{"id":53579,"date":"2023-09-08T01:09:00","date_gmt":"2023-09-08T01:09:00","guid":{"rendered":"https:\/\/www.darkreading.com\/edge-articles\/software-supply-chain-strategies-to-parry-dependency-confusion-attacks"},"modified":"2023-09-08T01:09:00","modified_gmt":"2023-09-08T01:09:00","slug":"software-supply-chain-strategies-to-parry-dependency-confusion-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/software-supply-chain-strategies-to-parry-dependency-confusion-attacks\/","title":{"rendered":"Software Supply Chain Strategies to Parry Dependency Confusion Attacks"},"content":{"rendered":"
<\/div>\n

“What’s in a name? That which we call a rose<\/em>
<\/em>By any other name would smell as sweet.”<\/em>
<\/em>\u2014 Romeo and Juliet, Act 2, Scene 2<\/em><\/p>\n

When Shakespeare wrote these words in 1596, he was saying that a name is just a convention. It has no intrinsic meaning. Juliet loves Romeo the person, not for his name.<\/p>\n

But, without knowing it, he was also describing dependency confusion attacks.<\/p>\n

Dependency confusion is when packages you are using in your code are not yours. They have the same name, but it is not your code that is running in production. Same name, but one package smells like a rose and the other … stinks.<\/p>\n

Recent research reports estimate that 41-49% of organizations are at risk for dependency confusion attacks. New research from OX Security shows that when an organization is at risk for a dependency confusion attack, 73% of their assets are vulnerable. The research focused on both midsize and large organizations (1k+, 8k+, 80k+ employees) across a wide range of sectors \u2014 finance, gaming, technology, and media \u2014 and found the risk in every sector across organizations of all sizes. The research also found that almost all applications with more than a billion users are using dependencies that are vulnerable to dependency confusion.<\/p>\n

This article aims to help you understand dependency confusion and how to prevent it.<\/p>\n

Double, Double<\/h2>\n

Dependencies (also called packages) are the building blocks of your software. Typically, these pieces of software, whether developed by entire communities or within a company, perform a common and necessary task.<\/p>\n

Package managers are frequently used to install dependencies and keep them updated. They scan both public and private registries for the name of the package and, all other things being equal, selects the highest version number. Attackers take advantage of this by placing a “dummy” package on the public registry with the same name, but higher version.<\/p>\n

When a package manager comes across two identical packages, one in a public registry and one in a private registry, it causes confusion \u2014 hence the name “dependency confusion.” Since the two packages are identical, the manager will automatically choose to install the one with a higher version: in this case, the attacker’s malicious package.<\/p>\n

This gives hijackers a back door into your software. From this point, they can execute data breaches, perform intellectual property theft, and otherwise compromise the software supply chain of trust. They can also introduce compliance violations that will trigger severe regulatory penalties.<\/p>\n

Toil and Trouble<\/h2>\n

There are various approaches to a dependency confusion attack.<\/p>\n