Software Composition Analysis Mitigates Systemic Risk in the Popular NPM Repository

Software Composition Analysis Mitigates Systemic Risk in the Popular NPM Repository

Chris Wysopal, Veracode Chief Technology Officer and Co-Founder, recently sat down to discuss the open source supply chain attack on the popular npm repository. Below is the transcript and corresponding video of his reaction.  

Just a few days ago, we saw a classic open source supply chain attack where someone modified a JavaScript library, UA-Parser-JS, which is in the npm repository. The attackers modified the library to include password stealers and crypto miners so that the applications of anyone who downloaded that version would be compromised. 

With an attack like this, the applications that are using this library with this code are going to be running that code with the privileges that they have, wherever they're deployed.  

In this case, it was malicious code that was planted. I'm sure it was done in such a way that everyone using those libraries is going to become vulnerable. 

If it's password-stealing code, it's going to grab the passwords and send them to the attackers. In the case of crypto miners, it's going to suck up resources and CPU time and send the money to the attacker's wallets. 

It’s important if you're using any kind of open source – which 99 percent of people building applications are – to use an open source software composition analysis (SCA) tool. What that can do is determine what open source you're using. Veracode SCA does this. Another important thing to do is make sure the vulnerability database that your SCA tool uses is current and up to date.  

At Veracode, we scan all the open source repos every single night. When this malicious code was inserted, we detected it right away. All of our customers were alerted that if they're using this version of the code, they need to update to the non-vulnerable version immediately.  

Veracode’s recent State of Software Security: Open Source Edition report shows that 79 percent of the open source libraries that developers include are set it and forget it, which means they include it once and they never update it. But the updates tend to be relatively straightforward. In fact, 92 percent of open source flaws can be fixed with an update. And 69 percent of updates are a minor version change or less.  

It is really important to have good and timely information about the vulnerabilities in the libraries you're using and a good process for updating the libraries …  hopefully in a very automated manner. That way you're updating these libraries without any manual effort, probably in minutes or hours instead of months. That could be the difference between an attacker compromising you or not.  

This is why it's so important to stay on top of all the known vulnerabilities in the open source libraries you're using as part of your application, because when you include that third-party code, your application is likely to become vulnerable to those same problems. 

Don’t fall victim to an open source attack. Learn how Veracode Software Composition Analysis can protect your code. 

Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter.   

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.