on third-party code has increased the attack surface of applications.

Instead of directly attacking a single high-profile company, why not breach a code dependency or third-party script?

Most third-party code providers don’t have enterprise-grade security systems.

By using code dependencies, companies trust their maintainers to keep this code innocuous. However, this is not always the case, as seen in the recent incident with the event-stream library. A volunteer gained legitimate control over the project, inserting a direct code dependency with malicious code. This code reached its target downstream, infecting production builds of the Copay cryptocurrency wallet and stealing account data and private keys from several Copay user accounts.

A single contributor with malicious purposes can compromise a component that inherently compromises thousands of projects using it as a dependency.

The risk is very similar when using third-party scripts. When an application directly loads a script, it accepts by default any change to this code made by the third-party provider. Because this third-party code has the same privileges as all the code developed in-house, it can directly compromise the entire application.

This is the modus operandi of the cybercriminal group Magecart: breaching third-party script providers to attack high-profile companies. The notorious British Airways breach was achieved by injecting malicious code into the Modernizr script that the company was loading on its website and mobile app. As a result, 380,000 customers had their credit card data stolen.

In all cases, companies take a long time to detect and react to these supply chain attacks, contributing to the magnitude of the ensuing data breaches.

Client-Side Mitigation of Supply Chain Attacks

Mitigating supply chain attacks requires addressing several cyber resiliency techniques, including Analytic Monitoring, Adaptive Response, and Substantiated Integrity.

To meet these mitigation techniques, companies must employ a security-in-depth approach. Investing resources on periphery defenses alone or SAST (Static Application Security Testing) is not enough. They are ineffective against supply chain attacks.

Client-side security solutions become detrimental in mitigating supply chain attacks, as these often operate through changes that are manifested on the client side.

Among several strategies, Webpage Monitoring enables mitigating these attacks in real time.

All actionable mitigation strategies are in our free Supply Chain Attacks white paper.

Conclusion

Supply chain attacks are increasing in frequency, as the return on investment for attackers is much higher when compared to typical cyber-attacks.

A single attack can breach thousands of companies by exploiting the clear weakest link in the software supply chain.

Third-party code isn't going anywhere. It will remain a standard development practice. The burden now falls on security teams to employ proper client-side security and mitigate supply chain attacks before becoming another costly headline.