Open source security is key as cyber attacks increase 700x

A report has highlighted an increase in cyber attacks on open source supply chain ecosystems, with incidents increasing 700% over the past three years.

Cyber attacks on open source ecosystems have increased seven times over across the last three years, according to data from an annual report.

According to early data from DevSecOps automation specialist Sonatype's 8th annual State of the Software Supply Chain Report, which will be released in full in October, an average 700% jump in repository attacks has been recorded over the last three years.

To capitalise on weaknesses in upstream open source ecosystems, cybercriminals continue to target organisations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. Sonatype says its repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years.

Open source cyber attacks show no sign of slowing down

“Almost every modern business relies on open source,” said Brian Fox, co-founder and CTO of Sonatype. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever. 

“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

In 2021, 64% of organisations experienced software supply chain attacks, and approximately 70% of them lacked the right policies for using open source.

Earlier this year researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs). And a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII).

Digital supply chain attacks provide high return on investment for cyber attackers

According to Gartner, cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. As vulnerabilities such as Log4j spread through the supply chain, more threats are expected to emerge. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

“Organisations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities,” said Peter Firstbrook, research vice president at Gartner. “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise – all while dealing with a shortage of skilled security staff.”

“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organisations can’t–and shouldn’t–avoid the use of open source just to protect themselves,” Fox added. “But they can use preventative tools–such as the Sonatype Firewall–to keep developers on track and software supply chains secure.”

Share

Featured Articles

Building Cyber Resilience into ‘OT in Manufacturing’ webinar

Join Acronis' webinar, Building Cyber Resilience into ‘OT in Manufacturing’, 21st September 2023

Google at 25: From a Search pioneer to AI breakthroughs

Technology Magazine explores how the tech giant went from being based in a California garage to a pioneer in technologies from AI to quantum computing

McKinsey: Nine actions for CIOs and CTOs to embrace gen AI

McKinsey identifies nine actions to help CIOs and CTOs create value, orchestrate technology and data, scale solutions, and manage risk for generative AI

OpenAI ChatGPT Enterprise tier drives digital transformation

AI & Machine Learning

Sustainability LIVE: A must-attend for technology leaders

Digital Transformation

VMware and NVIDIA to unlock generative AI for enterprises

AI & Machine Learning