Open source security is key as cyber attacks increase 700x

A report has highlighted an increase in cyber attacks on open source supply chain ecosystems, with incidents increasing 700% over the past three years.

Cyber attacks on open source ecosystems have increased seven times over across the last three years, according to data from an annual report.

According to early data from DevSecOps automation specialist Sonatype's 8th annual State of the Software Supply Chain Report, which will be released in full in October, an average 700% jump in repository attacks has been recorded over the last three years.

To capitalise on weaknesses in upstream open source ecosystems, cybercriminals continue to target organisations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. Sonatype says its repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years.

Open source cyber attacks show no sign of slowing down

“Almost every modern business relies on open source,” said Brian Fox, co-founder and CTO of Sonatype. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down – making the early detection of both known and unknown security vulnerabilities more important than ever.

“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

In 2021, 64% of organisations experienced software supply chain attacks, and approximately 70% of them lacked the right policies for using open source.

Earlier this year researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs). And a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII).
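The counterfeit-package pattern described above (lookalike names published to npm or PyPI so that a mistyped or misread dependency pulls in attacker code) is something a team can screen for before a package ever reaches a build. The following is an added example, not Sonatype's Firewall or any code from the report: a small pre-install gate over a requirements-style manifest that blocks names within one edit (including an adjacent-character swap) of a well-known package, and blocks anything not yet on an organisational allowlist. The `POPULAR` set, the `ALLOWLIST`, the `SAMPLE_MANIFEST` and the manifest format are all constructed for the example.

```python
"""Added example: a pre-install policy gate for a dependency manifest.

Not Sonatype's code. It screens for two things a repository firewall commonly
checks before a component 'comes in the door':
  1. names within one edit of a well-known package (typosquat candidates)
  2. names the organisation has not yet reviewed (not on the allowlist)
The POPULAR set and ALLOWLIST below are constructed stand-ins for a real
popularity feed and a real policy list.
"""
from __future__ import annotations

# Constructed list of well-known package names (stand-in for a popularity feed).
POPULAR = {"requests", "numpy", "urllib3", "django", "flask", "lodash", "express"}

# Constructed organisational allowlist (packages a policy team has reviewed).
ALLOWLIST = {"requests", "numpy", "urllib3"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'reqeusts' counts as one edit from 'requests', not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(name: str) -> str:
    """PEP 503-style normalisation: case-fold and treat '-', '_' and '.' alike."""
    return name.lower().replace("_", "-").replace(".", "-")


def parse_manifest(text: str) -> list[str]:
    """Extract package names from a requirements.txt-style manifest (constructed format)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        # cut off extras and version specifiers: 'requests[security]>=2.0' -> 'requests'
        for sep in ("[", "==", ">=", "<=", "~=", "!=", ">", "<"):
            line = line.split(sep, 1)[0]
        names.append(line.strip())
    return names


def assess(name: str) -> dict:
    """Return the policy verdict for one package name."""
    n = normalise(name)
    verdict = {"name": name, "typosquat_of": None, "allowlisted": n in ALLOWLIST}
    if n not in POPULAR:
        # a close neighbour of a popular name is the classic counterfeit pattern
        close = [p for p in POPULAR if edit_distance(n, p) <= 1]
        if close:
            verdict["typosquat_of"] = sorted(close)[0]
    return verdict


def gate_manifest(text: str) -> tuple[list[str], list[str]]:
    """Split a manifest into (accepted names, blocked entries with a reason)."""
    accepted, blocked = [], []
    for name in parse_manifest(text):
        v = assess(name)
        if v["typosquat_of"]:
            blocked.append(f"{name}: looks like a typosquat of '{v['typosquat_of']}'")
        elif not v["allowlisted"]:
            blocked.append(f"{name}: not on the approved allowlist")
        else:
            accepted.append(name)
    return accepted, blocked


# Constructed sample manifest mixing reviewed, lookalike and unreviewed packages.
SAMPLE_MANIFEST = """\
requests>=2.28      # reviewed
numpy==1.23.0
reqeusts            # one transposition away from 'requests'
urlib3              # one deletion away from 'urllib3'
leftpad             # not a lookalike, just not reviewed yet
"""

if __name__ == "__main__":
    ok, bad = gate_manifest(SAMPLE_MANIFEST)
    print("accepted:", ok)
    for reason in bad:
        print("blocked :", reason)
```

Run as a pre-commit or CI step, the gate fails the build on any blocked entry, so a lookalike name is caught at review time rather than after the package has executed in a developer's environment. The one-edit threshold is deliberately tight; widening it raises false positives on short names, so in practice the popularity feed and allowlist, not the distance, do most of the work.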

Digital supply chain attacks provide high return on investment for cyber attackers

According to Gartner, cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. As vulnerabilities such as Log4j spread through the supply chain, more threats are expected to emerge. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

“Organisations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities,” said Peter Firstbrook, research vice president at Gartner. “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise – all while dealing with a shortage of skilled security staff.”

“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organisations can’t – and shouldn’t – avoid the use of open source just to protect themselves,” Fox added. “But they can use preventative tools – such as the Sonatype Firewall – to keep developers on track and software supply chains secure.”
