Software Supply Chain Attacks: From Formjacking to Third Party Code Changes

2020 wasn’t the first year in which software supply chain attacks caused major damage, but it certainly brought them to the general public. Much has been said about the headline-grabbing nation state examples, but there is a wide spectrum of these attacks and some are commoditized. Protecting against that full breadth requires run-time analysis and prevention throughout your applications, blocking unexpected application behavior.

Software ecosystems bring risk that scanning won’t find

The vast complexity of software development means vulnerabilities are inevitably introduced in even the most rigorous software development lifecycle (SDLC). This is both why traditional application scanning tools are ubiquitous and why they fail to identify every vulnerability. Scanning (both static and dynamic) catches tens of thousands of these vulnerabilities every year before they are pushed to production, but there have still been over 150,000 reported Common Vulnerabilities and Exposures (CVEs) in software applications and libraries since 2000. In 2020 alone, approximately 18,000 CVEs were disclosed, with an unknown number of them being zero-days.

With vulnerabilities, and their exploits, so likely to impact all applications you use and develop, you need to proactively assume they will. Just as the Zero Trust principles are based on assuming devices and users are compromised, you must expect third-party software to expose your applications to additional risk, so you can use proactive controls to mitigate its impact. Your application protection must identify run-time application behavior, such as whether third-party code is responsible for unwanted traffic. Only by blocking unexpected behaviors do you ensure prevention of novel attack behavior, such as establishing command and control (C2) from your internal applications to a remote server or the fraudulent siphoning of payment card and personal information.

Imperva helps our customers against the range of supply chain attacks

For more sophisticated supply chain attacks aimed at establishing a foothold and moving laterally across your network, you need a fast and easy way to mitigate risks in your unique software supply chain. To effectively mitigate the compromise, the entire software stack (across monoliths, microservices, and APIs) needs a positive security model that analyzes an application’s behavior. By identifying all expected activity, you easily expose high-risk and suspicious behavior.

When a supply chain attack is targeting your customers’ financial and personal information, it is predominantly JavaScript being compromised. To combat it, your fraud and security teams need control over the behavior of any third-party JavaScript code embedded in your web applications. With continuous analysis across millions of transactions, no one can manually triage and approve JavaScript services for execution, so it needs to be automated.

Imperva’s protection is easy to enable, easy to use

Imperva Runtime Application Self Protection (RASP) uses a lightweight security plug-in that analyzes activity within the application and blocks unwanted actions, such as a third-party library suddenly establishing a network connection to an external site for C2. RASP protects applications, runtime, servers, open source dependencies, and third-party libraries. Imperva RASP deploys in minutes by snapping into an application without requiring any code changes, and it requires no ongoing signature updates.

Imperva Client-Side Protection prevents online fraud from supply chain attacks like formjacking, digital skimming, and Magecart. It clearly delineates activity from JavaScript across your website and is available as a free trial to any customer of Imperva’s cloud Web Application and API Protection (WAAP) solutions. Turning it on is easy and once it’s protecting your web applications, you will clearly identify JavaScript vulnerabilities and unwanted behavior, such as compromised code stealing and transmitting your customers’ sensitive data.