Software dependencies: The silent killer behind the world's biggest attacks
An application dependency can be described as a technology component, other application or server on which an application depends to perform its functions. Software developers typically have a specific technology stack in mind when building solutions. This can typically include operating systems, database engines and development frameworks such as Node.js, Angular or Spring. In addition, many modern applications use APIs to receive data from external services. All of these are dependencies that the application will require to function correctly.
Learn Secure Coding
Why managing Dependencies is Mandatory
In the early days of software dependencies, downloading and installing the necessary libraries was daunting. However, in recent years dependency managers like npm in Node.js and Maven in Java have made it much more convenient, allowing developers to include many small software packages in their software projects. Today many software projects include hundreds or even thousands of third-party libraries, all of which become dependencies of the main software program.
However, dependencies create risks that are often overlooked. Using external software as a dependency means relying on its developers to properly write, test and maintain that code. In addition to possible security holes in the dependencies of these programs, they can become outdated, reduce the quality of the software project that uses them, or even result in failure and downtime. The more dependencies are used, the higher the risk faced by the organization that uses them.
To make things worse, many dependencies have additional packages that they depend on, resulting in transitive or chained dependencies. Updating one dependency can break the whole chain and result in unexpected consequences — this is known in developer parlance as “dependency hell.”
Despite these risks, many organizations pay little attention to dependency management. Most dependencies today are third-party open-source libraries with little or no guarantees concerning security or software quality. The first step to addressing this problem is gaining visibility over dependencies used in software projects. Beyond this, organizations must have a strategy to manage these dependencies and ensure they use only high-quality, secure libraries in their projects.
Software dependencies: The silent killer behind the world's biggest attacks
SolarWinds
The cyberattack against SolarWinds was possibly the first global-scale supply chain attack. It involved a suspected national hacker group, Novellium, who gained access to thousands of networks, systems, and data managed by SolarWinds products. The attack started in 2020 but was discovered only in late 2021. Its breadth was unprecedented.
In this attack, hackers injected malicious code, known as the SUNBURST malware, into SolarWinds Orion system, a popular IT management system used by many large enterprises, including U.S. government agencies. Their approach was not to hack these networks directly but to target Orion — a third party with less stringent security measures, which had access to these large organizations.
Hackers penetrated SolarWinds’ development systems and created a malicious build of the Orion platform, creating a backdoor that allowed hackers to access and impersonate users and accounts of SolarWinds customers. The malware could access system files and infiltrate the legitimate activities of SolarWinds customers without being detected by antivirus software because SolarWinds itself was a trusted software product.
Log4j
The Apache Log4j project, one of the most widely distributed open-source software, provides logging capabilities for Java applications.
The Log4j exploit started as a bug but later evolved into a series of security issues with the root cause of the exploit in Log4j’s Java Naming and Directory Interface (JNDI) interfaces.
In 2021, CVE-2021-44228 was discovered — a remote code execution (RCE) vulnerability in several software versions. The RCE flaw is due to how Log4j interacts with JNDI without properly validating all requests. This means attackers who gain access to log messages can inject malicious messages to allow arbitrary code execution on vulnerable systems.
The NIST National Vulnerability Database rated CVE-2021-44228 as 10.0, the highest possible severity score in the Common Vulnerability Scoring System. Hundreds of thousands of attacks were recorded in the days and weeks following the discovery of the vulnerability.
Kaseya
In 2021, many Managed Service Providers (MSPs) and their customers were victims of the REvil Group ransomware attack, resulting in extensive downtime for over 1,000 companies.
The focus of the attack was the Virtual System Manager (VSA), a remote monitoring and management software package developed by Kaseya. An authentication bypass vulnerability in the software could allow attackers to compromise VSA and distribute malicious payloads through a software-controlled host.
In response, the company shut down its VSA cloud and SaaS servers and issued a security advisory to all customers, including customers using VSA on-premises.
4 Tips for addressing the risk of software dependencies
Software dependency management recognizes that dependencies are unavoidable but aims to organize them and reduce risk. The software will inevitably have some dependencies — such as operating systems, graphics libraries, databases and other ready-made components. The focus is on identifying these dependencies and trying to minimize dependencies to those that are needed for the software project and do not represent excessive risk.
Here are a few ways to reduce the risk of software dependencies in your software project.
1. Map dependencies
You can only optimize if you know where your dependencies are. There are many tools to help with dependency mapping, including dedicated application dependency management (ADM) solutions and automated build tools. These tools help keep track of software dependencies in detail throughout the build and deployment process.
Mapping dependencies provides visibility into the presence of vulnerabilities and important insights about where dependencies are used in the code and how and when they are called. This can help you find optimization opportunities. Another impact is on digital forensics efforts - identifying dependencies and their relationships can be critical for understanding and mitigating cyberattacks against complex software systems.
2. Eliminate unnecessary dependencies
It is important to consider how applications use third-party libraries and components. One application might use only a small subset of the functionality or features of an extensive utility library. Another application might include many smaller components. Eliminate any dependencies that are not actively used by the application. For those that are actively used, consider how to consolidate dependencies and avoid including dependencies with additional functionality that is not used by the application.
3. Use established repositories
Some environments, such as Linux, Java, Ruby and Python, have established free/libre and open source components repositories. Examples include npm for JavaScript, Maven for Java and the gem package manager for Ruby. Developers can easily download packages from these repositories and include them in their project builds.
While this approach can support a more standardized development environment and reduce the impact of missing, outdated or incompatible dependencies, it does not guarantee quality or security. Even established repositories can include out-of-date, vulnerable or even malicious packages.
4. Scan all dependencies
Automated tools can scan third-party dependencies and identify risks, including security and compliance issues. The most common technology used for this purpose is software composition analysis (SCA), which provides a software bill of materials (SBOM) that details exactly what direct and transitive dependencies are included in your code. SCA checks for security issues by checking third-party libraries against publicly available vulnerability databases.
In addition, static application security testing (SAST) can scan the actual source code of third-party libraries for vulnerabilities, alerting you to security and quality issues, even if they are not publicized as vulnerabilities. High-priority alerts from SCA, SAST or similar tools should be taken seriously, and problematic packages should be removed or replaced.
Learn Secure Coding
The "silent killer" that is software dependencies
I covered three global-scale cyberattacks that exploited vulnerable dependencies in their victims’ infrastructure. Finally, I provided four tips that can help mitigate the risk and prevent future attacks:
- Map dependencies - use automated tools to identify which dependencies exist in your environment and their relationships.
- Eliminate unnecessary dependencies - remove dependencies that are not required to reduce the attack surface.
- Use established repositories - ensure you obtain dependencies from reputable sources.
- Scan all dependencies - before using dependencies in your software, scan them to be aware of security or quality issues.
I hope this will be useful as you better understand the risk of software dependencies and begin to address it in your organization.
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Software dependencies: The silent killer behind the world's biggest attacks
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
