I felt this article expressed their concerns about their in-house developed code or open-source library usage. Based on these discussions, I wanted to share some insight in an effort to be helpful:
Many applications today leverage open-source libraries and packages to ensure interoperability, usability of the program, and a proper user experience. Personally, my security team uses Python and Node for many of our in-house automations. The article shed light on many things for me, and urged me to walk over to my security and my enterprise teams and ask the question, “Do we actually review, catalogue, and manage the dependencies for any of our code?”
This is a scary thought… I did not know the answer to the above and I’m supposed to be the security leader ensuring the safety of our company. This sentiment resonated with me, as well as the elegance of this hack. I found myself then asking, “So what happens if an employee on my team leaves? Am I vulnerable? Can they still affect my in-house code?” The short answer to my earlier question is: if my employees’ code uses publicly updated libraries/repositories to ensure the code remains up to date, then yes, my company may be vulnerable to this hack.
If that happens, where do we go from here? Well, I could start with an application security assessment that will help identify whether the current code is getting updated from public libraries/repositories. Now, the key thing to note here is that this attack only works if specifically named packages are pulled. Given the detail in this article, I could not determine which packages are vulnerable, but considering that they were normal packages that big companies like PayPal, Apple, and Spotify use, I would have to assume anyone else can be at risk.
From there, I also wondered, how do you know if you were hit with this attack? The article noted that the exfiltration method is DNS, meaning you should be able to identify whether you were hit with this attack. If, when executing a “pip” update for the Python packages, your DNS requests start increasing with larger than normal DNS query packet sizes, then you may be experiencing the exfiltration of device data.
The second, more concerning issue is: how do we as an organization prevent untrusted code from being delivered or utilized in our source, where it can interact with our whole code base as it is being executed?
The elegance of the hack in the article was that the researcher reviewed all the different dependency libraries for certain source codes, identified which dependencies accepted changes to their packages without review, and used that entry point to insert his own code. The amount of effort this researcher had to put in to identify less secure dependencies must have been mind-boggling. Kudos to you.
But what does this mean now?
My good colleague mentioned that it might be a good time to address inventory management. Not asset inventory, which we all know and love (sarcasm), but a code/dependency inventory: identifying all 3rd party software installed in our internally developed applications.
There are probably many ways to accomplish this task, but a good start is to audit ‘npm’ and ‘pip’ and find out which packages are checked and updated on a regular basis. Then focus on adding a review of this audit into your policies and integrating this audit as a regular operational process into your SDLC.
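As a starting point for that audit, here is an added example (not from the article or from any tool it mentions) that builds a small pip/npm dependency inventory and marks which entries float, meaning their version can change on the next install or update. The manifests, package names and index URL are constructed, and only name-based requirement lines are handled.

```python
import json
import re

# Constructed sample manifests; every package name and URL here is made up.
REQUIREMENTS_TXT = """\
# automation tooling
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
internal-auth-utils>=1.0
PyYAML
cryptography~=41.0  # crypto helpers
"""
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.18.2", "acme-internal-logger": "^1.2.0"},
    "devDependencies": {"eslint": "latest"},
})
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^;]*)")
EXACT_NPM = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

def pip_inventory(text):
    """Return (rows, option_lines) for a pip requirements file."""
    rows, options = [], []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()   # drop comments
        if not line:
            continue
        if line.startswith("-"):        # e.g. index options: review by hand
            options.append(line)
            continue
        name, spec = (part.strip() for part in REQ.match(line).groups())
        pinned = spec.startswith("==") and "*" not in spec
        rows.append(("pip", name.lower(), spec or "(any)", pinned))
    return rows, options

def npm_inventory(text):
    """Return rows for the dependency maps of a package.json."""
    manifest = json.loads(text)
    return [("npm", name, spec, bool(EXACT_NPM.match(spec)))
            for section in ("dependencies", "devDependencies")
            for name, spec in manifest.get(section, {}).items()]

def floating(rows):
    """Entries whose resolved version can change without a code change."""
    return sorted(f"{eco}:{name}" for eco, name, _, pinned in rows if not pinned)

if __name__ == "__main__":
    pip_rows, option_lines = pip_inventory(REQUIREMENTS_TXT)
    print("review first:", floating(pip_rows + npm_inventory(PACKAGE_JSON)))
    print("index/option lines:", option_lines)
```

The floating entries and any index option lines are the ones to bring to the regular review, since they are where a newly published public version can enter a build unnoticed.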
This isn’t a typical SDLC issue, so why should we include it in this cycle? And you are right, it isn’t. This approach straddles both SDLC and vulnerability management. Security typically owns vulnerability management but cannot interfere with dev-ops. We can help govern and secure dev-ops by introducing some of our process at the beginning of the process. That way the company is built with a security-first mindset and not an afterthought.
Now let’s talk next level. I know that SaaS and ERP solutions are in a constant state of development and deployment. New custom apps are always being added to assure the proper user experiences desired. What type of security are those developers doing to ensure their code isn’t using untrusted libraries or packages? What do you do to wrap security around that? I know what I would do, but I’m curious to hear what your thoughts are…