This is the Trace Id: 3d13666519c9263ef8f29f1e7f695106

Open Source Software Supply Chain Threats

Open source is extremely beneficial to software development to expedite developer productivity and innovation. However, cyber attacks targeting open source are on the rise, and open source is a critical aspect of any software supply chain. Below is a list of real-life threats to open source software. Each threat is linked to a real security incident. Our framework provides the support to protect your supply chains and prevent threats like these from compromising your organization's software and development environment.

Comprehensive compilation of OSS supply chain threats

Threats Real examples Mitigation via OSS SSC Framework Framework requirement reference
Accidental vulnerabilities in OSS code or Containers that we inherit
Automated patching, display OSS vulnerabilities as pull requests
UPD-2, UPD-3
Intentional vulnerabilities/backdoors added to an OSS code base
Perform proactive security review of OSS 
SCA-5
A malicious actor compromises a known good OSS component and adds malicious code into the repo
Ability to block ingestion via malware scan, single feed, all packages are scanned for malware prior to download
ING-3, ENF-2, SCA-4
A malicious actor creates a malicious package that is similar in name to a popular OSS component to trick developers into downloading it 
OSS provenance analysis, single feed, all packages are scanned for malware prior to download 
AUD-1, ENF-2, SCA-4
A malicious actor compromises the compiler used by the OSS during build, adding backdoors 
Rebuilding OSS on trusted build infrastructure ensures that packages don’t have anything injected at build time
REB-1
Dependency confusion, package substitution attacks
Single feed, securely configure your package source mapping 
ENF-1, ENF-2
An OSS component adds new dependencies that are malicious 
All packages are scanned for malware prior to download, single feed
SCA-4, ENF-2
The integrity of an OSS package is tampered after build, but before consumption
Digital signature or hash verification, SBOM validation
AUD-3, AUD-4
Upstream source can be removed or taken down which can then break builds that depend on that OSS component or container
Use package-caching solutions, mirror a copy of OSS source code to an internal location for Business Continuity and Disaster Recovery (BCDR) scenarios 
ING-2, ING-4
OSS components reach end-of-support/end-of-life and therefore don’t patch vulnerabilities 
Scan OSS to determine if it is at end-of-life
SCA-3
Vulnerability not fixed by upstream maintainer in desired timeframe
Implement a change in the code to address a zero-day vulnerability, rebuild, deploy to your organization, and confidentially contribute the fix to the upstream maintainer.
FIX-1
Bad actor compromises a package manager account (e.g. npm), with no change to the corresponding open source repo, and uploads a new malicious version of a package
OSS provenance analysis, single feed, scan OSS for malware
AUD-1, ENF-2, SCA-4