Malicious Packages Unwrapped – Getting Ahead of Application Infiltration – Jeff Martin – RSA23 #4
Unlike vulnerabilities, which can and do often exist for months or years in application code without being exploited, a malicious package represents an immediate threat to an organization, intentionally designed to do harm. In the war for cybersecurity, attackers are innovating faster than companies can keep up with the threats coming their way. A new approach is needed to stay ahead of the impacts of malicious packages within applications.
Findings from our latest report "Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities" illustrate the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and rubygems alone grew 315 percent.
Mend.io technology detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration – causing an unauthorized transmission of information. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed.
We’ll explain why, as long as open source stays open, the door will remain open to bad actors, which makes it especially critical to know when new code is being brought into your own. Unlike vulnerabilities, malicious packages represent an immediate threat and cannot be taken lightly.
Segment Resources: 360° Malicious Package Protection - https://www.mend.io/malicious-open-source-package-protection/
Please download the Mend Malicious Packages Special Report and be on the lookout for a webinar reviewing the findings on May 30. You can learn more about how to get ahead of malicious packages at https://www.mend.io/malicious-open-source-package-protection/
This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to learn more about them!
Guest
Jeff has spent the last 20 years in Product roles helping both the organizations he worked for and their customers transform and measure their software risk management processes and practices. He especially enjoys cultural and mindset transformations for their ability to create lasting progress.