Today I defended my dissertation proposal at the University of Colorado at Colorado Springs, where I am a Ph.D. candidate in the Computer Science Department. Below is a snippet from my abstract.
We are heading for a perfect storm that makes open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizational security postures. The widespread adoption of open source (99% of today's software utilizes open source(1)), the ease of today's package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and those projects are then potentially running the malicious code. The impact could include implementing backdoors, gathering intelligence, delivering malware, denying a service, or destroying hardware, as we witnessed with Stuxnet(2). These types of attacks show no sign of slowing down. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year(3).