Proposed by: Shiva Abhishek
Open-source software supply-chain risks beyond CVEs: attacks and defense
- Modern software apps and services are built using open-source software (OSS) because of its benefits and ease of use. Today, OSS is distributed as ready-to-use packages on popular public package registries such as PyPi, NPM, and RubyGems.
- Due to the widespread use and popularity, bad actors evidently leverage novel supply-chain attack vectors beyond CVEs, such as Typosquatting, Social Engineering, and Dependency Confusion to compromise OSS packages and propagate malware.
- Yet, there is no robust way to analyze published OSS packages and measure supply-chain cyber risks. Existing vulnerability scanners such as Dependabot assume trusted/benign third-party OSS code, and do not analyze code behavior to address these modern threats.
- In this talk, we will present a FOSS tool, called Packj, for developers and security researchers to mitigate OSS supply-chain attacks. Packj analyzes several codes as well as metadata attributes that make a package vulnerable to supply-chain attacks, and flags all identified “weak links’’ for deeper review.
- For instance, Packj scans package metadata (e.g., Readme, homepage, description) to detect whether a package is dummy/typo-squatted/troll. It checks version history and release time gaps to detect if the package is actively maintained. It flags packages with no public availability of source code repo and that lack two-factor authentication (2FA). It also carries out static+dynamic code analysis to analyze programmatic behavior, and flags the use of file systems and network APIs that can exfiltrate sensitive data.
- By the end of this presentation, the audience will know various open-source supply-chain attack techniques, with examples and tools/approaches for identifying risky dependencies. We will demo the tool and showcase our findings on malicious packages that we reported to PyPI and RubyGems package registries.
Source code/Reference: https://github.com/ossillate-inc/packj
Talk duration: