Open source security is key as cyber attacks increase 700x

A report has highlighted an increase in cyber attacks on open source supply chain ecosystems, with incidents increasing 700% over the past three years.

Cyber attacks on open source ecosystems have increased seven times over across the last three years, according to data from an annual report.

According to early data from DevSecOps automation specialist Sonatype's 8th annual State of the Software Supply Chain Report, which will be released in full in October, an average 700% jump in repository attacks has been recorded over the last three years.

To capitalise on weaknesses in upstream open source ecosystems, cybercriminals continue to target organisations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. Sonatype says its repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years.

Open source cyber attacks show no sign of slowing down

“Almost every modern business relies on open source,” said Brian Fox, co-founder and CTO of Sonatype. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever. 

“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

In 2021, 64% of organisations experienced software supply chain attacks, and approximately 70% of them lacked the right policies for using open source.

Earlier this year researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs). And a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII).

Digital supply chain attacks provide high return on investment for cyber attackers

According to Gartner, cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. As vulnerabilities such as Log4j spread through the supply chain, more threats are expected to emerge. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

“Organisations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities,” said Peter Firstbrook, research vice president at Gartner. “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise – all while dealing with a shortage of skilled security staff.”

“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organisations can’t–and shouldn’t–avoid the use of open source just to protect themselves,” Fox added. “But they can use preventative tools–such as the Sonatype Firewall–to keep developers on track and software supply chains secure.”

Share

Featured Articles

How Zscaler AI Innovation is Powering Data Protection

With its AI-powered Data Protection Platform, Zscaler is delivering cutting-edge innovations to provide comprehensive data security

How NetApp Unified Data Storage is Powering the AI Era

With powerful unified storage, NetApp is enabling organisations to accelerate AI innovation and unlock the full potential of their data assets

Tech & AI LIVE London – One Week to Go

Just one more week to go until Tech & AI LIVE returns to the virtual stage – May 21 2024

What Adam Selpisky’s Shock Departure Means for AWS

Digital Transformation

SAP & FC Bayern: Technology Drives Efficiency & Scalability

Digital Transformation

EY: Tech CEOs Double Down on Tech, Data & Cyber Investments

IT Procurement