Nexus Intelligence research engine now automatically detects counterfeit and malicious code injections into open source software supply chains
Fulton, MD – Tuesday, Sept. 24, 2019 –Today, Sonatype, the inventors of software supply chain automation, announced it has developed new early warning capabilities to detect malicious releases of open source components, known as “counterfeit components,” and block their use within modern software factories. The patent-pending technology, part of the next generation of Sonatype’s Nexus Intelligence, monitors millions of open source projects in real-time to identify abnormal development behavior and suspicious patterns as new component versions are released.
Combating Counterfeit Components
Over the past two years, more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories were recorded. Adversaries used these attacks to mine cryptocurrency, steal private ssh keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source project code impacted by the malicious injections have been difficult to detect because, on the surface, they look no different than other open source code contributions.
“We’ve been closely monitoring this new battlefront of cyber criminal attacks on software supply chains,” said Brian Fox, CTO of Sonatype. “We were the first to recognize this new macro trend and immediately started research into mechanisms to protect the consumers of these dependencies. By combining a new type of behavioral analysis with machine learning and proprietary data, Nexus Intelligence now recognizes when new releases of an OSS project demonstrate heightened risk attributes. Infused with this new type of intelligence, the Nexus Platform is enabling innovative policy controls to protect organizations from emergent supply chain threats.”
Automate and Scale Dependency Management
In addition to identifying malicious activity based on commit behavior, Sonatype’s expanded Nexus Intelligence capabilities also collect real-time metadata pertaining to the quality of new component version releases. This provides another layer of insight into the integrity of every new version of a component and will enable developers to automate and scale dependency management with greater peace of mind.
New versions of components are released at an overwhelming pace, approximately 20,000 per day, making it impossible for most teams to manually manage dependencies. Sonatype’s next generation Nexus Intelligence will automate this otherwise painful process and help developers update to the best and newest versions of component releases.
“While stopping malicious attacks is critical, what people don’t always recognize as just as important, is the inherent risk associated with each update to a new version of a component. Or, the risk of not updating,” said Fox. ”Whether you’re concerned about malicious attacks or the quality of the release you’re updating to, we’re working on providing a proactive level of risk protection that is unparalleled. Every other open source security vendor can only provide reactive assistance.”
The first iteration of Sonatype’s new Nexus Intelligence capabilities focuses on understanding the commit behaviors and patterns of npm components and creators, with the goal of expanding to additional languages over time.
Additional Resources
About Sonatype
More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from Accel Partners, Goldman Sachs, Hummer Winblad Venture Partners and TPG. Learn more at www.sonatype.com.