5 Ways CodeHunter Solves the Software Supply Chain Security Problem
Why You Need a Scalable, Automated Defense System
Software supply chain attacks are on the rise. And why wouldn’t they be? A successful attack on any single link in a software supply chain can spell disaster downstream. We’re witnessing the birth of a whole new generation of vulnerabilities as software becomes increasingly complex and interconnected.
In short, once an attack on a software supply chain is underway, you might have better luck putting out a forest fire with a leaky garden hose than mitigating that kind of damage.
The reactive nature of many existing cybersecurity tools presents huge problems when it comes to these supply chains. By the time traditional cybersecurity defenses have reacted to an attack, the effects have already spread down the chain — and sometimes even beyond.
With largely reactive tools at our disposal, dealing with — let alone preventing — successful attacks on software supply chains requires nothing short of a Herculean effort, with versatility and scalability to boot.
Here’s how CodeHunter fits the bill.
1. Threats Don’t Sleep, and Neither Does CodeHunter
Threat actors often approach software supply chain attacks by undermining code signing: stealing a vendor’s signing keys or abusing its build and signing pipeline so that malicious code ships with a valid signature from a known (and trusted) author. A valid signature proves only who signed the code, not that the code is safe. CodeHunter operates in alignment with zero-trust policies: where a manual check or a preset configuration might wave through code from a “trusted” source, CodeHunter’s automated system still inspects that code for behaviors that are suspicious or threatening.
Likewise, updates are part of any software’s routine development and post-release maintenance, and every update channel is a gateway that malicious code can use through update hijacking, which is exactly what it sounds like: a threat actor compromises a vendor’s update mechanism (an increasingly common tactic against vendors) and rides a legitimate-looking update into an unsuspecting network. No team has the manpower to painstakingly comb through every update for malicious code, so CodeHunter scrutinizes each update for suspicious behaviors instead.
2. CodeHunter Finds Threats in Open-Source Code at Scale
Another vulnerability in software supply chains? Compromised open-source code. In 2018, threat actors uploaded 12 malicious Python libraries to the official Python Package Index (PyPI). There’s no telling how many victims were affected, especially since the packages worked the way their legitimate namesakes did, just with extra features packaged alongside the real functionality: code that obtained boot persistence or opened a reverse shell to the attacker from the victim’s workstation.
Finding malicious code, in this case, is like finding a grain of salt in a sugar bowl — in a sugar bowl factory. The sheer scope of searching open-source code makes defending against this kind of tactic seem unrealistic. Fortunately, if malicious code did make it into your software or its dependency tree through such an attack, CodeHunter can be configured to automatically scan entire directories, and even networks, locally or in the cloud, to find it. Because CodeHunter runs in the cloud and at scale, the volume of code it can search for the proverbial grain of salt is effectively unlimited.
3. CodeHunter Catches Things Humans Tend to Miss
Though we do our best to protect our assets, we can’t always get everything right. Even when we err on the side of caution, it’s unrealistic to depend on individuals to catch every malicious behavior slipping through the cracks.
For instance, can you spot the difference between “jellyfish” and “jeIlyfish” right away? Let’s make it easier: how about “jellyfish” and “jeilyfish”? Imagine trying to find the difference, unprompted, amidst an ocean of code.
Typosquatting is a common way for threat actors to infiltrate a software supply chain, and PyPI has seen exactly this trick. A malicious package named “jeIlyfish” (a capital I standing in for the lowercase L) was published alongside the legitimate open-source “jellyfish” library, waiting for anyone who mistyped or misread the name.
This type of trickery can be replicated anywhere. All a cybercriminal needs to do is publish a package or file whose name looks exactly like a legitimate one, and it can slip past even the sharpest set of eyes, though perhaps not the sharpest malware hunter. This is where CodeHunter’s ability to differentiate suspicious code comes into play.
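Part of what a tool can do that eyes cannot is compare every dependency name against the packages you already depend on, with confusable glyphs folded before the comparison so “jeIlyfish” and “jellyfish” collide. The script below is an added example written for this page, not CodeHunter’s code: the allow-list and the candidate names are constructed, and the confusable table is a small illustrative subset of the real Unicode confusables data.

```python
"""Flag dependency names that look like typosquats of packages you already use."""
import re

# Constructed allow-list. In practice derive it from your lockfile or a curated
# registry mirror rather than a literal (assumption for this example).
KNOWN_PACKAGES = {"jellyfish", "python-dateutil", "requests", "django", "numpy"}

# Characters that read alike in most fonts, each mapped to one canonical glyph.
# Applied before lowercasing so a capital I (as in "jeIlyfish") folds to "l".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', then lowercase.
    PyPI treats names that are equal under this rule as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def canonical(name: str) -> str:
    """Normalization plus confusable folding, so look-alike spellings compare equal."""
    folded = name.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return normalize(folded)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions ('djanog' is one edit away from 'django')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def check_name(candidate: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Classify a dependency name against the allow-list. Returns (verdict, match):
    'known'      exact (PEP 503-equivalent) match
    'lookalike'  identical to a known name once confusable glyphs are folded
    'near-miss'  within max_distance edits of a known name
    'unknown'    nothing similar; not a typosquat of anything you depend on"""
    known_norm = {normalize(k): k for k in known}
    if normalize(candidate) in known_norm:
        return "known", known_norm[normalize(candidate)]
    c = canonical(candidate)
    best = None
    for k in known:
        if c == canonical(k):
            return "lookalike", k
        d = edit_distance(c, canonical(k))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, k)
    return ("near-miss", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed candidates: the two jellyfish look-alikes from the text plus others.
    for name in ["jellyfish", "jeIlyfish", "jeilyfish", "python3-dateutil", "diango", "flask"]:
        print(f"{name:18} -> {check_name(name)}")
```

A “lookalike” verdict should block the install outright; a “near-miss” is worth a human look, since it is also what a legitimately renamed or forked project looks like. The threshold of one edit keeps false positives low on short names; for long names a distance of two is common in production scanners.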
4. Even Unknown Threats Have No Place to Hide
We don’t always see threats for what they are, especially with all the moving parts in a software supply chain. It’s the perfect setup for a Trojan horse since it relies on passing under the radar disguised as a section of innocent-looking code.
Trojan horses often find a way in through the typosquatting described above, or by any number of other routes. They are ubiquitous and are not always cataloged in malware databases, so traditional signature-based malware scanners don’t always recognize them.
CodeHunter scans for suspicious behavior, regardless of the correctly functioning code surrounding it, which makes for an effective filter that does not rely on signatures of known malware.
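The behavior-based approach described in sections 2 and 4 can be illustrated statically: parse a package’s install script and flag what it does (decode-and-exec, shell out, phone home, persist) rather than what its bytes hash to. The script below is an added example, not CodeHunter’s code and not the actual packages from the PyPI incident; the two setup.py samples are constructed in the style the post describes, and the indicator lists are a starting set rather than an exhaustive one.

```python
"""Static, behaviour-based triage of a Python package's install-time code."""
import ast
import base64
import re
from typing import List, Optional, Tuple

# Calls whose presence in packaging code is itself the indicator (constructed lists).
DECODERS = {"base64.b64decode", "base64.b85decode", "bytes.fromhex", "zlib.decompress"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.call",
               "subprocess.run", "subprocess.check_output"}
NETWORK_CALLS = {"socket.socket", "socket.create_connection",
                 "urllib.request.urlopen", "requests.get", "requests.post"}
# Strings that suggest persistence; extend for the platforms you care about.
PERSISTENCE_RE = re.compile(r"@reboot|crontab|rc\.local|/etc/init\.d|\.bashrc|\.profile|"
                            r"CurrentVersion\\Run|Programs\\Startup|LaunchAgents")


def call_name(node: ast.Call) -> str:
    """Dotted callee name ('base64.b64decode', 'exec'); '' for anything fancier."""
    f, parts = node.func, []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def decoded_payload(node: ast.Call) -> Optional[str]:
    """If this is base64.b64decode on a literal, return the decoded text.
    Decoded only so the analyst can read it; it is never executed."""
    if call_name(node) == "base64.b64decode" and node.args and isinstance(node.args[0], ast.Constant):
        try:
            return base64.b64decode(node.args[0].value).decode("utf-8", "replace")
        except (ValueError, TypeError):
            return None
    return None


def find_suspicious(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, category, detail) for each suspicious behaviour in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and PERSISTENCE_RE.search(node.value):
            findings.append((node.lineno, "persistence", node.value))
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name in {"exec", "eval"}:
            # Look for a decoder anywhere inside the argument: exec(b64decode("...")).
            inner = [n for n in ast.walk(node) if isinstance(n, ast.Call) and n is not node]
            payloads = [p for p in map(decoded_payload, inner) if p is not None]
            if payloads or any(call_name(n) in DECODERS for n in inner):
                findings.append((node.lineno, "obfuscated-exec", payloads[0] if payloads else "non-literal payload"))
            else:
                findings.append((node.lineno, "dynamic-exec", name))
        elif name in SHELL_CALLS:
            findings.append((node.lineno, "shell", name))
        elif name in NETWORK_CALLS:
            findings.append((node.lineno, "network", name))
    return sorted(findings)


# Constructed samples. The encoded payload is built here so it is readable above.
PAYLOAD_B64 = base64.b64encode(b"import socket, subprocess").decode()
MALICIOUS_SETUP_PY = f'''
from setuptools import setup
import base64, os

setup(name="diango", version="1.0", packages=["diango"])

exec(base64.b64decode("{PAYLOAD_B64}"))
os.system("(crontab -l; echo '@reboot python3 /tmp/.x.py') | crontab -")
'''

BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="jellyfish", version="0.8.0", packages=["jellyfish"])
'''

if __name__ == "__main__":
    for label, src in [("malicious", MALICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)]:
        print(label, find_suspicious(src) or "no findings")
```

Nothing here depends on having seen the sample before: a freshly written package that decodes and executes a blob, or edits crontab from its install script, is flagged on the first encounter. The trade-off is that a legitimate build step which shells out will also surface, which is why the output is a triage list with line numbers rather than a verdict.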
5. Mitigate the Potential Damage Done
The longer a software supply chain stays compromised, the more damage is done. Identifying an intrusion before it spreads to the other links in the chain is critical and time-sensitive.
Take the Equifax breach for example. It was not a supply chain compromise, but it shows what dwell time costs. It all started with an unpatched vulnerability in a customer complaint portal, which gave attackers a foothold from which they harvested credentials. From there, they pulled data from Equifax’s networks, undetected, for months, in part because an expired certificate on an internal traffic inspection tool had left encrypted traffic uninspected. The ordeal wound up costing Equifax $1.4 billion in clean-up costs and an additional $1.38 billion in consumer claims.
Oversights like these compound over time. This is why CodeHunter, with its automation and fast scanning, is designed to find threats as soon as they step over your threshold.