What’s hiding in your code?

All Posts

Barak Brudo

Even simple projects have a way of ballooning quickly and that tendency is amplified by the ease of incorporating existing pieces of code or node libraries.

It is still somewhat manageable when you are the only one writing that code, but it becomes harder when code is written by a number of developers and teams, as is the case normally.

Even the team lead, the one in charge of approving all pull requests, can not know every line of code, every function, and every variable.

An issue of trust

That’s one of the reasons the minor code change that took place in the Orion app in late 2020, in the case later known as SolarWinds, went undetected for so long. The entire change was only a few dozen lines of code, and they were very well concealed inside the original class.

The changed product was properly signed, so there was no reason to suspect it, and development teams trusted the owner of the code.

Only recently we’ve learned that NPM had a “logical flaw” that enabled malicious actors to pass off rogue libraries as legitimate. Basically, NPM allowed adding anyone as a maintainer of a package without notifying these users or getting their consent. 

This enabled creating malware-laced packages and assigning them to trusted, popular maintainers without their knowledge. A case of misplaced trust could mean a problematic vulnerability hidden in your code.

Another common practice to consider is developers copying and pasting code from existing libraries or StackOverFlow for use in their own code or to reupload to new libraries. Doing that raises the chance of also copying insecure and vulnerable code that is now essentially untracked. Even if the original code will get a CVE and eventually remediation, the problematic function you copied is invisible and could contaminate any codebase that would use it for years to come. 

In a recent study conducted at the University of Kansas (“What the Fork? Finding Hidden Code Clones in npm”), the researchers illustrate how using even fully vetted packages can be unsafe.

What can you do about it?

So, you cannot trust the signed products and updates of vendors. Your very own code might have already been modified or added to, due to all those external libraries and code incorporated into it. What, then, can you do to really be certain you are not installing malicious files into your system?

There are a few things you can do:

  1. Request a complete SBOM from each library owner or program vendor you incorporate. An SBOM can help you make sure what all the ‘ingredients’ in the library or product are. Additionally, if you find something in the library or product that isn’t listed in the SBOM then it should be considered suspicious. You can learn more about what an SBOM is here.
  2. Request a trusted attestation from the vendor or library owner that an integrity check has been made and that you are getting what you expect. You should not have to trust only the vendor’s own assurance.
  3. When installing packages use the npm CLI flag --ignore-scripts to avoid executing scripts from 3rd party packages during the install phase.
  4. Use a package-lock.json file to lock package version numbers. When you use a package-lock.json you don’t only lock the package versions you’re using, you’re also locking their dependencies as well. The risk is that you won’t be pulling in any automated package updates that might include fixes to various bugs. But, if you have put in the work to verify a certain version and do not want to include anything else without verifying it first, than locking your version numbers is the best option.

Following new regulations, most people are expected to start using SBOMs in the very near future. The more companies will ask for SBOMs and other attestations, the more organizations and maintainers will have to comply.

This content is brought to you by Scribe Security, a leading end-to-end software supply chain security solution provider – delivering state-of-the-art security to code artifacts and code development and delivery processes throughout the software supply chains. Learn more.

Related posts

Feature image
How To Avoid CVE Burnout and Alert Fatigue in Vulnerability Scans?

CVE (Common Vulnerabilities and Exposures) scans are essential to securing your software applications. However, with the increasing complexity of software stacks, identifying and addressing all CVEs can be challenging. One of the biggest issues with CVE scans today is the prevalence of false positives, where a vulnerability is identified in a package that is not […]

An image illustrating AI goes wrong
What Happens When an AI Company Falls Victim to a Software Supply Chain Vulnerability

On March 20th OpenAI took down the popular generative AI tool ChatGPT for a few hours. It later admitted that the reason for the outage was a software supply chain vulnerability that originated in the open-source in-memory data store library ‘Redis’.   As a result of this vulnerability, there was a time window (between 1-10 am […]

Feature image
Using Valint To Apply Policies To Your SDLC

Valint is the main Scribe tool for creating, managing, signing, and verifying evidence. In a previous post, we covered the theory of using signing and verifying evidence as a main tool in validating the security of your CI/CD pipeline. As a short reminder, Scribe’s proposed model includes several building blocks that can be shuffled and […]

Popular Posts
A Secret Encounter in the Software Supply ChainWhat Has Changed in NIST’s Cybersecurity Framework 2.0 and Why Should You Care?CycloneDX SBOM Dependency Graph - What Is It Good For?SBOM Signing: Resolving An Ever-Changing Jigsaw
Categories