At RSA Conference 2023, the key theme for Mend is automation. Its focus is on helping people put their application security programs on autopilot. Mend encourages and enables the automation of as much of AppSec as possible because the manual ways of doing things just aren’t working. The Mend booth is located in South Expo, Booth #1543.
Mend will showcase its latest enhancements for automating dependency health updates and prioritization of items that can’t be automatically resolved. These enhancements focus on offloading decision-making from developers to allow them to spend their time developing. In modern cloud-native applications, just staying up to date requires significant manual effort. However, keeping current can be easily automated with the right tooling that has the right features to ensure that updates do not add additional risk.
Tanya Janca will also be at the Mend booth on Tuesday from 11-1:30 for a Q&A and book signing of Alice & Bob Learn Application Security.
Jeff Martin, VP of Product at Mend comments:
“Supply chain security will certainly be at the forefront of many conversations. It’s on everyone’s mind right now as the application development industry matures and follows the models of already mature industries, such as manufacturing, transportation, and medical. We are now in the business of knowing how software products are built and what’s in them, making sure that they are secure, and–most importantly–communicating that supply chain and its security status to our customers.”
Can you provide a brief overview of how a supply chain attack works and why enterprises should be concerned? Where does the threat come from? How widespread can its reach be?
All supply chain attacks leverage one of three tactics: undesired behavior, abusing a trusted relationship, or attacking elements that are out of date.
Security teams and developers should be able to answer three questions about each component: “Is it safe?”, “How do I know when it becomes unsafe?”, and “Where is it being used?”
Ensuring that a component is safe requires a known and trusted supplier, desired and transparent behavior, and staying up to date. Monitoring for malicious packages ensures that the supplier is known and trusted, and protects against unknown supplier attacks like typosquatting, dependency confusion or hijacking, or the use of new libraries; undesired or unclear behavior like obfuscated code, protestware, cryptominers, and spam packages; and malware. Suppliers should provide transparency into responsible, disclosed, and fixed vulnerabilities to aid in ensuring all components are up to date. If a component is out of date, it should automatically be considered vulnerable.
Application security tools and software bills of materials (SBOMs) provide insight into when a component becomes unsafe, and where it is used so it can be updated and remediated quickly.
The damage from a supply chain attack can be far-reaching, especially where open source components are concerned. Open source code is widely used and currently represents 80-90 percent of the code base for modern software.
Can you share recent examples?
The 3CX compromise is one of the most recent high-profile examples. A software supply chain compromise spread malware via a trojanized version of the company’s legitimate software. The trojanized version contained malicious code that then downloaded a dataminer to steal browser information. Interestingly, the initial intrusion vector for this attack was determined to be a malware-laced software package distributed during an earlier software supply chain compromise.
Other recent examples include GitHub and Okta attacks in 2022, SolarWinds in 2020, ASUS in 2019, and CCleaner in 2017, to name a few.
What are some of your best tips for stopping supply chain attacks?
My number one suggestion is to automate dependency updates. Again, if a component is out of date it should undoubtedly be considered vulnerable.
It’s also important to know your risk. Create a software bill of materials and ask for the same from all third-party partners. Your SBOM and inventory management should contain all contents of a product, and must be easily searchable to aid in response to zero-day attacks.
Third, ensure that you’re using scanning tools on a regular cadence. SCA tools monitor for new known vulnerabilities and malicious packages and continuously answer that question of, “When does a component become unsafe?”
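As an added example (not code from Mend or from the interview), here is the three-question model from earlier and the SBOM and update tips above applied to a constructed SBOM fragment in Python: the package names, versions, the advisory feed and the `usedIn` property are all made up, and any component behind the latest release is treated as vulnerable, as the text recommends.

```python
import json
import re

# Constructed SBOM fragment (CycloneDX-like shape) for a hypothetical product;
# package names, versions and the "usedIn" property are all invented.
SBOM_JSON = """{
  "components": [
    {"name": "acme-log",  "version": "2.3.1", "usedIn": ["billing-api", "web-portal"]},
    {"name": "acme-http", "version": "1.8.0", "usedIn": ["web-portal"]},
    {"name": "acme-yaml", "version": "5.4.1", "usedIn": ["billing-api", "batch-jobs"]}
  ]
}"""

# Constructed snapshot of the latest release per package (stands in for a registry feed).
LATEST = {"acme-log": "2.5.0", "acme-http": "1.8.0", "acme-yaml": "5.4.1"}

# Constructed advisory feed: package -> first version that fixes a disclosed vulnerability.
ADVISORIES = {"acme-yaml": "6.0.0"}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def assess(sbom_json, latest, advisories):
    """Answer 'Is it safe?' per component: current, out of date, or covered by an advisory.
    An out-of-date component is reported as vulnerable even without a published advisory."""
    result = {}
    for comp in json.loads(sbom_json)["components"]:
        name, have = comp["name"], parse_version(comp["version"])
        if name in advisories and have < parse_version(advisories[name]):
            result[name] = "vulnerable (advisory)"
        elif name in latest and have < parse_version(latest[name]):
            result[name] = "vulnerable (out of date)"
        else:
            result[name] = "current"
    return result


def where_used(sbom_json, name):
    """Answer 'Where is it being used?' for zero-day response: services shipping the package."""
    for comp in json.loads(sbom_json)["components"]:
        if comp["name"] == name:
            return sorted(comp["usedIn"])
    return []


if __name__ == "__main__":
    for pkg, status in assess(SBOM_JSON, LATEST, ADVISORIES).items():
        print(f"{pkg:10} {status:26} used in: {', '.join(where_used(SBOM_JSON, pkg))}")
```

Re-running `assess` whenever the registry snapshot or advisory feed changes is the continuous "When does a component become unsafe?" check; `where_used` is the searchable inventory lookup for the response that follows.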
Are there other topics and trends you expect to see take center stage this year?
AI and machine learning and their impact on both the attacker side and defender side will be another hot topic.
Everyone seems to be attracted to the new and novel; however, the real issue with security is still the basics. There is no point in using a flashy AI to defend your system if the components within it haven’t been updated in five years. It’s akin to using a robot to guard your door, but leaving all of your windows open. Once you’ve taken the proper steps to secure all of your basics, then you can explore how the newest shiny technology can further enhance your security.