With our increasing reliance on third-party software, our supply chain has become very complex and comes with a large number of risks that have led to many high-profile supply chain attacks. Different breaches have different causes, and executing a supply chain attack involves multiple steps. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the viewpoint of a data-driven attacker, focusing on how an attacker would use and assess publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack. We proposed six signals of security weaknesses in the npm software supply chain: 1) expired email domain; 2) install scripts; 3) unmaintained packages; 4) too many maintainers; 5) too many contributors; and 6) overloaded maintainers.
Media Coverage:
PortSwigger: Data study reveals predictors of supply chain attacks in NPM repositories.
The Record by Recorded Future: Thousands of npm accounts use email addresses with expired domains.
The Register: Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point
The Register: How to find NPM dependencies vulnerable to account hijacking.
Aqua Security: New npm Flaws Let Attackers Better Target Packages for Account Takeover
Motivated by our study, npm, PyPI and GitHub are now enforcing two-factor authentication on developer accounts.
Top-100 npm package maintainers now require 2FA, and additional security-focused improvements to npm
PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects
Software security starts with the developer: Securing developer accounts with 2FA
Tools Integrating our weaklink signals:
Socket, packj, guarddog, sdc-check
Security Specialists are promoting our weaklink signals:
Absolute AppSec Ep. #165 - Portswigger 2021 Top 10, Supply Chain Attacks
Episode 332 - PyPI: 2FA or not 2FA, that is the question
Level1 News February 25 2022: Living In The Disney Vault
Announcing Socket for GitHub 1.0
Python Packaging and PyPI in 2022
The Scorecard project auto-generates a “security score” for OSS projects with a list of security check metrics to verify baseline security standards and generate valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics in the npm and PyPI ecosystems to identify the security gaps and recommend practical automated security practices to practitioners. Our ML models showed Code-Review, Maintained, Branch Protection, and Security Policy as the most important metrics to improve package security.
Media Coverage:
The Register: Boffins rate npm and PyPI package security and it's not good
Do I really need all this work to find vulnerabilities?
To build secure software while addressing the ever-growing attack surface, practitioners must utilize the available resources as efficiently as possible to remove the most vulnerabilities from software. Practitioners often use different technologies that optimize resources and increase efficiency to improve vulnerability detection efforts without expanding the resources. Therefore, practitioners can benefit from guidance in selecting vulnerability detection and prevention techniques and tools. We apply six different categories of vulnerability detection and prevention techniques (SMPT, EMPT, DAST, IAST, RASP, and SAST) to a large Java application of an open-source medical records system to compare vulnerability detection techniques.