/* ---- Google Analytics Code Below */

Friday, June 18, 2021

Google's Method For Software Supply Chain Attacks

 Quite interesting  ...  a  'Software Supply Chain Attack', is inserting malware during its creation, transport or inclusion in some system. 

Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks  in TheRegister

Thomas Claburn in San Francisco Fri 18 Jun 2021 // 00:05 UTC

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform.

SLSA – short for Supply chain Levels for Software Artifacts and pronounced "salsa" for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

"The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats," said Kim Lewandowski, Google product manager, and Mark Lodato, Google software engineer, in a blog post on Wednesday. "With SLSA, consumers can make informed choices about the security posture of the software they consume."

Supply chain attacks – attempting to exploit weaknesses in the software creation and distribution pipeline – have surged recently. Beyond the SolarWinds incident and the exploitation of vulnerabilities in Apache Struts, there have been numerous attacks on software package registries like npm, PyPI, RubyGems, and Maven Central that house code libraries developers rely on to support complex applications.

According to security biz Sonatype [PDF], attacks on open source projects increased 430 per cent during 2020. One of the various plausible reasons is that compromising a dependency in a widely used library ensures broad distribution of malware. As noted in a 2019 TU Darmstadt research paper, the top five npm packages in 2018 "each reach between 134,774 and 166,086 other packages, making them an extremely attractive target for attackers."    ... ' 

No comments: