"Software Supply Chain Attacks Soar 742% in Three Years"

Researchers at Sonatype have uncovered 88,000 malicious open-source packages so far this year, a triple-digit increase on the same figure in 2019 and indicative of a fast-growing corporate attack surface. The researchers stated that there is a growing risk to corporate systems from both malicious packages inserted into repositories by threat actors and accidental vulnerabilities that are unwittingly downloaded by DevOps teams. They noted that the surge in malicious activity is a testament to the growing use of open-source packages by these teams to speed time-to-market, and estimate that open-source requests will exceed three trillion this year.

The researchers argued that the sheer scale of open-source consumption and the extra complexity introduced by software dependencies can mean threats and vulnerabilities are missed by developers. They claim that the average Java application now contains 148 dependencies, 20 more than last year. With the average Java project updating 10 times a year, the researchers estimate that developers must track intelligence on nearly 1500 dependency changes annually for each application they work on. However, visibility into these development environments appears to be lacking: transitive dependencies accounted for six out of every seven bugs affecting open-source projects over the past year. Overall, the researchers noted, 96% of open-source Java downloads contained known vulnerabilities that could have been avoided because a better version was available but, for some reason, wasn't used.

The researchers stated that, unfortunately, many organizations appear to be operating under a false sense of security. Many of the survey respondents (68%) were confident that their applications are not using vulnerable libraries. However, a random sample of enterprise applications showed that 68% contained known vulnerabilities.

Infosecurity reports: "Software Supply Chain Attacks Soar 742% in Three Years"
