Dependency Confusion: An open door to your on-prem

Eilon Elhadad
Sep 09 · 4 min read

Modern software development and delivery is not done in a silo, on a single developer's machine. Software is written in collaboration with teammates, external partners, and open source developers. Developers use various external packages or dependencies as they build applications. These packages are hosted in a repository like JFrog Artifactory, or a container registry like Docker Hub. They may seem safe because they are used by so many others, but lurking in these packages are hidden threats to your software security.

A new type of cyber attack

The dependency confusion attack is a new type of attack because it rides on the wave of collaborative programming. It takes advantage of centralized repositories like the Node package manager (npm) or a container registry to spread malicious code cloaked as legitimate, clean code.

These dependencies make applications more flexible and robust. They can even make developers more productive by reducing the amount of boilerplate code a developer needs to write. However, all this comes at a cost – the security of the software system that uses these dependencies. 

What is a dependency confusion attack?

A malicious actor starts by placing a package with a similar, but misspelled name in the repository. Since developers install packages by manually typing commands for tools such as npm and pip, and enter the package name by hand, they frequently misspell the names of popular packages. In these cases, the developer thinks they are downloading a legitimate package, but they are actually downloading something with malicious code in it.

Once the attacker gains entry into the system using their package, they begin to sniff around for credentials, database names, ways to escalate privilege, opportunities to replace source code, and data they can steal. They start out with simple steps to cloak their actions, so they can slip under the radar of monitoring tools. If this is done successfully, the attacker can have access to the system for months or years and patiently wait for the opportunity to find an unsecured server, a misplaced secret key, or a way to gain privileged access. 

The risks of dependency confusion

Dependency confusion is an easy way to access very sensitive information, and once the CI/CD pipeline has been breached it can pave the way to access a company’s network and its software supply chain. The options for a hacker are numerous. They can steal data to sell on the dark web, blackmail a company into paying a ransom, use the company’s cloud resources for their own purposes like mining bitcoin, or in some cases, permanently delete a company’s data just because they can. The organization risks losing its reputation, its customers’ trust, its competitive advantage, potential income, and more. There are too many reasons to take dependency confusion attacks seriously.

Is a dependency review enough?

Doing a manual review of all dependencies once a week or every few days is not the right approach. For one, any manual effort is bound to fail and be inconsistent. As a first step, Admins should disallow pulling packages/code from outside the company network, unless explicitly authorized to do so. In this case, the Ops team can have a pre-approved and vetted list of packages and registries that are safe for developers to download from. Even here, these packages need to be checked.

When can you trust the code you are reusing?

What’s needed is a security solution that automatically scans every package that is downloaded from an external registry. It should be able to view the code of every package to sniff for anomalies, check the package names, run a check with a CVE list to see if any known malware is present, and approve the package as safe for use. This is the only way a security Admin can sleep in peace knowing their system is not prone to external dependency confusion attacks. 
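The pre-approved list of packages and registries and the package-name check described above can be sketched as a lockfile audit. This is an added example, not Argon's code or code from the original post; the registry host `artifacts.corp.example`, the approved list, the 0.8 similarity threshold and the sample lockfile are all constructed assumptions.

```python
import json
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed policy (constructed for this example): one vetted internal
# registry host and a pre-approved package list.
ALLOWED_REGISTRIES = {"artifacts.corp.example"}
APPROVED_PACKAGES = {"express", "lodash", "corp-auth-client"}

def _entry(host, name, version):
    return {"version": version,
            "resolved": f"https://{host}/{name}/-/{name}-{version}.tgz"}

# Constructed sample in the npm package-lock.json "packages" layout.
SAMPLE_LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/express": _entry("artifacts.corp.example", "express", "4.18.2"),
    "node_modules/lodahs": _entry("registry.npmjs.org", "lodahs", "1.0.0"),
    "node_modules/corp-auth-client": _entry("registry.npmjs.org", "corp-auth-client", "2.1.0"),
    "node_modules/left-pad": _entry("artifacts.corp.example", "left-pad", "1.3.0"),
}})

def package_name(lock_key):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_key.rpartition("node_modules/")[2]

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def closest_approved(name, threshold=0.8):
    best = max(sorted(APPROVED_PACKAGES), key=lambda a: similarity(name, a))
    return best if similarity(name, best) >= threshold else None

def audit_lockfile(text):
    findings = []
    for key, meta in json.loads(text).get("packages", {}).items():
        if not key:  # the "" key is the root project, not a dependency
            continue
        name = package_name(key)
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in ALLOWED_REGISTRIES:
            findings.append((name, "unapproved-registry", host))
        if name not in APPROVED_PACKAGES:
            near = closest_approved(name)
            kind = "possible-misspelling" if near else "not-on-approved-list"
            findings.append((name, kind, near))
    return findings

if __name__ == "__main__":
    print(*audit_lockfile(SAMPLE_LOCKFILE), sep="\n")
```

Run as a CI step, a non-empty result would fail the build; entries without a `resolved` URL come back with a host of `None` and are flagged for review.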

How can Argon help?

Argon is one such solution that excels at identifying and preventing dependency confusion attacks. Argon is able to map out dependencies and identify any code that’s not part of the application and is coming from an external source. This code is scanned immediately. If the dependency is not validated and does not pass the test for some reason, Argon raises an alert. The Admin can set a policy to disallow any dependency that doesn’t pass this test until further review. From here, an Admin can look into the file and make a decision based on the input from Argon. This way, a security professional need not spend all their time chasing down dependencies. They can simply rely on the watchful eyes of a tool like Argon and only look into the priority cases as and when needed.

Further, Argon has the ability to add an exclusion pattern automatically, requesting the developer to “pull this code internally” if the same package is available internally. Sometimes developers may not be aware of all available packages, and this can be a big help to them. 

In summary, the dependency confusion attack is a new attack vector that is being used by many hackers to gain access to corporate systems. Many software teams are unprepared for these attacks and fall victim to them easily. By using a modern security solution like Argon, you can defend your system against all dependency confusion attacks and make your software supply chain airtight against external threats.
