documents/3-Commit-CI/3-1-Static-analysis/3-1-2-Software-Composition-Analysis.md
Lines changed: 20 additions & 1 deletion
@@ -1,6 +1,6 @@
1
1
### Software Component/Composition Analysis (SCA)
2
2
3
-
Software Component Analysis is the process of automating application security for managing third-party and opensource components of codebase. SCA will find any potential vulnerable components in our codebase to prevent highsecurity risks like **Supply-Chain Attack**, not only that but also provide licensing about each components. By doing this, it helps organization to reduce security risks in their codebase libraries and needed to be early in modern software development life cycle.
3
+
Software Component Analysis is the process of automating application security for managing third-party and open-source components of the codebase. SCA will find any potentially vulnerable components in our codebase to prevent high-security risks like **Supply-Chain Attack**, not only that but also provide licensing for each component. By doing this, it helps organizations to reduce security risks in their codebase libraries and needs to be early in the modern software development life cycle.
4
4
5
5
> For more information about the Component Analysis please visit [the OWASP page](https://owasp.org/www-community/Component_Analysis)
6
6
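Review bot: the rewritten paragraph still has two wording problems in the added line. "high-security risks like **Supply-Chain Attack**" reads as risks that are high-security rather than severe; suggest "high-severity risks such as supply-chain attacks". The closing clause "and needs to be early in the modern software development life cycle" has no subject (it is SCA that should run early, not the reduction of risk); suggest "...reduce security risks in their dependencies, which is why SCA should run early in the software development life cycle." Also consider softening "SCA will find any potentially vulnerable components" to "known vulnerable components", since the Supply-Chain Attacks section added in the same commit states that SCA "may not directly detect malicious packages".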
@@ -10,6 +10,25 @@ We should put the Component Analysis earlier, before security testing like SAST,
10
10
TBD
11
11
12
12
## Supply-Chain Attacks
13
+
Supply chain attacks involve exploiting vulnerabilities in the interconnected network of suppliers, vendors, and software components to infiltrate and compromise target systems, often leading to widespread security breaches and data theft. While SCA tools may not directly detect all types of supply chain attacks, they can help mitigate certain risks associated with them. Here's how different types of supply chain attacks can be addressed using SCA:
14
+
15
+
1.**Dependency Confusion**: Attackers upload malicious packages or libraries to public or private repositories with names similar to legitimate ones. Developers unknowingly install these malicious dependencies, assuming they are safe, leading to security compromises. Example: [PyTorch discloses malicious dependency chain compromise over holidays](https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/#google_vignette).
16
+
SCA tools can detect instances where developers are using dependencies with known vulnerabilities or dependencies that are not declared in the project's configuration files. While they may not directly detect malicious packages, they can alert developers to the presence of unexpected or potentially risky dependencies.
17
+
18
+
2.**Compromised Build Environments**: Hackers infiltrate build environments or CI/CD pipelines to tamper with the build process, injecting malicious code or altering legitimate code during compilation or packaging stages. Read more here: [10 real-world stories of how we’ve compromised CI/CD pipelines](https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/).
19
+
SCA tools can analyze the composition of software packages and components used in the build process. By scanning these components for known vulnerabilities or unexpected changes, they can help identify if any malicious code has been injected during the build process.
20
+
21
+
4.**Software Supply Chain Hijacking**: Attackers compromise the distribution channels of software packages or updates, such as software update servers, download mirrors, or package managers. They replace legitimate software with malicious versions, which are then unwittingly installed by users or organizations. [SolarWinds hack explained](https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know).
22
+
SCA tools can monitor for changes in the integrity of software packages and dependencies. If a legitimate package is replaced with a malicious version, SCA tools can detect the discrepancy and alert developers or security teams.
23
+
24
+
6.**Counterfeit Components**: Malicious actors create counterfeit hardware or software components that resemble legitimate ones. These counterfeit components may contain hidden vulnerabilities or backdoors, compromising the security of the systems they are integrated into. Stuxnet Worm will fall into this category, [Read more about Stuxnet](https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/)
25
+
While SCA tools may not directly detect counterfeit components, they can help ensure that only trusted and verified components are used in the software development process. By providing visibility into the origin and security status of components, SCA tools can help mitigate the risk of incorporating counterfeit components into software applications.
26
+
27
+
7.**Third-Party Compromise**: Hackers compromise third-party vendors or suppliers involved in the software supply chain, gaining access to sensitive information or systems that they can leverage to launch supply chain attacks on their customers or partners.
28
+
SCA tools can assess the security posture of third-party vendors or suppliers by analyzing the security of the components they provide. By monitoring for vulnerabilities or unexpected changes in third-party components.
29
+
SCA tools can help identify if a third-party vendor has been compromised and alert organizations to the potential risks. [Exploitation of Accellion File Transfer Appliance](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a)
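Review bot: the numbered list skips items 3 and 5 (it runs 1, 2, 4, 6, 7), which suggests two attack types were dropped during editing; either restore them or renumber. The items are written as `1.**Dependency Confusion**` with no space after the period, so Markdown will not render them as a list; use `1. **Dependency Confusion**`. In the Third-Party Compromise item, "By monitoring for vulnerabilities or unexpected changes in third-party components." is a fragment cut off by a blank line from its continuation "SCA tools can help identify if a third-party vendor has been compromised..."; join them into one sentence. The Compromised Build Environments item claims SCA "can help identify if any malicious code has been injected during the build process", which contradicts the Dependency Confusion item's statement that SCA tools "may not directly detect malicious packages"; rephrase to the narrower claim that SCA compares the resolved dependency set against what is declared and flags known-vulnerable or unexpected components. The Stuxnet link is offered as the Counterfeit Components example without saying which counterfeit component it involved; add a sentence explaining the fit or choose a clearer example. Finally, strip the `#google_vignette` fragment from the BleepingComputer URL, as it is ad-overlay residue rather than part of the article address.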