Deep Thoughts On Supply Chain Attacks

Supply chain attacks are becoming more prevalent, and they pose a tremendous risk to everyone in the chain – developers, end users, customers, etc.

If you don’t know what a software supply chain attack is, here’s a brief overview of how it works: instead of attacking a company directly, attackers compromise the software dependencies the company uses. For example, in the WordPress world, a lot of developers use Composer to automatically download the latest minor version of a software component as part of a build process.

An attacker who compromises that one dependency gains a foothold with every developer who uses the component, and with their customers in turn.

One of the reasons this type of attack works so well is that developers have been trained NOT to include dependencies in their version control (git) repos.

So every time they build a project, they pull the latest minor version from a remote server, and they’re not checking hashes before using the component they just pulled.

We’ve never fully bought into the “never put dependencies in your repo” advice. By including them in our repos, we can be more deliberate about when we update components, and we make it a point to review the changes before using them and shipping them to our end customers.

This helps us to somewhat mitigate the risk of supply chain attacks in our WP projects.
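The two gaps described above (pulling whatever “latest minor” resolves to, and skipping the hash check) can be closed with a small build gate. The following is an added example, not code from this post or from Composer: it assumes a constructed pin manifest in the spirit of a lock file, with each component pinned to the exact version and sha256 that was reviewed, and refuses anything that drifts.

```python
import hashlib
import hmac

# Constructed stand-in for the archive bytes of the version we reviewed
# before committing it to the repo.
REVIEWED_ARCHIVE = b"<?php // acme/wp-widget 1.4.2, reviewed contents"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed pin manifest (hypothetical component name): exact version plus
# the digest of the archive that was actually reviewed, never a range like ^1.4.
PINNED_MANIFEST = {
    "acme/wp-widget": {"version": "1.4.2", "sha256": sha256_hex(REVIEWED_ARCHIVE)},
}


def verify_component(name, fetched_version, fetched_bytes, manifest=PINNED_MANIFEST):
    """Return (ok, reason) for one pulled component.

    A component is rejected when it is not pinned at all, when the resolver
    drifted to a different version than the one reviewed, or when the archive
    bytes do not hash to the reviewed digest (a tampered or replaced package).
    """
    pin = manifest.get(name)
    if pin is None:
        return False, f"{name}: not in pin manifest"
    if fetched_version != pin["version"]:
        return False, f"{name}: pulled {fetched_version}, pinned {pin['version']}"
    digest = sha256_hex(fetched_bytes)
    # Constant-time comparison, so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(digest, pin["sha256"]):
        return False, f"{name}: sha256 mismatch for {fetched_version}"
    return True, f"{name} {fetched_version} verified"


def audit_pull(pulled, manifest=PINNED_MANIFEST):
    """Gate a whole build: return the rejection reasons for every pulled
    (name, version, bytes) triple that fails verification. Empty list = ship."""
    rejected = []
    for name, version, data in pulled:
        ok, reason = verify_component(name, version, data, manifest)
        if not ok:
            rejected.append(reason)
    return rejected
```

Run `audit_pull` over what the build fetched and fail the build when the list is non-empty; the only way to change a pin is to review the new version and update the manifest in the same commit.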

It’s just another small step in battling bad actors.

Further Reading on Supply Chain Attacks

What is a supply chain attack? Why to be wary of third-party providers | CSO Online

Supply Chain Attack | Examples & Security Best Practices | Imperva

What is a supply chain attack? Why you should be worried about your vendors | UpGuard
