New OS Vulnerability Framework Offers First Step Against Supply Chain Attacks
Supply chain attacks have gained in strength and impact thanks to increasingly interconnected development cycles. Open source software (OSS) is a blessing to developers, offering swathes of pre-built functionalities that save time and resources. However, attackers are all too aware of the importance this code holds within not just finished applications – but to the end-users thereof. The privileged position of OSS is an ever-lasting nightmare for web application security.
The Growth of Supply Chain Attacks
As a result, supply chain attacks grounded factories and damaged small business operations continuously throughout the year. For example, in March 2022, Toyota was forced to suspend domestic factory operations after an attack targeted Kojima Industries Corp. – a key plastic and components supplier. Speculation quickly arose, given the attack’s occurrence shortly after Japan voiced public support for Ukraine and began freezing Russian bank accounts. The weakness allowed attackers to deploy ransomware throughout Kojima Industries; Toyota was forced to preventatively halt Japanese manufacturing, causing a 5% drop in monthly production.
Collectively, supply chain attacks continue to wipe billions off legitimate markets. One of the largest obstacles to reducing that attack surface has been limited visibility throughout the application production cycle. Now, however, security efforts are changing this.
“No Understanding in the Industry”
In other web app exploitation fields, such as endpoint and ransomware weaknesses, there are comprehensive and up to date frameworks for keeping an eye on the broader threat landscape. OSS has consistently suffered from a complete lack of comprehensive oversight, largely thanks to the industry’s complexity. Once a web app is shipped, there tends to be very little end-user insight into the vulnerabilities thereof.
The Open Software supply Chain Attack Reference (OSC&R) initiative aims to combat the vulnerability blindness plaguing development and upstream end-users alike. This is achieved by evaluating software supply chain attacks that cover large swathes of the relevant attack surface. This process includes third-party library vulnerabilities; reported supply chain attacks that have hit third-party components; and compromised software updates. The information is, for the large part, already out there, as widespread flaws within OS code are regularly made public. The goal of the researchers is to create an overarching framework that every organization will be able to use in order to evaluate their own software supply chain. This is achieved by the OSC&R’s focus on following the same steps that attackers would. By linking published OS vulnerabilities into comprehensive attack chains, OSC&R takes an on-the-ground and – most importantly – actionable approach to vulnerability management
Offering a single point of reference, organizations can now begin addressing how well their own defenses match up to the threats that are on the horizon. This can also help define what threats require prioritization, and further track the various activities and modus operandi of attack groups. By offering the MITRE ATT&CK of OSS vulnerabilities, the security stance of every impacted party can be improved.
Managing the Supply Chain Security Threat
While this framework offers a promising step in the right direction, knowledge of an exploit and protecting against its exploitation lie at two ends of the security funnel. Actively preventing the use of such devastating attacks relies on patch execution – a task becoming increasingly difficult for overwhelmed security teams buckling under the weight of patch backlogs. At the same time, public disclosure of OS vulnerabilities is very quickly followed by attackers attempting to use such flaws for their own gain. The race is on, and all too often lost by legitimate organizations.
Virtual patching offers one solution to the rapid-moving attackers. Web Application Firewalls (WAFs) are the traditional example thereof, but security technology has allowed for advancements that take virtual patching one step further. The WAF is traditionally a security tool that sits at the public-facing perimeter of an app. This monitors all data packets traveling to and from the app or website. A severe limitation of the traditional WAF is the policies that dictate its accept or block states: the very capabilities that allow it to defend against attacks. These were typically manually implemented; a task that took even more time and resources away from security teams. This reliance on manual implementation meant that WAfs were always one step behind. Now, however, next-gen WAFs are able to take the broader threat analysis of third-party providers and create policies automatically. This lightning-speed rule propagation empowers security to keep pace with development, even before a patch is issued.
Another virtual patch program vital for web app security is Runtime Application Self Protection (RASP). While WAF monitors an app’s communication with the outside world, the RASP wraps around the app, enabling the solution to monitor the internal behaviors and login of the code itself. By actively monitoring its inputs and outputs, RASP can immediately detect unexpected behavior. This can then terminate any attempt to exploit an existing flaw within an unpatched app.
With both RASP and WAF deployed, an application can be protected from common OS attack attempts, as well as totally novel attack approaches superseding even those listed in OSC&R.