11 Dependencies
Libraries and frameworks are often used to speed up development. They are often used as dependencies in projects (mostly without much thought).
Supply Chain
Supply chains typically have only one goal: to deliver a product as fast as possible and just at the right time. For software dependencies, neither delivery speed nor storage space is the limiting factor; quality and security are.
The following questions come to mind:
- How can we guarantee that dependencies and their updates come from a trusted source?
- How can we ensure that compiled binaries from public repositories are trustworthy?
- How can we ensure that a binary is compiled from the sources that are available?
Supply Chain Attacks
Supply chain attacks are attacks that target the supply chain of a product. They are often used to distribute malware.
There are multiple ways of doing so:
- Malware is injected into the source code of a dependency
- Malware is injected during the build process
- Malware is injected into the binary while it is being downloaded
Dependency Hijacking
Dependency hijacking (or dependency confusion) is a type of supply chain attack. It works by overriding a dependency with a malicious version. This works because dependency managers can resolve dependencies from multiple sources. If a dependency is not found in a private repository, or if a public repository contains a newer version, the dependency manager will download the dependency from the public repository.
An example would be a library called mylib version 1.0.0 that is hosted on a private repository.
A malicious actor could upload a library called mylib version 1.0.1 to a public repository.
If the dependency manager is configured to resolve dependencies from the public repository, it will download the malicious version because it is newer.
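To make the resolution logic above concrete, here is an added example (not part of the original notes): a toy resolver that merges every configured index and picks the newest version, beside a hardened resolver that binds each package name to exactly one source. The index contents, package names and source labels are constructed for the example.

```python
# Constructed sample indexes (not real registries). The private index hosts
# mylib 1.0.0; the public index also carries a "mylib" with a higher version.
PRIVATE_INDEX = {"mylib": {"1.0.0": "private"}}
PUBLIC_INDEX = {"mylib": {"1.0.1": "public"}, "httpclient": {"2.3.0": "public"}}

# Named sources plus a policy that pins each package to one source (constructed).
SOURCES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
POLICY = {"mylib": "private", "httpclient": "public"}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.0.1' into (1, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def resolve_weak(name: str, indexes: list[dict]) -> tuple[str, str]:
    """Weak resolver: treats every index as equally trusted, merges all
    candidates and returns the highest version seen anywhere. This is the
    behaviour dependency confusion exploits: the public 1.0.1 wins over the
    private 1.0.0 simply because it is newer."""
    candidates: dict[str, str] = {}
    for index in indexes:
        candidates.update(index.get(name, {}))
    if not candidates:
        raise LookupError(f"{name} not found in any index")
    best = max(candidates, key=parse_version)
    return best, candidates[best]


def resolve_pinned(name: str, sources: dict[str, dict], policy: dict[str, str]) -> tuple[str, str]:
    """Hardened resolver: a package is only ever fetched from the one source
    the policy names for it. A newer version in another source is never
    consulted, and an unpinned package is refused instead of guessed."""
    source_name = policy.get(name)
    if source_name is None:
        raise LookupError(f"no source policy for {name}; refusing to fall back to another source")
    versions = sources[source_name].get(name, {})
    if not versions:
        raise LookupError(f"{name} not found in its pinned source {source_name}")
    best = max(versions, key=parse_version)
    return best, source_name
```

With the same indexes, the weak resolver hands back the public 1.0.1, while the pinned resolver returns the private 1.0.0 for mylib and still serves httpclient from the public source.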
Dependency Adoption
Dependency adoption is a type of supply chain attack. It works by taking over a dependency that is no longer maintained. This would also be a legitimate way to take over an unmaintained software project. The problem is that the new maintainer could inject malware into the dependency and abuse it.
Bug Bounties
Bug bounties are a way to reward people for finding bugs in software. They are often used to find security vulnerabilities in software.
Big bug bounty programs: