With our increasing reliance on third-party software, our supply chain has become very complex and carries a large number of risks, which have led to many high-profile supply chain attacks. Breaches have different root causes, and executing a supply chain attack typically involves multiple steps. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the viewpoint of a data-driven attacker, focusing on how an attacker would use and assess publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack. We proposed six signals of security weakness in the npm software supply chain: 1) expired email domain; 2) install scripts; 3) unmaintained packages; 4) too many maintainers; 5) too many contributors; and 6) overloaded maintainers.
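The six signals above can be computed from data anyone can fetch from the public npm registry plus a little repository context. The script below is an added example for this page, not code from the study: it scores a package's registry document against all six signals so a dependency reviewer can spot weak links before adopting a package. The document shape (`maintainers`, `dist-tags`, `versions[].scripts`, `time.modified`) follows the npm registry API; the thresholds, the sample package, and the domain-registration resolver are constructed assumptions (a real expired-domain check needs a DNS or WHOIS lookup, which is injected here as a function).

```javascript
// Added example, not code from the study: score an npm package's public registry
// metadata against the six weak-link signals. Thresholds and the sample document
// are constructed for illustration, not the study's own values.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed cut-offs for illustration.
const THRESHOLDS = {
  unmaintainedDays: 2 * 365,     // no registry modification for two years
  maxMaintainers: 20,            // registry accounts with publish rights
  maxContributors: 40,           // repository contributors
  maxPackagesPerMaintainer: 100, // packages one maintainer is responsible for
};

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Lowercased domain of an e-mail address, or null if the address is malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Maintainer e-mail domains the injected resolver reports as unregistered.
function expiredMaintainerDomains(maintainers, isDomainRegistered) {
  const seen = new Set();
  const expired = [];
  for (const m of maintainers || []) {
    const domain = emailDomain(m.email);
    if (!domain || seen.has(domain)) continue;
    seen.add(domain);
    if (!isDomainRegistered(domain)) expired.push(domain);
  }
  return expired;
}

// Install-time hooks declared by the latest published version.
function installHooks(meta) {
  const latest = meta['dist-tags'] && meta['dist-tags'].latest;
  const version = latest && meta.versions && meta.versions[latest];
  const scripts = (version && version.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}

// Days since the registry last recorded a modification to the package.
function daysSinceModified(meta, now) {
  const modified = meta.time && meta.time.modified;
  if (!modified) return Infinity;
  return (now.getTime() - Date.parse(modified)) / DAY_MS;
}

// Evaluate all six signals. `context` carries data that is not in the registry
// document: contributor count, per-maintainer package counts, the domain
// resolver, and the reference time.
function assessPackage(meta, context) {
  const now = context.now || new Date();
  const maintainers = meta.maintainers || [];
  const signals = [];
  const details = {};

  details.expiredDomains = expiredMaintainerDomains(maintainers, context.isDomainRegistered);
  if (details.expiredDomains.length) signals.push('expired-email-domain');

  details.installHooks = installHooks(meta);
  if (details.installHooks.length) signals.push('install-scripts');

  details.daysSinceModified = daysSinceModified(meta, now);
  if (details.daysSinceModified > THRESHOLDS.unmaintainedDays) signals.push('unmaintained');

  details.maintainerCount = maintainers.length;
  if (details.maintainerCount > THRESHOLDS.maxMaintainers) signals.push('too-many-maintainers');

  details.contributorCount = context.contributorCount || 0;
  if (details.contributorCount > THRESHOLDS.maxContributors) signals.push('too-many-contributors');

  const perMaintainer = context.packagesPerMaintainer || {};
  details.overloaded = maintainers
    .filter((m) => (perMaintainer[m.name] || 0) > THRESHOLDS.maxPackagesPerMaintainer)
    .map((m) => m.name);
  if (details.overloaded.length) signals.push('overloaded-maintainer');

  return { name: meta.name, signals, details };
}

// Constructed sample registry document and context (not a real package).
const SAMPLE_META = {
  name: 'example-widget',
  'dist-tags': { latest: '1.4.0' },
  versions: { '1.4.0': { scripts: { postinstall: 'node scripts/setup.js', test: 'mocha' } } },
  time: { modified: '2020-01-15T00:00:00.000Z' },
  maintainers: [
    { name: 'alice', email: 'alice@example.com' },
    { name: 'bob', email: 'bob@expired-domain.example' },
  ],
};
const SAMPLE_CONTEXT = {
  now: new Date('2023-06-01T00:00:00Z'),
  contributorCount: 12,
  packagesPerMaintainer: { alice: 3, bob: 250 },
  // Stand-in for a DNS/WHOIS lookup: one constructed domain is treated as lapsed.
  isDomainRegistered: (domain) => domain !== 'expired-domain.example',
};

const SAMPLE_REPORT = assessPackage(SAMPLE_META, SAMPLE_CONTEXT);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

For the constructed sample the report raises four signals (expired e-mail domain, install scripts, unmaintained, overloaded maintainer); a package reviewed this way is a candidate for closer inspection, not an automatic rejection, since each signal is a weak-link indicator rather than proof of compromise.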

The OpenSSF Scorecard project auto-generates a "security score" for OSS projects from a list of security check metrics, verifying baseline security standards and generating valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics in the npm and PyPI ecosystems to identify security gaps and to recommend practical, automatable security practices to practitioners. Our ML models showed Code-Review, Maintained, Branch Protection, and Security Policy as the most important metrics for improving package security.
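A practical way to act on that finding is to gate dependency intake on the four checks the models ranked highest rather than on the aggregate score alone. The script below is an added example for this page (not the study's code and not part of Scorecard itself): it reads a Scorecard result, flags any priority check that is missing, inconclusive, or below a threshold, and returns a pass/fail decision with reasons. The input shape (a top-level `checks` array with `name`, `score`, and `reason`, where a score of -1 marks a check that could not be evaluated) follows Scorecard's JSON output as this example assumes it; the threshold and the sample result are constructed.

```javascript
// Added example, not code from the study or from Scorecard: gate a dependency on
// the four checks the text names as most important. The sample result and the
// minimum score are constructed for illustration.

const PRIORITY_CHECKS = ['Code-Review', 'Maintained', 'Branch-Protection', 'Security-Policy'];

// Scorecard scores each check 0..10; -1 means the check could not be evaluated.
// Returns { repo, pass, gaps } where gaps lists every priority check that fails.
function gateOnPriorityChecks(result, minScore = 7) {
  const byName = new Map((result.checks || []).map((c) => [c.name, c]));
  const gaps = [];
  for (const name of PRIORITY_CHECKS) {
    const check = byName.get(name);
    if (!check) {
      gaps.push({ name, score: null, reason: 'check not present in result' });
    } else if (check.score < 0) {
      // Treat an inconclusive check as a gap: absence of evidence is not a pass.
      gaps.push({ name, score: check.score, reason: `inconclusive: ${check.reason}` });
    } else if (check.score < minScore) {
      gaps.push({ name, score: check.score, reason: check.reason });
    }
  }
  return { repo: result.repo && result.repo.name, pass: gaps.length === 0, gaps };
}

// Constructed sample result (not a real repository or a real Scorecard run).
const SAMPLE_RESULT = {
  repo: { name: 'github.com/example-org/example-lib' },
  score: 6.8,
  checks: [
    { name: 'Code-Review', score: 3, reason: 'found 7 unreviewed changesets out of 10' },
    { name: 'Maintained', score: 10, reason: 'commit and issue activity found in the last 90 days' },
    { name: 'Branch-Protection', score: -1, reason: 'insufficient token permissions to read settings' },
    { name: 'Security-Policy', score: 10, reason: 'security policy file detected' },
    { name: 'Binary-Artifacts', score: 10, reason: 'no binaries found in the repo' },
  ],
};

const SAMPLE_DECISION = gateOnPriorityChecks(SAMPLE_RESULT);
console.log(JSON.stringify(SAMPLE_DECISION, null, 2));
```

On the constructed sample the dependency fails the gate for two reasons: Code-Review is well below the threshold, and Branch-Protection could not be evaluated. The aggregate score of 6.8 alone would hide which of the high-importance practices is actually missing.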

Do I really need all this work to find vulnerabilities?

To build secure software while addressing the ever-growing attack surface, practitioners must use the available resources as efficiently as possible to remove the most vulnerabilities from software. Practitioners often turn to tools and techniques that improve vulnerability detection without expanding the resources spent on it. Therefore, practitioners can benefit from guidance in selecting vulnerability detection and prevention techniques and tools. We applied six categories of vulnerability detection and prevention techniques (SMPT, EMPT, DAST, IAST, RASP, and SAST) to a large Java application, an open-source medical records system, to compare vulnerability detection techniques.