What is Dependency Confusion and Why Does it Matter in the Federal Sector?

In my years of experience supporting the federal government in different capacities, I have seen the evolution of attack methods match the pace of innovation as our information systems become even more advanced. No matter the state of the technology, it is always that proverbial “cat and mouse” game where the good guys try to stay ahead of the bad guys. As this never-ending battle continues, one of the new kinds of software supply chain attacks caught many organizations and agencies off guard early this year when a researcher revealed that he had successfully infiltrated his own code into applications for a surprising number of well-known companies.

Developers in the federal space are not immune to the attack, disclosed in February, that affected 35 major technology companies. Although many federal systems take additional protective steps, the vulnerability spans both commercial and government systems, so extra measures are needed to protect government development environments.

What is dependency confusion?

The “attack” by a white-hat security researcher on npm, the popular open source JavaScript package registry, exploited an issue in how many software namespaces are resolved. It allowed him to inject his own code into the JavaScript ecosystem and have it appear inside the target companies’ production applications. While this specific effort involved companies that welcome this kind of open source scrutiny of their application security, it did not take long for copycat attacks with more nefarious intentions to emerge.

The npm attack used a technique called dependency confusion, or “namespace confusion,” which is in the same territory as a typosquatting attack but with some key differences. Typosquatting attackers publish packages with misspelled names that may get consumed through human error when dependency data is typed in. Package managers defend against this by routinely cleansing their repositories when they see typosquatting activity. Often companies (Read more...)
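As an added illustration that is not part of the original post: a small JavaScript simulation of the "highest version wins" resolution that dependency confusion relies on, next to the scope-pinned resolution and the metadata-only collision audit a defender would use instead. The registry contents, the `@acme/` scope and all package names are constructed sample data.

```javascript
// Added illustration (not from the original post): a naive resolver that merges
// private and public registries can be "confused" into picking a same-named
// public package; scope pinning and a collision audit avoid it.
// All registry contents below are constructed sample data, not real lookups.
const PRIVATE_REGISTRY = {
  "@acme/auth-utils": ["1.2.0", "1.3.1"],
  "acme-internal-logger": ["2.0.0"],      // unscoped internal name (risky)
};
const PUBLIC_REGISTRY = {
  "lodash": ["4.17.21"],
  "acme-internal-logger": ["99.0.0"],    // same name, higher version, untrusted
};

// Compare "major.minor.patch" strings; positive when a is newer than b.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
function highest(versions) { return versions.slice().sort(compareSemver).pop(); }

// Naive resolution: pool candidates from every registry and take the newest.
// This "highest version wins" merge is what dependency confusion relies on.
function resolveNaive(name) {
  const candidates = [
    ...(PRIVATE_REGISTRY[name] || []).map(v => ({ v, source: "private" })),
    ...(PUBLIC_REGISTRY[name] || []).map(v => ({ v, source: "public" })),
  ];
  if (candidates.length === 0) throw new Error(`no such package: ${name}`);
  return candidates.sort((x, y) => compareSemver(x.v, y.v)).pop();
}

// Hardened resolution: names under the private scope (assumed "@acme/") or on
// an explicit internal allow-list come from the private registry only; all
// other names come from the public registry only. Registries are never merged.
const INTERNAL_UNSCOPED = new Set(["acme-internal-logger"]);
function resolvePinned(name) {
  const isInternal = name.startsWith("@acme/") || INTERNAL_UNSCOPED.has(name);
  const registry = isInternal ? PRIVATE_REGISTRY : PUBLIC_REGISTRY;
  const source = isInternal ? "private" : "public";
  if (!registry[name]) throw new Error(`${name} not found in ${source} registry`);
  return { v: highest(registry[name]), source };
}

// Audit: list unscoped internal names that also exist on the public registry,
// using only metadata (nothing is downloaded or installed).
function findCollisions(internalNames, publicRegistry) {
  return internalNames.filter(n => !n.startsWith("@") && n in publicRegistry);
}
```

The audit is the check to run over your private registry's package list before trusting any build configuration that can fall through to the public registry.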

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Jason Nalewak. Read the original post at: https://blog.sonatype.com/what-is-dependency-confusion-and-why-does-it-matter-in-the-federal-sector