SolarWinds Software Supply Chain Security: Better Protection with Enforced Policies and Technologies

Yang, Jeong; Lee, Young; McDonald, Arlen P.

doi:10.1007/978-3-030-92317-4_4

Cited by 7 publications

(2 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the existence of malicious packages in different ecosystems is well-known [31], popular packages from reliable sources can also be compromised, such as through: (1) hijacking of a maintainer's account; (2) a maintainer going rogue; (3) account handover through social engineering; and (4) build system compromise. [31,40] Therefore, practitioners are now recommended to review dependency updates before merging them into the codebase [3,39], as the responsibility of security lies on the consumer when using free open-source code [38]. However, manually reviewing all the code changes in each update may not be a practical solution, as projects may have hundreds of direct and transitive dependencies [24,34].…”

Section: Introductionmentioning

confidence: 99%

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

Imtiaz¹,

Williams²

2022

Preprint

View full text Add to dashboard Cite

As modern software extensively uses free open source packages as dependencies, developers have to regularly pull in new third-party code through frequent updates. However, without a proper review of every incoming change, vulnerable and even malicious code can sneak into the codebase through these dependencies. The goal of this study is to aid developers in securely accepting dependency updates by measuring if the code changes in an update have passed through a code review process. We implement DepDive, an update audit tool for packages in Crates.io, npm, PyPI, and RubyGems registry. DepDive first (i) identifies the files and the code changes in an update that cannot be traced back to the package's source repository, i.e., phantom artifacts; and then (ii) measures what portion of changes in the update, excluding the phantom artifacts, has passed through a code review process, i.e., code review coverage.Using DepDive, we present an empirical study across the latest ten updates of the most downloaded 1000 packages in each of the four registries. Our study unveils interesting insights while also providing an evaluation of our proposed approach. We find that phantom artifacts are not uncommon in the updates (20.1% of the analyzed updates had at least one phantom file). The phantoms can appear either due to legitimate reasons, such as in the case of programmatically generated files, or from accidental inclusion, such as in the case of files that are ignored in the repository. However, without provenance tracking, we cannot audit if the changes in these phantom artifacts were code-reviewed or not.Regarding code review coverage (CRC), we find the updates are typically only partially code-reviewed (52.5% of the time). Further, only 9.0% of the packages had all their updates in our data set fully code-reviewed, indicating that even the most used packages can introduce non-reviewed code in the software supply chain. We also observe that updates either tend to have very high CRC or very low CRC, suggesting that packages at the opposite end of the spectrum may require a separate set of treatments.

show abstract

Section: Introductionmentioning

confidence: 99%

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

Imtiaz¹,

Williams²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Nonetheless, second factors can also be bypassed, for example, by phishing [11] and push notifications [20]. Consequently, authentication attempts and all other steps within the authentication lifecycle have to be monitored [31] to identify attacks, such as what happened at FireEye in the case of SolarWinds' Orion attack [29,45]. In addition, users might try to avoid 2FA or apply less secure user behavior, such as sharing 2FA tokens due to usability issues, resulting in reduced security [7].…”

mentioning

confidence: 99%

Evaluation of Real-World Risk-Based Authentication at Online Services Revisited: Complexity Wins

Makowski,

Pöhn

2023

Proceedings of the 18th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Risk-based authentication (RBA) aims to protect end-users against attacks involving stolen or otherwise guessed passwords without requiring a second authentication method all the time. Online services typically set limits on what is still seen as normal and what is not, as well as the actions taken afterward. Consequently, RBA monitors different features, such as geolocation and device during login. If the features' values differ from the expected values, then a second authentication method might be requested. However, only a few online services publish information about how their systems work. This hinders not only RBA research but also its development and adoption in organizations. In order to understand how the RBA systems online services operate, black box testing is applied. To verify the results, we re-evaluate the three large providers: Google, Amazon, and Facebook. Based on our test setup and the test cases, we notice differences in RBA based on account creation at Google. Additionally, several test cases rarely trigger the RBA system. Our results provide new insights into RBA systems and raise several questions for future work. CCS CONCEPTS• Security and privacy → Authentication; Web application security; Usability in security and privacy.

show abstract

A Checklist for Supply Chain Security for Critical Infrastructure Operators

Jaatun,

Sæle

2024

Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media

View full text Add to dashboard Cite

SolarWinds Software Supply Chain Security: Better Protection with Enforced Policies and Technologies

Cited by 7 publications

References 5 publications

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

Evaluation of Real-World Risk-Based Authentication at Online Services Revisited: Complexity Wins

A Checklist for Supply Chain Security for Critical Infrastructure Operators

Contact Info

Product

Resources

About