For cybercriminals, software dependencies are the gift that keeps on giving.
We know that data breaches can be costly for companies in both financial and reputational terms, but did you know that many of these breaches are due to developers introducing risks into their own code?
There’s plenty of guidance about best practice in data security for businesses and organisations, but much of this tends to focus on anti-malware, user privileges, and system monitoring.
The issue with dependencies is that when they expose businesses to greater risk, this is all happening at a more technical level. The impact can be significant and extremely damaging, but can be all but invisible to senior management.
Effective dependency management is an essential component in protecting yourself from data breaches.
Dependencies and data breaches
In 2023 there were over 8.2 billion breached records around the world.
Closer to home, the UK is experiencing a fraud epidemic according to a report from The Royal United Services Institute (RUSI). Much of this fraud is opportunistic and, in many cases, the applications that organisations use are enabling it.
OWASP (the Open Web Application Security Project) publishes a regular top 10 index of web app security vulnerabilities. These are the vulnerabilities hackers exploit to breach organisations, and many of them are introduced through software dependencies.
Using components with known vulnerabilities was the root cause of the infamous Panama Papers breach in 2016. This involved 11.5 million leaked documents.
In the same year, Canadian company VerticalScope suffered a breach where over 45 million passwords were leaked from 1,000 sites. The root cause was the same.
Another high-profile breach involved the American credit bureau Equifax in 2017. Here the breach exposed the data of 147 million people. The company had to agree a settlement of $425 million with the Federal Trade Commission to help those affected. The main cause of the breach was third-party software to which the company had not applied a crucial security patch.
The CloudBleed bug of 2017 caused 1.2 million leaks of memory from web servers after vulnerable code was introduced. And the Marriott data breach of 2018 exposed around 339 million global guest records. The ICO fined the hotel company £99 million.
In April 2021, security researchers at SonarSource identified a vulnerability in the source code of Composer, a PHP tool used to manage and install software dependencies. The vulnerability allowed the researchers to execute commands in Packagist, an online service which Composer uses to determine the correct supply chain for package downloads. The vulnerability was identified and patched without being exploited (to Packagist’s knowledge), but the fact that this was a major tool used to manage dependencies highlights the inherent risks in software supply chains.
What happens when developers introduce risk?
Software development is a high-pressure business, and to keep up with demand it’s common for developers to reuse software written by other people.
This reuse takes the form of software dependencies — additional code that the programmer includes to help avoid repeating key processes such as designing, writing, testing and debugging specific units of code.
These units are known as packages, libraries, or modules.
The practice of taking on these external dependencies is well-established. But it has a built-in weakness. By bringing in this external code the developer has no guarantee of its history, the work that may or may not have gone into it, or the extent to which it has been tested.
In many areas of business, such as food and fashion, the concept of provenance plays a hugely significant part. Where a product or material comes from is important in determining its intrinsic value or reliability.
Provenance is what’s missing in the use of dependencies. The software supply chain can become quite obscure when developers build apps.
A developer may pin an app to a specific version of the underlying software it uses, but because that dependency is hidden from view it is not updated in the same way the app itself is. Any vulnerabilities in it remain unaddressed, leaving potential gaps for cybercriminals to exploit.
How should you manage dependencies?
The government publishes guidance for managing software dependencies. It emphasises the importance of keeping your code up to date, keeping your systems secure, and making sure your software is working the way you expect it to.
Essentially, this is a management task, and it can be an extensive one. You should track your dependencies and their versions, and be systematic about checking them for, and protecting them against, known vulnerabilities.
The main ways of applying dependency management are through code, firewall apps, and containerisation.
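As an added illustration of the tracking task described above (this is example code written for this article, not Isotoma's product or any real audit tool), the script below reads a pinned requirements list, compares each pin against a list of advisories with "introduced" and "fixed" version ranges, and reports both the pins that fall inside a vulnerable range and the requirements that are not pinned at all, and so cannot be audited reliably. Every package name, version and advisory ID in it is constructed; a real audit would read the advisory data from a vulnerability database rather than hard-coding it.

```python
"""Audit a pinned dependency list against known-vulnerable version ranges.

Added example, not Isotoma's product or any real tool. Every package name,
version and advisory ID below is constructed for illustration.
"""
from typing import NamedTuple


class Finding(NamedTuple):
    package: str
    pinned: str
    advisory: str
    fixed_in: str


# Constructed requirements.txt-style pin list, as an application might ship it.
PINNED_REQUIREMENTS = """\
# constructed sample manifest
webframe==2.4.1
jsonparse==0.9.3
imagelib==1.2.0
crypto_helper==3.0.5
loggingtool>=1.0        # not pinned: the version drifts between builds
"""

# Constructed advisory feed. A real audit would pull this from a vulnerability
# database; the IDs here are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-0001 (constructed)", "package": "jsonparse",
     "introduced": "0.8.0", "fixed": "0.9.4"},
    {"id": "ADV-0002 (constructed)", "package": "imagelib",
     "introduced": "1.0.0", "fixed": "1.2.0"},
    {"id": "ADV-0003 (constructed)", "package": "webframe",
     "introduced": "2.0.0", "fixed": "2.3.0"},
    {"id": "ADV-0004 (constructed)", "package": "crypto-helper",
     "introduced": "3.0.0", "fixed": "3.1.0"},
]


def normalise(name: str) -> str:
    """Treat 'Crypto_Helper' and 'crypto-helper' as the same package."""
    return name.strip().lower().replace("_", "-")


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only (1.2.0 -> (1, 2, 0)). Pre-releases and other
    PEP 440 forms would need the `packaging` library, which is out of scope here."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_pins(text: str) -> tuple[dict[str, str], list[str]]:
    """Return {package: pinned_version} plus the requirements that are not
    pinned with '==' and therefore cannot be checked against a version range."""
    pins: dict[str, str] = {}
    unpinned: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pins[normalise(name)] = version.strip()
        else:
            unpinned.append(line)
    return pins, unpinned


def find_vulnerable(pins: dict[str, str], advisories) -> list[Finding]:
    """A pin is affected when introduced <= pinned < fixed (fixed is exclusive)."""
    findings: list[Finding] = []
    for adv in advisories:
        pkg = normalise(adv["package"])
        if pkg not in pins:
            continue
        pinned = parse_version(pins[pkg])
        if parse_version(adv["introduced"]) <= pinned < parse_version(adv["fixed"]):
            findings.append(Finding(pkg, pins[pkg], adv["id"], adv["fixed"]))
    return findings


def audit(requirements: str, advisories=ADVISORIES) -> dict:
    """Run the whole check and return the findings as one report."""
    pins, unpinned = parse_pins(requirements)
    return {"vulnerable": find_vulnerable(pins, advisories), "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(PINNED_REQUIREMENTS)
    for f in report["vulnerable"]:
        print(f"VULNERABLE {f.package}=={f.pinned}: {f.advisory}, fixed in {f.fixed_in}")
    for req in report["unpinned"]:
        print(f"UNPINNED   {req}: pin an exact version so it can be audited")
```

Run it and the two pins that sit inside an advisory range (jsonparse 0.9.3 and crypto-helper 3.0.5) are reported, imagelib 1.2.0 is not because it already equals the fixed version, and the unpinned loggingtool line is flagged separately. That last case is the point of the passage above: a dependency whose version is not recorded cannot be tracked, so it cannot be shown to be patched either.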
But you can also take advantage of specialist tools. At Isotoma, we’ve developed a dedicated security and compliance product that works to control the risk of data breaches.
This takes the pain out of dependency management, while giving you peace of mind about what’s going on behind the scenes with your software.
Want to find out more? Contact the Isotoma team today.