Security News

Supply chain risk is a top security priority as confidence in partners wanes
2022-09-05 03:30

As cyber attackers increasingly look to capitalize on accelerating digitalization that has seen many enterprises significantly increase their reliance on cloud-based solutions and services as well as third-party service providers, software supply chain risk has become a major concern of organizations. Seventy-nine percent of security professionals responding to a recent survey conducted by the Neustar International Security Council indicated that their organization's reliance on cloud-based solutions has increased from pre-pandemic levels, with 48% saying their reliance has "Greatly increased." Similarly, 78% said their reliance on cloud-based services has increased, and 66% reported that their reliance on third-party service providers has increased.

NSA and CISA share tips to secure the software supply chain
2022-09-01 15:21

The U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency have released tips today on securing the software supply chain. "Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks
2022-08-31 05:42

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 to secure the ecosystem from supply chain attacks. Called the Open Source Software Vulnerability Rewards Program, the offering is one of the first open source-specific vulnerability programs.

How vulnerable supply chains threaten cloud security
2022-08-22 03:00

Organizations are struggling to sufficiently secure new cloud environments implemented during the pandemic, while maintaining legacy equipment and trying to adapt their overall security strategy to the evolving landscape, a Proofpoint study released in collaboration with the Cloud Security Alliance reveals. "In the wake of COVID-19, organizations substantially accelerated their digital transformation initiatives to accommodate a remote workforce," said Hillary Baron, lead author and research analyst at CSA, the world's leading organization in defining standards, certifications, and best practices to help ensure a secure cloud computing environment.

How to minimize your exposure to supply chain attacks
2022-08-03 04:00

Supply chain attacks are on the rise, and many organizations seem unsure how to respond to the threat, but I'm here to tell you that there are several steps you can take to minimize your risk of being involved in a supply chain breach. To minimize any unknowns, start with a full audit of your IT environment, including any unapproved shadow IT. You need to understand exactly what hardware, software and SaaS products are being used, where the security gaps lie, and which vendors and partners your business relies on - including the nature of those interactions, from the types of data they process to system interfaces and various levels of integration.

Now is the time to focus on software supply chain security improvements
2022-08-01 04:00

The shift to cloud-native development, along with the increased speed in development brought about by the adoption of DevOps processes, has made the challenges connected with securing software supply chains infinitely more complex, according to recent research from Venafi. In this Help Net Security video, Kevin Bocek, VP of Threat Intelligence and Business Development, Venafi, discusses how CIOs are becoming increasingly concerned about the serious business disruptions, revenue loss, data theft, and customer damage that can result from successful software supply chain attacks.

What does software supply chain pain really feel like? Find out right here
2022-07-21 10:19

It has also given the cybercriminal community new routes to break into systems, either by exploiting existing vulnerabilities in the software supply chain or by surreptitiously inserting their own. So just imagine how you'd feel if you found out that a software component or library that you'd developed had a vulnerability that left not just you, but your downstream customers and partners open to attack?

Typo-squatting NPM software supply chain attack uncovered
2022-07-06 14:30

Researchers at ReversingLabs have uncovered evidence of a widespread software supply chain attack through malicious JavaScript packages picked up via NPM. NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from the odd issue or two over the years. The latest problem stems from typo-squatting, where an attacker offers up malicious packages with names similar to real packages.

NPM supply-chain attack impacts hundreds of websites and apps
2022-07-05 17:55

An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated JavaScript code to compromise thousands of downstream desktop apps and websites. As researchers at supply chain security firm ReversingLabs discovered, the threat actors behind this campaign used typosquatting to infect developers looking for very popular packages, such as the umbrellajs and ionic.io NPM modules.

IT pros are not very confident in their organization’s supply chain security
2022-06-21 08:00

Over the last two years, supply chain challenges have rocked both enterprises and consumers alike, making it harder to access certain goods and maintain business continuity. Security threats have only heightened these concerns, and an ISACA survey report illuminates IT professionals' key concerns around supply chain security challenges and how their organizations are responding to them.