Practitioners often struggle with the overwhelming number of security practices outlined in cybersecurity frameworks for risk mitigation. Given the limited budget, time, and resources, practitioners want to prioritize the adoption of security practices based on empirical evidence. Therefore, developing empirical research to evaluate the security outcome of recommended practices is both a research priority and a fundamental prerequisite for evidence-based security decision-making. The study investigated the relationship between publicly available data on security practice adoption and security outcomes metrics. Our findings reveal that aggregated adoption of security practices is associated with 5.2 fewer vulnerabilities, 216.8 days faster MTTR, and 52.3 days faster MTTU. Repository characteristics have an impact on security practice effectiveness: repositories with high security practices adoption, especially those that are mature, actively maintained, large in size, have many contributors, few dependencies, and high download volumes, tend to exhibit better outcomes compared to smaller or inactive repositories. Among individual security practices, Code Review, Contributors from diverse organizations, License, CI-Tests, and Pinned Dependencies show strong associations with security outcomes.
Existing malicious code detection techniques demand the integration of multiple tools to detect different malware patterns, often suffering from high misclassification rates. Therefore, malicious code detection techniques could be enhanced by adopting advanced, more automated approaches to achieve high accuracy and a low misclassification rate. We present SocketAI, a malicious code review workflow to detect malicious code. Our baseline comparison demonstrates a 16% and 9% improvement over static analysis in precision and F1 scores, respectively. GPT-4 achieves higher accuracy with 99% precision and 97% F1 scores, while GPT-3 offers a more cost-effective balance at 91% precision and 94% F1 scores. Prescreening files with a static analyzer reduces the number of files requiring LLM analysis by 77.9% and decreases costs by 60.9% for GPT-3 and 76.1% for GPT-4.
With our increasing reliance on third-party software, our supply chain has become very complex and comes with a large number of risks that have led to many high-profile supply chain attacks. Different breaches have different causes and involve multiple steps to execute a supply chain attack. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the views of a data-driven attacker, focusing on how an attacker would use and assess the publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack. We proposed six signals of security weaknesses in npm software supply chain: 1) expired email domain; 2) install scripts; 3) unmaintained packages; 4) too many maintainers; 5) too many contributors, and 6) overloaded maintainers.
Media Coverage:
PortSwigger : Data study reveals predictors of supply chain attacks in NPM repositories.
The Record by Recorded Future: Thousands of npm accounts use email addresses with expired domains.
The Register: Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point
The Register: How to find NPM dependencies vulnerable to account hijacking.
Aqua Security: New npm Flaws Let Attackers Better Target Packages for Account Takeover
Tools Integrating our weaklink signals:
Socket, packj, guarddog, sdc-check
Security Specialists are promoting our weaklink signals:
Absolute AppSec Ep. #165 - Portswigger 2021 Top 10, Supply Chain Attacks
Episode 332 - PyPI: 2FA or not 2FA, that is the question
Level1 News February 25 2022: Living In The Disney Vault
Announcing Socket for GitHub 1.0
Python Packaging and PyPI in 2022
The Scorecard project auto-generates a “security score” for OSS projects with a list of security check metrics to verify baseline security standards and generate valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics in the npm and PyPI ecosystems to identify the security gaps and recommend practical automated security practices to practitioners. Our ML models showed Code-Review, Maintained, Branch Protection, and Security Policy as the most important metrics to improve package security..
Media Coverage:
The Register : Boffins rate npm and PyPI package security and it's not good
Do I really need all this work to find vulnerabilities?
To build secure software while addressing the ever-growing attack surface, practitioners must utilize the available resources as efficiently as possible to remove the most vulnerabilities from software. Practitioners often use different technologies that optimize resources and increase efficiency to improve vulnerability detection efforts while not expanding the resources. Therefore, practitioners can benefit from guidance in selecting vulnerability detection and prevention techniques and tools. We apply six different categories of vulnerability detection and prevention techniques—SMPT, EMPT, DAST, IAST, RASP, and SAST—to a large Java application of an open-source medical records system to compare vulnerability detection techniques.