Skip to main content

Understanding Supply-Chain Attacks and OWASP Dependency Check

In today's software development landscape, security is a paramount concern. As developers, we often rely on third-party libraries and frameworks to speed up our work and leverage the functionality that others have built. However, this reliance on external code introduces a significant risk: supply-chain attacks. In this blog post, we will provide an overview of supply-chain attacks, their impact, and how to protect your projects by using OWASP Dependency Check, a powerful tool designed to mitigate these risks,

Understanding Supply-Chain Attacks

A supply-chain attack targets the less secure elements within the supply chain network to compromise the final product. In software development, these attacks often involve injecting malicious code into widely-used libraries or compromising the infrastructure used to distribute software.

There are multiple types of Supply-Chain Attacks:

  • Dependency Confusion: Attackers publish malicious packages with names similar to legitimate internal dependencies, tricking systems into downloading and using the malicious versions.
  • Compromised Repositories: Attackers gain access to public or private repositories to inject malicious code into popular libraries.
  • Typosquatting: Publishing malicious packages with names that are common misspellings of popular libraries.
  • Hijacking Accounts: Compromising the accounts of maintainers of popular libraries to introduce malicious updates.

Luckily there are ways to protect your projects against this attack vector. You can use a dependency check tool that regularly scans your project dependencies for known vulnerabilities (which I talk about more below) but you also can apply any of the following techniques:

  • Lock Dependencies: Use tools like npm's package-lock.json or NuGet package.lock.json to lock dependency versions.
  • Verify Integrity: Use cryptographic hashes to verify the integrity of downloaded dependencies.
  • Monitor and Update Dependencies: Keep dependencies up to date and monitor them for newly discovered vulnerabilities.
  • Adopt a Zero-Trust Approach: Assume that every component could be compromised and design your security architecture accordingly.

Now we now what a Supply-Chain attack is, let’s focus on how we can use OWASP Dependency Check to help

What is OWASP Dependency Check?

OWASP (Open Web Application Security Project) Dependency Check is an open-source tool designed to identify vulnerabilities in third-party libraries used within a project. By scanning project dependencies against a comprehensive database of known vulnerabilities, it helps developers detect and address potential security issues early in the development lifecycle.

Some of the key features are

  • Vulnerability Identification: It checks dependencies for known vulnerabilities listed in the National Vulnerability Database (NVD) and other security advisory databases.
  • Comprehensive Reports: Generates detailed reports highlighting the severity of vulnerabilities, their potential impact, and remediation suggestions.
  • Integration Capabilities: Easily integrates with build tools like Azure DevOps or Github Actions, as well as CI/CD pipelines, ensuring continuous monitoring of dependencies.
  • Cross-Platform Support: Available as a command-line tool, a standalone application, and plugins for various build systems and IDEs.
You can easily integrate it in your Azure DevOps pipeline thanks to the OWASP Dependency Check extension:

After installing the extension, you can add the task to your Build pipeline and configure it further.

Most important settings are:

  • Project Name:   The name of the project being scanned
  • Scan Path: The path to scan. Supports Ant style paths (e.g. 'directory/**/*.jar').
  • Report Format: The output format to write to (XML, HTML, CSV, JSON, JUNIT, SARIF, ALL). Multiple formats can be selected. The default is HTML.
  • CVSS Failure Threshold: Threshold between 0 and 10 that will cause Dependency Check will return the exit code if a vulnerability with a CVSS score equal to or higher was identified.

After the scan has completed, you can find the report as one of your build artifacts:

  

Conclusion

OWASP Dependency Check is a critical tool in the arsenal of any developer concerned with the security of their projects. By understanding and mitigating the risks associated with supply-chain attacks, you can significantly enhance the security posture of your software. Regularly scanning dependencies, keeping libraries up to date, and adopting best practices are essential steps in safeguarding your applications from the growing threat of supply-chain attacks.

Stay vigilant, and secure your code!

Labels:

Popular posts from this blog

DevToys–A swiss army knife for developers

As a developer there are a lot of small tasks you need to do as part of your coding, debugging and testing activities.  DevToys is an offline windows app that tries to help you with these tasks. Instead of using different websites you get a fully offline experience offering help for a large list of tasks. Many tools are available. Here is the current list: Converters JSON <> YAML Timestamp Number Base Cron Parser Encoders / Decoders HTML URL Base64 Text & Image GZip JWT Decoder Formatters JSON SQL XML Generators Hash (MD5, SHA1, SHA256, SHA512) UUID 1 and 4 Lorem Ipsum Checksum Text Escape / Unescape Inspector & Case Converter Regex Tester Text Comparer XML Validator Markdown Preview Graphic Color B
Read more

Help! I accidently enabled HSTS–on localhost

I ran into an issue after accidently enabling HSTS for a website on localhost. This was not an issue for the original website that was running in IIS and had a certificate configured. But when I tried to run an Angular app a little bit later on http://localhost:4200 the browser redirected me immediately to https://localhost . Whoops! That was not what I wanted in this case. To fix it, you need to go the network settings of your browser, there are available at: chrome://net-internals/#hsts edge://net-internals/#hsts brave://net-internals/#hsts Enter ‘localhost’ in the domain textbox under the Delete domain security policies section and hit Delete . That should do the trick…
Read more

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more