vulnerabilities. Checkmarx expects Tactics, Techniques and Procedures (TTPs) like dependency confusion, typosquatting, repository jacking (aka ChainJacking), and star jacking, to become imminent cyberattack methods due to issues with open source.

What are the hallmarks of successful supply chain attacks and what are the worst outcomes?

Successful supply chain attacks typically target the weakest link in the supply chain and usually involve the attackers replacing legitimate files with malicious files. These can result in several types of disastrous outcomes, such as ransomware attacks (Colonial Pipeline), SolarWinds (30K+ companies affected) and the like.

Could you share a few examples of different types of open source supply chain attacks?

Open source supply chain attacks are designed to confuse developers. Some examples include:

Dependency Confusion: A Dependency Confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.

Typosquatting: Attackers purposely misspell package names, which are often common typos, hoping developers will make a mistake, or accidentally grab a package that looks very similar to the one they are searching for.

Chain Jacking: Developers often deploy software and packages to public registries for organisations, projects and other developers to implement; attackers using chainjacking techniques will emulate typosquatting techniques. However, they use a legitimate former name of a package developer rather than a similar name.

What is the best practice approach to defending against these attacks?

Companies need to provide their developers with proactive solutions to safeguard their development ecosystem. This means providing developers with solutions that allow them to treat open source code with the same scrutiny as they treat their own proprietary code.

Also, solutions which address the use of open source code have to start with identifying the OSS packages being used, called directly by application code or included indirectly. The next step is understanding if any of the packages being used contain
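To make the dependency confusion and typosquatting examples in the interview concrete, here is an added audit check (my own illustration, not Checkmarx's or the magazine's code) that walks a constructed list of resolved packages: it flags internal-namespace names that were resolved from a public index, and unknown names that are near-misses of an allowlist. The internal package names, index URLs and resolved-package list are assumed sample values.

```python
"""Audit resolved dependencies for dependency-confusion and typosquat risk."""
from difflib import SequenceMatcher

# Assumption: names reserved for the organisation's private registry.
INTERNAL_NAMES = {"acme-auth", "acme-billing", "acme-utils"}
# Assumption: public packages the team has reviewed and actually uses.
TRUSTED_PUBLIC = {"requests", "numpy", "urllib3"}
# Assumption: URL of the private index every internal name must come from.
INTERNAL_INDEX = "https://pypi.internal.acme.example/simple"
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed sample of what a resolver reported: (name, version, source index).
RESOLVED = [
    ("acme-auth", "1.4.0", INTERNAL_INDEX),
    ("acme-utils", "99.0.0", PUBLIC_INDEX),   # internal name served by the public index
    ("requests", "2.31.0", PUBLIC_INDEX),
    ("reqeusts", "0.0.1", PUBLIC_INDEX),      # one transposition away from "requests"
    ("numpy", "1.26.4", PUBLIC_INDEX),
]


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two package names are (1.0 = identical)."""
    return SequenceMatcher(None, a, b).ratio()


def audit(resolved, internal_names, trusted_public, internal_index, threshold=0.85):
    """Return (package, finding) pairs for resolutions that deserve a second look."""
    findings = []
    known = internal_names | trusted_public
    for name, _version, source in resolved:
        # Dependency confusion: an internal name must never come from another index.
        if name in internal_names and source != internal_index:
            findings.append((name, "dependency-confusion: internal name resolved from public index"))
            continue
        if name in known:
            continue
        # Unknown name: look for near-misses of names the team already trusts.
        close = sorted(t for t in known if similarity(name, t) >= threshold)
        if close:
            findings.append((name, f"possible typosquat of {close[0]}"))
    return findings


if __name__ == "__main__":
    for package, finding in audit(RESOLVED, INTERNAL_NAMES, TRUSTED_PUBLIC, INTERNAL_INDEX):
        print(f"{package}: {finding}")
```

The same check applies to any ecosystem whose lockfile records the source index (npm, NuGet, Maven); the input tuples are the only ecosystem-specific part.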
76 INTELLIGENTCIO MIDDLE EAST www.intelligentcio.com