This year at FINOS we are focusing on one of FINOS' key existing projects: Open Source Readiness. This is FINOS' term for helping the finance industry "do open source properly".
This week, let’s talk about Supply Chain Security. The table below is from our upcoming article, “Open Source Supply Chain Security” which is in PR at the moment and needs feedback.
Here is a table from the article of some common supply chain attacks and vulnerabilities. How many have you heard of?
| Attack Name | Description | Example |
|---|---|---|
| Dependency confusion | An attacker publishes a package with the same name as a private package used by a specific company, but in a public repository. If the company's build system is not properly configured, it may pull the malicious public package instead of the intended private one. | |
| Abandoned package takeover | Attackers can sometimes take over abandoned or poorly maintained packages and introduce malicious changes. They then publish the updated malicious version, and dependent systems automatically pull in these updates. | ua-parser-js |
| Malicious fork | An attacker might create a fork of a popular open-source project, introduce malicious changes, and then attempt to promote or advertise this fork to unsuspecting users. | |
| Repo jacking | A malicious actor registers a username and creates a repository that an organization used in the past but has since renamed. Any project or code that relies on the attacked project's dependencies then fetches dependencies and code from the attacker-controlled repository, which could contain malware. | |
| Malicious pull request | Some attackers contribute malicious code to popular and legitimate projects, usually through pull requests. If not thoroughly reviewed, the malicious code might get merged into the main project. | |
| Download count inflation | To make a malicious package look popular and trustworthy, attackers artificially inflate its download count. | |
| Trojan package | In the trojan package infection method, the attacker publishes a fully functional library but hides malicious code in it. | lemaaa |
| Joke packages | Not strictly an attack, but publishing packages as jokes can harm the supply chain and cause dependency bloat. | |
| Parameter handling exploitation | Exploiting weaknesses in parameter handling by package managers. | |
| Typosquatting | Typosquatting is the practice of obtaining (or squatting) a famous name with a slight typographical error. | "Amzon.com" |
Note: this table is just a list of notable examples. See MITRE ATT&CK for a complete, authoritative list.
How many did you know?
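As an added example (not code from the FINOS article or its authors), here is a small Python audit a build pipeline could run over a requirements file before resolving it; it flags the two preconditions the table describes for dependency confusion and typosquatting. The internal and popular package names, the sample manifest and the index URLs are all constructed for the example.

```python
# Added example (not from the FINOS article): pre-resolution checks over a
# requirements file for two table rows, dependency confusion and typosquatting.
import re

# Constructed: packages this organisation publishes only to its private index.
INTERNAL_PACKAGES = {"acme-auth", "acme-ledger-client"}
# Constructed: short allowlist of well-known names to compare against.
POPULAR_PACKAGES = {"requests", "numpy", "cryptography", "urllib3", "pyyaml"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition at cost 1, so 'reqeusts' is 1 away from 'requests'."""
    # Row 0 and column 0 hold the distance from the empty prefix.
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def audit_requirements(lines: list, index_urls: list) -> list:
    """Findings for a requirements list resolved against index_urls (pip's
    --index-url / --extra-index-url). An internal name is only a dependency
    confusion risk when a public index is among the places pip may look."""
    public_reachable = any("pypi.org" in url for url in index_urls)
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Name ends at first specifier/marker/extra/space; then PEP 503 normalise.
        name = re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0]
        name = re.sub(r"[-_.]+", "-", name).lower()
        if name in INTERNAL_PACKAGES and public_reachable:
            findings.append(f"dependency-confusion: {name}")
        elif name not in POPULAR_PACKAGES:
            near = sorted(p for p in POPULAR_PACKAGES if osa_distance(name, p) == 1)
            if near:
                findings.append(f"typosquat: {name} (near {near[0]})")
    return findings


# Constructed sample manifest: one typo'd name and one internal package.
SAMPLE_REQUIREMENTS = ["requests==2.31.0", "reqeusts>=2.0", "acme-auth==1.4.2",
                       "PyYAML", "numpy ; python_version >= '3.9'"]
```

Pointing the same manifest only at the private index removes the dependency-confusion finding while the typosquat finding remains, which is the misconfiguration the table's first row describes.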
If you’re working for a FINOS member and you live in New York, why haven’t you signed up to come to OSFF yet?
There are complimentary passes for employees of FINOS Member Firms so hurry up and register already!
The OSR and InnerSource SIGs are collaborating on running a booth at the event - would you like to help staff it? Get in touch if so!
If you haven't received your unique member code, please contact osff@finos.org and we’ll get you sorted.
Author: Rob Moffat
Interested in this FINOS open source project, or any of our other projects? Click the link below to see how to get involved in the FINOS Community.