The last year has seen a massive rise in the number of software supply chain attacks aimed at upstream public repositories, a new report has revealed. According to Sonatype’s annual State of the Software Supply Chain Report, such attacks numbered more than 12,000 – a 650% rise in 2020, which itself revealed a 430% increase on 2019.
While software supply chain exploits have tended in the past to exploit publicly-disclosed open source vulnerabilities left unpatched in the wild, the new breed of upstream attack is more sinister, says Sonatype.
Instead of passively waiting for vulnerability disclosures, many attackers are proactively injecting new vulnerabilities into open-source projects that feed the global supply chain, and then exploiting the vulnerabilities they’ve created. Worryingly, the report revealed a disconnect between reality and perception where security is concerned. While development teams believe they are doing a good job fixing defective components and think they understand where risk resides, the objective data tells a different story, argues Sonatype. In fact, says the report, they make suboptimal decisions 69% of the time when updating third-party dependencies.