Sonatype’s 9th annual “State of the Software Supply Chain Report” finds that while software supply chain attacks have spiked significantly year-over-year, 96% of the open source downloads that drive them have updated versions available that neutralize the vulnerability.
The problem is not entirely on the organizational patching side, however. The study also finds that only 11% of the surveyed projects are actively maintained, down 18% from 2022.
Software supply chain attacks double in a year, have tripled since 2019
Sonatype logged over 245,032 malicious packages in open source projects available to public download in 2023, double the number seen from 2019 to 2022. In total, one in eight open source downloads poses a risk. However, 96% of these projects have a version available that removes the vulnerability; the vast majority of exposures are coming from failures in timely dependency management.
After nine years, the report finds that correctable user behavior continues to be by far the leading cause of software supply chain attacks. End users are not necessarily set up for success, however, with 89% of projects listed on Maven Central sitting inactive. 18.6% of all open source projects across Java and JavaScript that were maintained in 2022 were no longer maintained by the time of the study.
There also appears to be a disconnect in the perception of vulnerabilities in open source projects. Though a large share of projects have them, 67% of respondents felt confident that none of their software relied on libraries with known vulnerabilities. 10% said that their organization had experienced a breach in the past 12 months traced to software supply chain attacks.
Some of the growth in software supply chain attacks can be attributed to malicious actors taking advantage of this general downturn in maintenance of software packages. Attackers often create their own build that delivers a malicious payload when executed, entirely separate from the normal development of the project. Open source security updates have generally focused on attacks on developers that lead to project compromise rather than this avenue, which continues to rely on volunteer efforts to flag and take down these malicious packages.
Professional criminal groups paying more attention to open source
The report also notes that higher-level professional criminals are showing increasing interest in software supply chain attacks, citing several examples. One of the foremost is North Korea’s state-backed Lazarus group, which created a malicious imitation of a VMware vSphere connector module that was detected by security researchers in August.
Despite ongoing issues with open source software maintenance, nearly all of the vulnerable downloads out there still have a better version available. The Log4J vulnerability was expected to be a persistent issue for up to a decade for exactly this reason, and the numbers continue to bear this theory out: about 25% of all new downloads of software containing Log4J are still carrying a vulnerable version, as of last month.
Thus, the report puts the bulk of the blame for the state of software supply chain attacks on the consumer. Despite a 96% chance of there being a problem-free version available, 3.97 billion of the 37.8 billion monthly downloads from Maven Central are those that contain a vulnerability. Only 1.8 billion of these downloads are of items that have no available fix, leaving over 2.1 billion installations of vulnerabilities each month that could be easily avoided.
What does the report see as the answer to this issue? Software bills of materials (SBOM) and proper DevSecOps practices, though both can be tough sells for already beleaguered IT departments. Sonatype also cautions that open source automation tools should ideally have security features built in, as they often mask vulnerable dependencies. Developers also simply need to pay more attention to what components they are downloading, ensuring projects are active and maintained. Software composition analysis tooling can also be used to comb through existing inventories to find vulnerabilities.
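The distinction the report draws between vulnerable downloads that have a fixed release available and those that do not is exactly what an SBOM-driven inventory check produces. The following script is an added example, not code from Sonatype or from the report; it triages a constructed CycloneDX-style SBOM against a constructed advisory feed (the coordinates, versions and advisory identifiers are invented for the example) and sorts each component into "fix-available", "no-fix" or "clean", which is the categorization the monthly Maven Central figures above are framed in.

```python
"""Triage a dependency inventory (SBOM) against an advisory feed.

Each component ends up in one of three buckets, mirroring how the report
counts downloads: vulnerable with a fixed release available, vulnerable
with no fix yet, or not affected by any known advisory.
"""
import json
from collections import Counter
from typing import Optional

# Constructed CycloneDX-style SBOM. The group/artifact coordinates and
# versions are invented for this example and do not refer to real artifacts.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.example", "name": "logger-core", "version": "2.14.1"},
    {"type": "library", "group": "org.example", "name": "json-parser", "version": "1.3.0"},
    {"type": "library", "group": "org.example", "name": "http-client", "version": "4.5.13"}
  ]
}"""

# Constructed advisory feed keyed by Maven coordinates "group:artifact".
# "fixed": None models an advisory for which no patched release exists yet.
# The EXAMPLE-ADV-* identifiers are placeholders, not real advisory ids.
ADVISORIES = {
    "org.example:logger-core": [
        {"id": "EXAMPLE-ADV-0001", "introduced": "2.0.0", "fixed": "2.17.0"},
    ],
    "org.example:json-parser": [
        {"id": "EXAMPLE-ADV-0002", "introduced": "1.0.0", "fixed": None},
    ],
}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple.

    Numeric segments compare as integers; non-numeric qualifiers (e.g. "rc1")
    compare as strings and sort before any numeric segment. This is enough for
    the demo; full Maven and semver ordering rules have more special cases.
    """
    key = []
    for part in version.split("."):
        key.append((1, int(part)) if part.isdigit() else (0, part))
    return tuple(key)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def triage(sbom_json: str, advisories: dict) -> dict:
    """Classify every SBOM component against the advisory feed."""
    sbom = json.loads(sbom_json)
    results = {}
    for comp in sbom.get("components", []):
        coord = f"{comp.get('group', '')}:{comp['name']}"
        hits = [
            adv for adv in advisories.get(coord, [])
            if is_affected(comp["version"], adv["introduced"], adv["fixed"])
        ]
        if not hits:
            status, upgrade_to = "clean", None
        elif any(adv["fixed"] is None for adv in hits):
            # An upgrade cannot clear every advisory, so treat as unfixable.
            status, upgrade_to = "no-fix", None
        else:
            # Smallest release that clears all matching advisories.
            status = "fix-available"
            upgrade_to = max((adv["fixed"] for adv in hits), key=parse_version)
        results[coord] = {
            "version": comp["version"],
            "status": status,
            "advisories": [adv["id"] for adv in hits],
            "upgrade_to": upgrade_to,
        }
    return results


def summarize(results: dict) -> dict:
    """Count components per bucket; the 'fix-available' count is the avoidable exposure."""
    return dict(Counter(r["status"] for r in results.values()))


if __name__ == "__main__":
    report = triage(SBOM_JSON, ADVISORIES)
    for coord, r in report.items():
        print(f"{coord}@{r['version']}: {r['status']} {r['advisories']} upgrade_to={r['upgrade_to']}")
    print(summarize(report))
```

Pointing the same logic at a real SBOM and a real advisory source is what software composition analysis tools do at scale; the "fix-available" bucket is the share that a timely dependency bump would remove.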
Sonatype also separately surveyed 621 enterprise engineering professionals to gain insights on software supply chain maturity. The report finds that respondents tend to self-report a higher stage of maturity than their detailed answers indicate they have reached. Specific areas where organizations appear to be particularly struggling are supplier hygiene, project consumption, build & release, and digital transformation. 20% of respondents additionally say they are not sure whether their organization has suffered a breach from software supply chain attacks in the past year.
Vulnerability discovery also remains somewhat slow. 39% of organizations say they discover vulnerabilities in no more than seven days, but over 36% continue to take more time.
Dave Ratner, CEO of HYAS, notes some technology measures that can be adopted to head off software supply chain attacks: “Developers need to become better decision makers, but the best resiliency and security hygiene will come from pairing these approaches with solutions that can detect the telltale signs of infection, such as Protective DNS solutions. By seeing the beaconing activity to command-and-control, they provide a security-in-depth strategy for resiliency and serve as the early-warning sign that something anomalous has snuck into the stack and needs to be addressed.”
Craig Harber, Security Evangelist for Open Systems, sees this as a natural consequence of a continued tendency to underfund IT departments: “From my perspective the findings in this report are not surprising, but frankly, they are extremely frustrating. The lack of mature vulnerability management and patch management processes has been the Achilles’ heel of most agencies and organizations for as long as I can remember. Real leadership is needed to bring forward a change. And it’s got to be more than drafting regulations and guidance. Investments are needed in automation and AI-driven decision support tools to enable IT teams to do their jobs effectively. System owners and stakeholders need to be held accountable if they fail to provide the IT teams the necessary direction and tools to be successful.”