As the software supply chain life cycle progresses from source code to executable artifacts, the build stage stands as a critical juncture. Yet, this transformative phase is also susceptible to a range of threats that can jeopardize the software’s integrity and build security. These threats can infiltrate the build process through various methods, including circumventing the established CI/CD pipeline, modifying code post-source control, compromising the build process itself, or manipulating artifact repositories. In this blog post, we delve into these threats in-depth and examine the most prevalent software supply chain build attacks. This content continues our blog series exploring software supply chain security throughout the SDLC.
Table of Contents
The Build Stage in the Software Developement Life Cycle
The build stage of the software supply chain lifecycle encompasses the process of transforming source code into executable software artifacts. This stage involves compiling, linking, and packaging the source code, as well as generating installation packages and configuration files.
Build security threats are vulnerabilities that could allow an adversary to introduce unauthorized changes to the software during the build process without altering the source code. These threats can be introduced through various methods, such as compromising the build environment or exploiting vulnerabilities in build tools.
Most common Software Supply Chain Threats -Build Attacks
Bypass CI/CD
This refers to the practice of circumventing the established CI/CD (continuous integration and continuous delivery) pipeline to directly build and publish software without undergoing the rigorous testing, verification, and auditing processes that are typically enforced by the official pipeline. This can be done by manually building the software outside of the CI/CD environment or by using tools or scripts that allow for unauthorized modifications to the build process. An example of this type of vector attack was the Jenkins Attack. In 2022, hackers infiltrated the build pipeline of a popular open-source software project called Jenkins. The hackers injected malicious code into a Jenkinsfile, which is a script that defines the build process. The malicious code allowed the hackers to bypass the CI/CD pipeline’s security checks and inject their code into the build process. This code is then executed on the systems of organizations that installed the software.
Modify code after source control
This practice involves making unauthorized changes to source code after it has been committed to a trusted source control system (SCS) and then building the software using this modified code. This can be done by directly modifying the code on a developer’s workstation or by using external tools or scripts to inject malicious code into the build process. An example of this vector attack was the GitLab Attack in 2022. Hackers infiltrated the build pipeline of GitLab. The hackers injected malicious code into the GitLab CI/CD pipeline, which is a tool that automates the build security process. The malicious code allowed the hackers to modify the code after it had been checked into source control. This allowed them to inject their code into the software, which was then executed on the systems of organizations that installed the software.
Compromise build process
This involves manipulating or altering the build process itself, either through direct access to the build environment or by exploiting vulnerabilities in build tools or third-party dependencies. This can be done to introduce malicious code into the build output, tamper with build provenance, or disrupt the build process altogether. The most famous example of this vector attack was the SolarWinds Attack. An attacker had gained unauthorized access to SolarWinds’ build platform, a system used to compile and package SolarWinds Orion software. This script injected malicious code into the compiled SolarWinds Orion software. When users installed the compromised software, the malicious code was executed on their systems, giving the attacker unauthorized access to their systems. The attacker was also able to steal sensitive data from their systems, such as credentials, intellectual property, and customer information.
Compromise artifact repository
This refers to the unauthorized access or manipulation of an artifact repository, where software packages and binaries are stored for distribution to internal or external users. Attackers can exploit this vulnerability to introduce malicious code, tamper with the authenticity of the software, or disrupt the deployment process. An example of this vector attack was The RubyGems in 2022. Hackers infiltrated the artifact repository of RubyGems. The hackers replaced a legitimate artifact with a malicious one, which was then downloaded by thousands of organizations building software with Ruby on Rails. The malicious artifact allowed the hackers to execute arbitrary code on the systems of organizations that installed the software. This could potentially allow them to steal data, install malware, or disrupt operations.
Final Remarks
As organizations continue to embrace software development practices that emphasize automation and continuous delivery, the importance of securing the software build process has never been greater. By implementing robust security measures throughout the build stage, organizations can significantly reduce their risk of falling victim to malicious attacks that can compromise the integrity and security of their software.
The strategies outlined in this blog post and the examples provided serve as a reminder that the build stage is a vulnerable point in the software supply chain. Organizations should take heed of these threats and implement the necessary security measures to protect their software from attack. By doing so, they can ensure the integrity, security, and reliability of their software for their users and customers.
Join Our Journey Toward a Secure Software Ecosystem
Don’t miss out on this opportunity to stay ahead of the curve in avoiding software supply chain threats. Subscribe to our blog today and be the first to receive our latest insights, ensuring that your organization remains resilient and secure amidst evolving threats. Together, we can build a more robust and secure software ecosystem for all.
Watch our Video Demo
