New research from OX Security has found that almost all applications with more than 1B users are currently using dependencies which are vulnerable to dependency confusion attacks. Moreover, for organizations at risk, 73% of their assets are exposed to dependency confusion attacks, shedding new light on the devastating impact this type of attack can have on an organization.
The research, which looked at over 54,000 repositories, focused on both midsize and large organizations (1k+, 8k+, 80k+ employees) across a wide range of sectors, including finance, gaming, technology, and media. Risk of dependency confusion attacks was found across all sectors and organization sizes examined.
CIO INFLUENCE: CIO Influence Interview with Pete Lilley, Vice President and GM at Instaclustr
A dependency confusion attack is when malicious actors upload a software package with the same name as a legitimate one to a public package repository in order to trick developers into unknowingly using a malicious version of the software. This can lead to severe consequences, as developers unwittingly introduce vulnerable or malicious code into their projects, compromising their security and integrity.
Dependency confusion attacks are highly dangerous because they often bypass traditional security measures, making them difficult to detect and defend against. They can potentially affect a large number of users and organizations reliant on the compromised dependencies, with one recent major example taking place in December 2022, when the PyTorch open source software supply chain was compromised.
CIO INFLUENCE: JFrog Software Supply Chain Platform Delivers 393% ROI According to Total Economic Impact Study
Software companies are often particularly targeted for dependency confusion attacks because while the company thinks a package name is safe in a private registry, hijackers can still find the package name on package hosting services, public script files, and leaked internal paths.
“These findings of our latest research are deeply disturbing, as these types of attacks not only compromise the integrity and security of organizational assets, but they potentially impact those organizations’ employees and users globally. Moreover, the fact that when an organization is at risk, a staggering 73% of their assets are vulnerable, really sheds light on just how exposed many organizations regardless of size or industry really are,” said OX Security CEO and Co-Founder Neatsun Ziv.
CIO INFLUENCE: World Password Day: Password advice for CIOs
[To share your insights with us, please write to sghosh@martechseries.com]