October 2023 Security Update: Database Provides Reports on Malicious Open-Source Packages

News of stronger attacks and more advanced defensive tools tops this month’s security update.


New Resource Publishes Reports of Malicious Packages

OpenSSF has launched its Malicious Packages Repository, the first open-source system for collecting and publishing cross-system malicious package reports. OpenSSF developed the project in response to increased attacks that use malicious open-source packages.

Henrik Plate, security researcher at Endor Labs, says, “It’s great to see an open-source project address this problem for a larger variety of ecosystems. This supports all the existing efforts of academic and corporate security researchers to secure the open source ecosystem.”

Action Items:

Plate cites several advantages of the repository, including:

  • Allowing academic researchers to test new approaches to malware detection
  • Providing an invaluable dataset for AI/ML training
  • Allowing developers to prevent malicious code from entering the CI/CD pipeline
  • Enabling vendors to share information on open-source vulnerabilities
  • Demonstrating that the open-source community can help protect consumers against OSS threats, including Top 10 OSS Risks

DDoS Attacks Reach a Whole New Level

Google and Amazon announced the largest distributed denial of service (DDoS) attacks to date, using the novel HTTP/2 “rapid reset” technique. The attack, which reached a peak in August, surpassed 398 million requests per second.

Google reports it stopped the attacks at the edge of its networks using global load-balancing infrastructure. It also added protections to mitigate the risk in the future.

Amazon also implemented additional mitigations but recommends that its customers who operate HTTP/2 capable web servers contact their vendors to see if they were affected and install patches, if necessary.

Action Items:

Jamie Scott, CISSP, founding product manager for Endor Labs and a volunteer consultant for the Center for Internet Security, suggests:

  • Prepare for the eventuality of DDoS attacks, particularly as you scale operations
  • Pay particular attention to SaaS services, ecommerce sites, and critical online information services
  • Monitor commercial and open-source web proxy and web server solutions for patches and updates as quickly as possible
  • Companies that rely on open-source solutions should assess their risks
  • Use denial of service prevention services

U.S. Government Seeks Input on SBOM Requirements  

The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) are proposing to amend the Federal Acquisition Regulation (FAR) to implement the software bill of materials (SBOM) requirements to mitigate cyberthreats according to the President’s Executive Order.

These agencies welcome input including:

  • How should SBOMs be collected from contractors?
  • What is the specific information that should be included in SBOMs?
  • What challenges will contractors face when developing SBOMs?
  • What challenges are unique to software resellers?
  • What are the challenges with legacy software?
  • How can agencies determine when an SBOM should be updated?
  • What’s the right balance in the response between the government and the contractor when a vulnerability is discovered?

Action Items:

  • Address written comments to the Regulatory Secretariat Division before December 4, 2023, for them to be considered in the final rule.

How to Create Cyber Resilience in the Age of AI

A new white paper from NCC Group points out that AI has the potential to support cybersecurity in several ways, from quickly analyzing log files and network traffic to supporting code development, testing, and threat analysis.

However, there are also negative use cases, such as creating the potential for runaway systemic failures and humans becoming overly dependent on AI for security decision-making.

Action Items:

Download the white paper for insights on strengthening security in the AI age, including:

  • Explore the benefits of machine learning for anomaly detection
  • Carefully evaluate code generated by large language models (LLMs) to ensure it doesn’t include security flaws
  • Educate yourself on how malicious actors are using AI, for example, to break a decryption key code with machine learning
  • Learn about threats to AI and ML systems, such as corrupting the integrity of image classification and prompt injection attacks

For more security updates and insights, visit DevPro Journal’s Security resources page.

Mike Monocello

The former owner of a software development company, with more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of DevPro Journal.
