Forrester Expert Explores Latest Supply Chain Attack Trends
Attackers Upping Their Game, Injecting Malware Code Directly Into Victims' Systems
Supply chain attacks have evolved from exploiting organizations that haven't patched vulnerabilities in open-source libraries to proactively targeting victims with malicious code.
Next-generation software supply chain attacks either inject poisoned code directly into a victim's system or get a company to download a piece of software that has vulnerable code in it, said Forrester Senior Analyst Janet Worthington. Adversaries are increasingly using typosquatting and dependency confusion to disguise malicious packages in code repositories and trick users into downloading them, she said (see: BlueVoyant CEO on How to Remediate Supply Chain Defense Bugs).
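The two package-repository tricks named above, typosquatting and dependency confusion, can both be screened for before a build pulls anything. The script below is an added example, not code from the article or from Forrester: it reviews a pip requirements file against a constructed allowlist of trusted names and a hypothetical internal-package prefix (`acme-`), flagging names within a small edit distance of a trusted package and internal names that would be resolved alongside a public index via `--extra-index-url` (pip takes the highest version across all configured indexes, which is what dependency confusion exploits).

```python
import re

# Constructed allowlist of trusted public packages (assumption for this example).
TRUSTED = {"requests", "urllib3", "cryptography", "numpy", "pyyaml"}
# Hypothetical prefix an organisation reserves for its private packages.
INTERNAL_PREFIX = "acme-"

# Constructed requirements file: one typosquat and one internal name on a mixed index.
SAMPLE = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
reqeusts==2.31.0
acme-auth==1.4.0
numpy==1.26.4
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); package names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_requirements(text, trusted=TRUSTED, internal_prefix=INTERNAL_PREFIX, max_dist=2):
    """Return (name, reason) findings for typosquat candidates and confusion-prone internal names."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    # --extra-index-url merges a private index with the public one; --index-url alone replaces it.
    mixes_indexes = any(l.startswith("--extra-index-url") for l in lines)
    findings = []
    for line in lines:
        if line.startswith("-"):          # pip option lines, not requirements
            continue
        # Strip version specifiers/extras/markers and normalise the name as pip does.
        name = re.split(r"[=<>!~\[; ]", line, 1)[0].lower().replace("_", "-").replace(".", "-")
        if name.startswith(internal_prefix):
            if mixes_indexes:
                findings.append((name, "dependency-confusion risk: internal name resolved alongside a public index"))
            continue
        if name in trusted:
            continue
        close = sorted(t for t in trusted if levenshtein(name, t) <= max_dist)
        if close:
            findings.append((name, f"typosquat candidate of {close[0]}"))
    return findings

if __name__ == "__main__":
    for name, reason in review_requirements(SAMPLE):
        print(f"{name}: {reason}")
```

Pinning the private index with `--index-url` (and no public fallback) or registering your internal names on the public index are the usual mitigations for the second finding.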
"Attackers are actually finding ways to get malicious code into the victim's system through these open-source libraries," Worthington said. "It behooves everybody to make sure that they're following good software supply chain practices because all you need is a little tiny cog in that big chain to get compromised and then you, as a large organization, will be a target for attack."
In this video interview with Information Security Media Group, Worthington also discusses:
- How the SolarWinds and Log4j hacks reshaped the supply chain security market;
- To what extent cybercriminals mimic the supply chain tactics of nation-state actors;
- How startups and established vendors intend to help address supply chain risk.
Worthington advises security and risk professionals on product security, proactive security design, securing new development methods, security testing in the software delivery life cycle, and collaboration between security, development and product management. Prior to joining Forrester in December 2021, she was a senior product manager at Robin. Before that, she spent seven years at Veracode. As a security program manager, she helped Fortune 100 companies roll out application security programs across their organization, and she has led software quality assurance, release engineering and project teams at a number of startup technology companies.