Application security (AppSec) can be a complicated and exhausting endeavor. However, applying the best AppSec practices is critical when trying to secure and defend government agency applications from cyberthreats. In a conversation with Steve Boone, Checkmarx Head of Product and an expert in application security, he discussed three open source solutions that can help agencies mitigate risks and better protect their application code from attack.
“We’re constantly putting pressure on developers to take on more responsibility,” Boone said. “The benefit of open source when developing code is that we don’t have to reinvent the wheel. We can just go grab the pieces, parts, and the tools that we need from the open source community in hopes of speeding our time to market as well as speeding our time to value for whomever our end users might be.”
Here are three open source solutions developers can use to automate AppSec practices that will protect agencies from cyber threats:
1. Chain Alert
Forbes found that 96 percent of the software projects being built today are leveraging open source packages because they save agencies time and money when designing applications that provide essential services to constituents.
“It’s impossible for any one team or organization to monitor every open source package they use because there are so many of them and they’re always changing,” Boone said. “Chain Alert gives agencies the ability to monitor the packages they care about for new updates.”
Chain Alert monitors new versions of individual open source packages being used by your agency. Rather than deploying any update it finds, this tool looks at patterns for how the version update was created and where it originated. If the Chain Alert tool finds anything abnormal from the way the code has been delivered in the past, it alerts your agency’s developer team and the open source community that manages that code. By having this tool deployed, agencies can rapidly respond to and prevent potential account takeovers.
Many developers have automated systems that look for updates on the open source packages they are deploying. However, some threat actors have tried to take advantage of this automated process. These actors create malicious open source packages with the same names as the ones being deployed and give them a higher version number. This can cause dependency confusion, where an agency’s automated systems will try to update their open source packages with these malicious code versions and compromise the applications as a result.
“Dependency confusion can be quite detrimental because many of these automated systems are programmed to automatically go look for new versions of the packages being used and update them to make sure that the developer’s code works with the latest versions of the binaries,” Boone said. “DustiLock is keen on helping developers treat opensource code like they treat proprietary code – by detecting supply-chain attacks in code packages.”
DustiLock searches the agency’s open source packages to find which of them may be susceptible to a dependency confusion attack. Once identified, developers can put preventative measures into place to mitigate an attack.
3. Chain Jacking
Open source projects tend to change hands between different agencies, especially when they’re designed to solve a common problem. The project can get bought, sold, or even abandoned, and then anyone can pick those projects up. This process is known as RepoJacking.
RepoJacking is when threat actors takeover a legitimate project by using phishing tactics to add malicious code or dependencies to it. Often, this goes undetected until after an account takeover, but with Chain Jacking, agencies can protect their application code from these attacks. Chain Jacking is a tool that scans agency’s open source code to find which may be susceptible to a RepoJacking attack.
“As we find more of these malicious code packages, we feed that data back into our machine learning engines and fine tuning them,” Boone said. “The identification of these packages allows us to stay on the attacker’s heels. We’re always chasing the malicious actors and trying to stay one step ahead of where we think they’ll strike next.”
Open source software is essential for esigning and deploying applications that provide better constituent services with speed and ease. However, there is always a certain level of risk and a few challenges associated with any open source code. By deploying the right tools, agencies can secure their code from malicious cyberattacks while still taking advantage of the benefits that open source packages bring.
Learn more about securing your agency’s application code here.