It’s clear we are undergoing a Digital Transformation Era. Companies across all sectors have invested significantly in their own digital platforms: e-banking, e-commerce, PWAs, streaming services, and much more.

Achieving differentiation in this era means pushing software development teams to deliver highly advanced applications in record time. Developing every single feature in-house has long stopped being sustainable. Now, developing digital products means re-using third-party code and integrating third-party scripts for added functionality.

Code Dependencies and Third-Party Scripts

The growth of JavaScript as the language of the Web has led to the emergence of libraries and frameworks — two major promoters of development speed. If we look at a typical development scenario for creating a React.js app with create-react-app, this step alone involves installing over 1,000 code dependencies, most of them open-source projects maintained by volunteers.

Something similar occurs when companies seek to extend the functionality of their existing applications. Integrating third-party scripts gives easy access to a myriad of services, such as analytics, UX improvements, and ads. Recent analyses of web applications put this into numbers: 67% of the code in web applications today is third-party scripts.

If modern applications rely so much on third-party code, what happens when third-party developers or providers are attacked?

The Emergence of Supply Chain Attacks

Relying on third-party code has greatly increased the attack surface of applications. Attackers rapidly identified this new weakest link in the software supply chain: instead of directly attacking a single high-profile company (which likely has advanced security systems), why not breach a code dependency or third-party script, which is likely maintained by a single developer? Most third-party code providers don't have enterprise-grade security systems.
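The practical consequence of those 1,000-plus dependencies is that most of what lands in a build was never chosen by the application's developers, and a new release of any one of them can quietly pull in a package nobody has reviewed (the pattern of the event-stream incident discussed below). The following is an added example, not code from the original article, of the lockfile check a reviewer can run on every dependency update: it diffs two package-lock.json snapshots (v2/v3 "packages" format) and reports what appeared, what changed version or tarball hash, and what is fetched from somewhere other than the registry. Both lockfiles are constructed for this example, and the integrity strings are placeholders rather than real hashes.

```javascript
// Added example, not code from the original article. Diff two npm lockfile
// snapshots (package-lock.json v2/v3 "packages" format) and flag the changes
// that matter for supply-chain review: packages that did not exist before,
// packages whose version or integrity hash changed, packages pulled from a
// non-registry source, and packages that disappeared.
// Both lockfiles are constructed for this example and follow the event-stream
// pattern: a new release of a direct dependency pulls in a transitive package
// the application never asked for. Integrity values are placeholders.

const beforeLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "event-stream": "^3.3.4" } },
    "node_modules/event-stream": {
      version: "3.3.5",
      resolved: "https://registry.npmjs.org/event-stream/-/event-stream-3.3.5.tgz",
      integrity: "sha512-PLACEHOLDER-event-stream-3.3.5",
      dependencies: { through: "~2.3.1" },
    },
    "node_modules/through": {
      version: "2.3.8",
      resolved: "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
      integrity: "sha512-PLACEHOLDER-through-2.3.8",
    },
  },
};

const afterLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    // The application's own package.json did not change at all.
    "": { name: "my-app", dependencies: { "event-stream": "^3.3.4" } },
    "node_modules/event-stream": {
      version: "3.3.6",
      resolved: "https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz",
      integrity: "sha512-PLACEHOLDER-event-stream-3.3.6",
      dependencies: { through: "~2.3.1", "flatmap-stream": "0.1.1" },
    },
    "node_modules/flatmap-stream": {
      version: "0.1.1",
      resolved: "https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz",
      integrity: "sha512-PLACEHOLDER-flatmap-stream-0.1.1",
    },
    "node_modules/through": {
      version: "2.3.8",
      resolved: "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
      integrity: "sha512-PLACEHOLDER-through-2.3.8",
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function diffLockfiles(oldLock, newLock, registry = "https://registry.npmjs.org/") {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const root = newPkgs[""] || {};
  const rootDeps = Object.assign({}, root.dependencies, root.devDependencies);
  const findings = [];
  for (const [path, pkg] of Object.entries(newPkgs)) {
    if (path === "") continue; // the root project entry
    const name = packageName(path);
    const prev = oldPkgs[path];
    if (!prev) {
      findings.push({ kind: "added", name, version: pkg.version, direct: name in rootDeps });
    } else if (prev.version !== pkg.version) {
      findings.push({ kind: "version-changed", name, from: prev.version, to: pkg.version });
    } else if (prev.integrity !== pkg.integrity) {
      // Same version string, different tarball hash: the published artifact changed.
      findings.push({ kind: "integrity-changed", name, version: pkg.version });
    }
    if (pkg.resolved && !pkg.resolved.startsWith(registry)) {
      findings.push({ kind: "non-registry-source", name, resolved: pkg.resolved });
    }
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== "" && !(path in newPkgs)) findings.push({ kind: "removed", name: packageName(path) });
  }
  return findings;
}

// Transitive additions are the ones to read first: nothing in the
// application's own package.json explains them.
function unexplainedAdditions(findings) {
  return findings.filter((f) => f.kind === "added" && !f.direct).map((f) => `${f.name}@${f.version}`);
}

const findings = diffLockfiles(beforeLock, afterLock);
for (const f of findings) console.log(JSON.stringify(f));
console.log("unexplained transitive additions:", unexplainedAdditions(findings));
```

Run on the two constructed lockfiles, the diff reports the event-stream version bump and, more importantly, that flatmap-stream appeared without any change to the application's declared dependencies; that is the line a reviewer should stop on. Lockfile v1 files use a nested "dependencies" tree instead and would need a different walker.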
By using code dependencies, companies are trusting their maintainers to keep this code innocuous. However, this is not always the case, as seen in the recent incident with the event-stream library. A volunteer gained legitimate control over the project and used it to add a new dependency carrying malicious code. That code reached its target downstream, infecting production builds of the Copay cryptocurrency wallet and stealing account data and private keys from several Copay user accounts.

A single contributor with malicious intent can compromise a component, which in turn compromises the thousands of projects using it as a dependency.

The risk is very similar when using third-party scripts. When an application loads a script directly from a provider, it accepts by default any change the provider (or whoever has compromised the provider) makes to that code. Because a loaded script runs with the same privileges as the code developed in-house, with full access to the page, its DOM, and whatever users type into its forms, it can directly compromise the entire application.

This is the modus operandi of the cybercriminal group Magecart: breaching third-party script providers to attack high-profile companies. The notorious British Airways breach was achieved by injecting malicious code into the Modernizr script that the company was loading on its website and mobile app. As a result, 380,000 customers had their credit card data stolen.

In all cases, companies take a long time to detect and react to these supply chain attacks, which greatly contributes to the magnitude of the ensuing data breaches.

Mitigating supply chain attacks requires addressing several cyber resiliency techniques, including Analytic Monitoring, Adaptive Response, and Substantiated Integrity. To apply these techniques, companies must employ a security-in-depth approach. Investing resources in perimeter defences alone, or in SAST (Static Application Security Testing), is not adequate: SAST examines the source the company writes and perimeter controls watch traffic at the network edge, so a malicious change shipped by a script provider, or pulled in by a dependency update after the last scan, is seen by neither.
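The Modernizr case above has the general shape of every third-party script attack: the injected code runs as the page, reads the payment form, and posts the data to a server the site never otherwise talks to. The block below is an added example, not from the original article nor any vendor's product, of the kind of webpage monitoring that can catch both halves of that sequence in the browser: a MutationObserver flags script elements inserted after load from origins not on an allowlist, and wrapped fetch, XMLHttpRequest and sendBeacon flag outbound requests to origins the site does not use. The policy decisions are pure functions so they can be unit-tested under Node without a DOM; the hooks install themselves only when a DOM exists. Every origin in POLICY is hypothetical.

```javascript
// Added example, not code from the original article nor any vendor product.
// Minimal in-page monitor for the two things a Magecart-style skimmer must do
// once its code is loaded: get more code into the page, and send harvested
// data to a server the site never talks to. Policy decisions are pure
// functions (testable outside a browser); installBrowserHooks() wires them
// to the DOM only when one exists. All origins below are hypothetical.

const POLICY = {
  pageOrigin: "https://www.example.com",
  scriptOrigins: ["https://www.example.com", "https://cdn.example.com"],
  connectOrigins: ["https://www.example.com", "https://api.example.com"],
};

// Resolve relative URLs against the page and return the origin, or null for
// unparsable input. data:, blob: and javascript: URLs yield the opaque "null".
function originOf(url) {
  try {
    return new URL(String(url), POLICY.pageOrigin + "/").origin;
  } catch (e) {
    return null;
  }
}

function classifyScript(src) {
  if (!src) return { verdict: "alert", reason: "inline script inserted after page load" };
  const origin = originOf(src);
  if (POLICY.scriptOrigins.includes(origin)) return { verdict: "allow" };
  return { verdict: "alert", reason: `script loaded from unexpected origin ${origin}` };
}

function classifyRequest(url) {
  const origin = originOf(url);
  if (POLICY.connectOrigins.includes(origin)) return { verdict: "allow" };
  return { verdict: "alert", reason: `request to unexpected origin ${origin}` };
}

// Alerts are kept in memory here; a deployment would ship them to a monitored
// endpoint, which must itself be on connectOrigins.
const alerts = [];
function report(type, detail) {
  alerts.push({ type, ...detail, at: new Date().toISOString() });
}

function installBrowserHooks(win = globalThis) {
  if (!win.document || typeof win.MutationObserver !== "function") return false;

  // (1) Script elements added after load: the delivery half of the attack.
  const observer = new win.MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== "SCRIPT") continue;
        const r = classifyScript(node.src);
        if (r.verdict === "alert") report("script", { src: node.src || "(inline)", reason: r.reason });
      }
    }
  });
  observer.observe(win.document.documentElement, { childList: true, subtree: true });

  // (2) Outbound channels a skimmer typically uses: the exfiltration half.
  if (typeof win.fetch === "function") {
    const origFetch = win.fetch;
    win.fetch = function (input, init) {
      const url = input instanceof win.Request ? input.url : String(input);
      const r = classifyRequest(url);
      if (r.verdict === "alert") report("fetch", { url, reason: r.reason });
      return origFetch.call(this, input, init);
    };
  }
  if (win.XMLHttpRequest) {
    const origOpen = win.XMLHttpRequest.prototype.open;
    win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      const r = classifyRequest(url);
      if (r.verdict === "alert") report("xhr", { url: String(url), reason: r.reason });
      return origOpen.call(this, method, url, ...rest);
    };
  }
  if (win.navigator && typeof win.navigator.sendBeacon === "function") {
    const origBeacon = win.navigator.sendBeacon;
    win.navigator.sendBeacon = function (url, data) {
      const r = classifyRequest(url);
      if (r.verdict === "alert") report("beacon", { url: String(url), reason: r.reason });
      return origBeacon.call(this, url, data);
    };
  }
  return true;
}

// In a browser this installs the hooks; under Node there is no DOM, so it is a no-op.
installBrowserHooks();
```

The caveat a practitioner should keep in mind is the one the article itself makes: an injected script has the same privileges as this monitor, so it can restore the original fetch or simply use an Image beacon the wrappers do not cover. In-page monitoring is therefore a detection layer that shortens the long time-to-detect the article describes, not enforcement. Enforcement belongs to controls the browser applies outside the page's reach, namely a Content Security Policy with script-src and connect-src allowlists and Subresource Integrity hashes on third-party script tags, which reject a changed Modernizr file outright rather than after the fact.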
Client-side security solutions, on the other hand, are instrumental in mitigating supply chain attacks, since these attacks usually manifest as changes to the code that runs in the user's browser. Among several strategies, webpage monitoring enables mitigating these attacks in real time.

All these actionable mitigation strategies are outlined in our free Supply Chain Attacks white paper.

Final Thoughts

Supply chain attacks are increasing in frequency, as the return on investment for attackers is much higher when compared to typical cyber attacks. A single attack can breach thousands of companies by exploiting the clear weakest link in the software supply chain. Third-party code isn't going anywhere either; it will remain a standard development practice. The burden now falls on security teams to employ proper client-side security and mitigate supply chain attacks before becoming yet another costly headline.

Read more in our free white paper.

Originally published on the Jscrambler Blog.