Manifest Confusion Threat Undermines Trust in Entire Npm Registry

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the newest headlines from both the world and our team on all things software security.

This week: A flaw in npm, the open source repository, dubbed "Manifest Confusion" poses a threat to the security of millions of open source packages hosted there, a former npm engineer claims. Also: CISA and NSA release new guidance on securing CI/CD environments.

This Week’s Top Story

Manifest Confusion Threat Undermines Trust in Entire Npm Registry

Npm, an open source software repository used by 17 million developers worldwide, is being scrutinized for being unable to check the metadata of packages, which leaves developers and their respective organizations susceptible to security risks. Former GitHub and npm manager Darcy Clarke wrote a blog post last week that not only details the risk associated with npm’s lack of checking, but also how the platform has failed to take action to address this risk, despite knowing about it since November 2022.

These risks associated with npm stem from the registry not validating manifest information (metadata) - what the registry claims is in the associated open source package - against the actual contents of the associated "tarball," the software package itself. Clarke believes developers need to be aware of the following possible risks as a result of this lack of validation:

  • Cache poisoning, where a saved package doesn’t match the name and version of the one in the registry
  • Installation of unknown or unlisted dependencies
  • Execution of unknown or unlisted scripts
  • A downgrade attack that targets the vulnerable version of a package
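The check that the registry does not perform can be done on the consumer side: fetch the version manifest the registry shows, read the package.json that actually sits inside the tarball, and compare the fields that matter. The script below is an added example written for this newsletter, not code from Clarke's post or from npm; it assumes the standard npm tarball layout (files under a top-level "package/" directory) and compares only the fields the risks above concern: name, version, dependencies and scripts. Both the registry manifest and the tarball are constructed samples embedded in the script so it runs offline.

```python
"""Detect "manifest confusion": registry metadata that disagrees with the
package.json actually shipped inside an npm tarball.

Added example, not code from the newsletter or from npm/GitHub. It assumes
the usual npm tarball layout (files under a top-level "package/" directory)
and compares only name, version, dependencies and scripts. Both inputs
below are constructed samples, not real registry data.
"""
import io
import json
import tarfile

# Fields whose registry value is normally trusted without looking at the tarball.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")
DICT_FIELDS = ("dependencies", "scripts")


def read_packaged_manifest(tarball: bytes) -> dict:
    """Return the package.json stored inside an npm tarball (package/package.json)."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            # npm places every file of a published package under "package/"
            if member.name in ("package/package.json", "./package/package.json"):
                return json.loads(tar.extractfile(member).read())
    raise ValueError("tarball contains no package/package.json")


def find_manifest_mismatches(registry_manifest: dict, tarball: bytes) -> list:
    """Compare the registry's version manifest with the tarball's package.json.

    Returns a list of human-readable findings; an empty list means the two
    agree on every checked field. Missing dict fields are treated as empty so
    that an unlisted "scripts" block or dependency map is still reported.
    """
    packaged = read_packaged_manifest(tarball)
    findings = []
    for field in CHECKED_FIELDS:
        default = {} if field in DICT_FIELDS else None
        claimed = registry_manifest.get(field, default)
        actual = packaged.get(field, default)
        if claimed != actual:
            findings.append(f"{field}: registry says {claimed!r}, tarball says {actual!r}")
    return findings


def build_sample_tarball(package_json: dict) -> bytes:
    """Construct an in-memory npm-style tarball holding the given package.json.

    Used only to fabricate sample input; a real check would download the
    tarball referenced by the registry manifest's "dist.tarball" URL.
    """
    buf = io.BytesIO()
    body = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample: what the registry displays for this version ...
REGISTRY_MANIFEST = {
    "name": "example-widget",
    "version": "1.2.3",
    "dependencies": {"lodash": "^4.17.21"},
    "scripts": {"test": "jest"},
}

# ... versus what is actually inside the published tarball (constructed).
PACKAGED_MANIFEST = {
    "name": "example-widget",
    "version": "1.2.2",  # older than advertised: the downgrade case
    "dependencies": {"lodash": "^4.17.21", "unlisted-helper": "0.0.1"},  # unlisted dependency
    "scripts": {"test": "jest", "postinstall": "node setup.js"},  # unlisted install-time script
}

SAMPLE_TARBALL = build_sample_tarball(PACKAGED_MANIFEST)

if __name__ == "__main__":
    for finding in find_manifest_mismatches(REGISTRY_MANIFEST, SAMPLE_TARBALL):
        print("MISMATCH", finding)
```

Run against the constructed sample, the script reports three mismatches (version, dependencies, scripts) and stays silent when the tarball's package.json matches the registry manifest. Wiring it to real data means fetching the version document from the registry and the tarball it points to, then passing both to `find_manifest_mismatches`; the comparison itself does not change.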

Clarke submitted a HackerOne report to GitHub in early March that outlined these risks associated with npm, but GitHub closed his ticket on March 21 and said that the platform would deal with the issue “internally.” Clarke further explained his sentiment towards the situation:

“To my knowledge, they (GitHub) have not made any significant headway, nor have they made this issue public – instead, they’ve actually divested their position in npm as a product the last six months and refused to follow-up or provide insight into any remediation work.”

The issue that Clarke came across, also known as Manifest Confusion, demonstrates that developers cannot solely rely on the metadata of a package to determine its risk level. Ax Sharma, a researcher at Sonatype, believes that “using security tooling that forms a deeper analysis” is the best way to analyze the security of a package, rather than “blindly trusting” metadata for this same analysis. (Infosecurity Magazine)

This Week’s Headlines

CISA, NSA Share Guidance on Securing CI/CD Environments

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on how organizations can secure continuous integration and continuous delivery (CI/CD) pipelines against malicious attacks like secrets exposure and malware insertion. The document (PDF) includes recommendations and best practices for hardening CI/CD cloud deployments and improving the defenses of development, security, and operations (DevSecOps). (Security Week)

Most popular generative AI projects on GitHub are the least secure

Researchers have investigated the security posture of the 50 most popular generative AI projects on GitHub. They discovered that the newer and more popular the project is, the less mature the project’s security is. Using the Open Source Security Foundation (OpenSSF) Scorecard to evaluate the large language model (LLM) open-source ecosystem, researchers managed to highlight significant gaps in security and potential risks. To learn more about OpenSSF Scorecard, check out this ConversingLabs episode with Scorecard maintainer Naveen Srinivasan. (CSO Online)

Microsoft's GitHub 'DDoSes' open source GMP project

Servers used by the GMP project – an open source arithmetic library at the heart of GCC and other programs – slowed to a crawl this month, effectively rendering it a victim of a DDoS (Distributed Denial-of-Service) attack due to the sheer volume of traffic. The source of that traffic is quite surprising: Microsoft’s GitHub. (The Register)

How Generative AI Can Dupe SaaS Authentication Protocols — And Effective Ways To Prevent Other Key AI Risks in SaaS

Security and risk teams are already overwhelmed protecting their SaaS (Software-as-a-Service) solutions from common vulnerabilities. This leaves little bandwidth to assess the AI tool threat landscape, unsanctioned AI tools currently in use, and the implications for SaaS security. The Hacker News breaks down some of the key risks of AI to the SaaS system, and how to mitigate them. (The Hacker News)

Why the FDA's SBOM Mandate Changes the Game for OSS Security

New rules from the U.S. Federal Drug Administration (FDA) could impact open source software (OSS) more than any government rule to date. The agency is now mandating that all medical device makers must generate and maintain software bills of materials (SBOMs) for the software they produce. The new policy addresses growing concerns that critical software-powered components of healthcare devices are not properly secured, with many running on outdated operating systems, or open source software that can be vulnerable to attacks. The rule goes into effect on Oct. 1, 2023. (Dark Reading)

Resource Round Up

ReversingGlass Video: Shift Up Your Software Supply Chain Security

In this episode, ReversingLabs Field CISO Matt Rose explains how development and security teams need to move away from strategies like shift left, which only focus on one part of the software development process. The alternative, Matt argues, is that teams should instead "shift up" to gain greater visibility of all software supply chain risks.

Upcoming Webinar: Deconstructing Docker Desktop App

Join ReversingLabs on 7/13 for the next episode in the Software Package Deconstruction Series, focused on showing how to assess risks in your software supply chain. This episode will feature one of the most popular container related applications: Docker Desktop.

Container security involves more than containers; it also encompasses the tools used to create and manage them. We will show how to ensure all of them are part of routine risk assessments.

[Register Now]

Podcast: Creating the Standard for Supply Chain Security

ReversingLabs’ host Paul Roberts chats with Robert Martin of MITRE and Cassie Crossley of Schneider Electric about their session at this year’s RSA Conference. They explained how MITRE’s System of Trust can serve as a standard for software supply chain risk. The two also chatted with Paul about the greater issues facing software supply chains today, such as standardization and transparency. [Listen Now]
