In compiled/installed software, the concept of “supply chain risk” is at least a thing that companies are aware of. However, when it comes to web software, I have not heard many companies really conceptualize their “supply chain” exposure from the myriad of scripts/dependencies injected via tag managers and other software.
And it’s not just tag managers (GTM/DTM, etc.) - the React create app command builds a boilerplate with hundreds of packages as dependencies.
Has anyone employed any kind of automated scanning to try and catch known malicious code in these?
On the tag manager front, I’m afraid the very premise of letting non-technical people manage code is what makes these a built-in vulnerability. Educating those in control as to risks seems to be the only option, in addition to normal malware scanning you have to do if you run ads.
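The first step toward the monitoring sologoub is asking about is an inventory of which third-party origins a page actually pulls script from, and which of those loads carry Subresource Integrity. Below is example code added for this thread, not from any poster or from the products mentioned later; the HTML page, the page host and the allowlist are all constructed, and the GTM container id is a placeholder.

```python
"""Inventory the external <script src> loads on a page, then flag hosts that
are not on an allowlist and loads that carry no Subresource Integrity hash.
Example code added for this thread; the HTML and allowlist are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one allowlisted CDN script
# with SRI, a tag-manager loader, a partner analytics script, one inline script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/vendor.js"
        integrity="sha384-constructedABC" crossorigin="anonymous"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script src="//analytics.partner-example.net/collect.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>"""

PAGE_HOST = "www.example.com"          # constructed: the host serving the page
ALLOWED_ORIGINS: Set[str] = {"cdn.example.com"}  # constructed allowlist


class ScriptCollector(HTMLParser):
    """Collect src and integrity attributes of every <script> that has a src."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "script":
            return
        a = dict(attrs)
        if "src" in a:
            self.scripts.append({"src": a["src"] or "",
                                 "integrity": a.get("integrity") or ""})


def external_scripts(html: str, page_host: str) -> List[Dict[str, str]]:
    """Return the script loads whose host differs from the page's own host.
    Relative URLs (no host) and same-origin loads are first-party and skipped;
    protocol-relative URLs like //host/x.js are treated as external."""
    parser = ScriptCollector()
    parser.feed(html)
    found = []
    for s in parser.scripts:
        host = urlparse(s["src"]).hostname
        if host is None or host == page_host:
            continue
        found.append({"host": host, "src": s["src"], "integrity": s["integrity"]})
    return found


def flag(scripts: List[Dict[str, str]], allowed: Set[str]) -> Dict[str, List[str]]:
    """Hosts outside the allowlist, and external loads with no integrity hash."""
    return {
        "unlisted_hosts": sorted({s["host"] for s in scripts if s["host"] not in allowed}),
        "no_sri": sorted(s["src"] for s in scripts if not s["integrity"]),
    }


def inventory(html: str, page_host: str, allowed: Set[str]) -> Dict[str, List[str]]:
    return flag(external_scripts(html, page_host), allowed)


if __name__ == "__main__":
    for key, values in inventory(SAMPLE_HTML, PAGE_HOST, ALLOWED_ORIGINS).items():
        print(key, values)
```

Two caveats matter when reading the output. A static scan only sees the first hop: the tag-manager loader shows up, but whatever the container injects at runtime does not, so the runtime set has to come from a headless-browser crawl or from Content-Security-Policy report-only telemetry. And SRI only works for scripts whose bytes never change, so a tag-manager loader or analytics collector will always land in `no_sri`; for those the control is the allowlist review and CSP, not a hash.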
> I have not heard many companies really conceptualize their “supply chain” exposure from the myriad of scripts/dependencies injected via tag managers and other software.
The article also stated that the malware being a part of an installation utility gave it basically the Windows equivalent of root access. Why does any normal app need root access?
Supply chain attacks are one of my personal nightmares.
However, on the bright side, cryptominers are continuing to perform a public service by providing non-destructive whole-lifecycle penetration testing on a contingent-fee basis.
The packages served to the vendor could be legit, but packages served to everyone else are compromised. The vendor would never know there was a problem.
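The question earlier in the thread about automated scanning of the hundreds of packages a boilerplate pulls in, and the point just above about a registry serving clean packages to the vendor and something else to everyone else, both come down to auditing the lockfile rather than trusting the live install. The following is example code added for this thread, not from any poster or from the scanning products mentioned below; the package names, versions, hashes, advisory entries and registry allowlist are all constructed. It checks exact (name, version) pairs against an advisory list, compares each package's `integrity` hash with the one recorded when the dependency was reviewed (the check that catches "same name and version, different bytes"), and flags tarballs resolved from a host outside the expected registry.

```python
"""Audit an npm package-lock.json for three supply-chain signals: exact
(name, version) pairs on an advisory list, integrity hashes that differ from
the ones recorded at review time, and tarballs resolved from a host outside
the registry allowlist. Example code added for this thread, not from any
poster or product mentioned; names, hashes and advisories are constructed."""
import json
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlparse

Package = Dict[str, str]  # keys: version, integrity, resolved

# Constructed sample lockfile (lockfileVersion 2 layout, trimmed).
SAMPLE_LOCK = """{
  "name": "example-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/left-widget": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-1.3.0.tgz",
      "integrity": "sha512-AAA"},
    "node_modules/stream-helper": {
      "version": "3.3.6",
      "resolved": "https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.6.tgz",
      "integrity": "sha512-BBB"},
    "node_modules/left-widget/node_modules/color-utils": {
      "version": "2.0.1",
      "resolved": "https://mirror.example.net/color-utils/-/color-utils-2.0.1.tgz",
      "integrity": "sha512-CCC"}
  }
}"""

# Constructed sample in the older lockfileVersion 1 layout (nested tree).
SAMPLE_LOCK_V1 = """{"lockfileVersion": 1, "dependencies": {
  "left-widget": {"version": "1.3.0",
    "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-1.3.0.tgz",
    "integrity": "sha512-AAA",
    "dependencies": {"stream-helper": {"version": "3.3.6",
      "resolved": "https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.6.tgz",
      "integrity": "sha512-BBB"}}}}}"""

# Constructed inputs: an advisory feed entry, hashes recorded at review time,
# and the only host tarballs are expected to come from.
ADVISORIES: Set[Tuple[str, str]] = {("stream-helper", "3.3.6")}
PINNED: Dict[str, str] = {"left-widget": "sha512-AAA", "color-utils": "sha512-CCC-as-reviewed"}
ALLOWED_HOSTS: Set[str] = {"registry.npmjs.org"}


def _meta(entry: Dict) -> Package:
    return {k: entry.get(k, "") for k in ("version", "integrity", "resolved")}


def parse_lock(text: str) -> Dict[str, Package]:
    """Map package name -> {version, integrity, resolved} for lockfileVersion
    2/3 ('packages' keyed by install path) or lockfileVersion 1 (nested tree)."""
    lock = json.loads(text)
    found: Dict[str, Package] = {}
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            found[path.split("node_modules/")[-1]] = _meta(entry)  # keeps @scope/name
        return found
    walk: Callable[[Dict], None]

    def walk(deps: Dict) -> None:
        for name, entry in deps.items():
            found[name] = _meta(entry)
            walk(entry.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found


def find_known_bad(pkgs: Dict[str, Package], advisories: Set[Tuple[str, str]]) -> List[str]:
    """Packages whose exact (name, version) pair appears on the advisory list."""
    return sorted(n for n, m in pkgs.items() if (n, m["version"]) in advisories)


def find_integrity_drift(pkgs: Dict[str, Package], pinned: Dict[str, str]) -> List[str]:
    """Packages whose integrity hash no longer matches the hash recorded at
    review time: same name and version, different tarball bytes."""
    return sorted(n for n, h in pinned.items() if n in pkgs and pkgs[n]["integrity"] != h)


def find_off_registry(pkgs: Dict[str, Package], allowed_hosts: Set[str]) -> List[str]:
    """Packages resolved from a host outside the allowlist (or with no URL)."""
    return sorted(n for n, m in pkgs.items()
                  if (urlparse(m["resolved"]).hostname or "") not in allowed_hosts)


def audit(text: str, advisories: Set[Tuple[str, str]], pinned: Dict[str, str],
          allowed_hosts: Set[str]) -> Dict[str, List[str]]:
    pkgs = parse_lock(text)
    return {"known_bad": find_known_bad(pkgs, advisories),
            "integrity_drift": find_integrity_drift(pkgs, pinned),
            "off_registry": find_off_registry(pkgs, allowed_hosts)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, ADVISORIES, PINNED, ALLOWED_HOSTS), indent=2))
```

The integrity check is only as good as where the pinned hashes come from: they have to be captured on a machine you trust at review time and stored outside the lockfile, otherwise a lockfile regenerated on a compromised build host will simply carry the new hash. Running the audit in CI on every lockfile change, with the advisory list refreshed from a feed, turns it into the kind of automated scan the thread is asking about.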
sologoub | 7 years ago
patrickmn | 7 years ago
I made a thing called "TrackerMap" that allowed people, mostly Fortune 500 web/risk/compliance people, to do just that: https://www.crownpeak.com/products/monitoring-solutions/tag-...
(It has since been acquired, and I have no affiliation.)
mjevans | 7 years ago
Horrid 'enterprisy' java applications showed everyone how bad things could get and those same mistakes are being replicated instead of learned from.
mey | 7 years ago
https://www.blackducksoftware.com/ https://www.sonatype.com/nexus-firewall
I believe there are others, just pulling from memory.
scarface74 | 7 years ago
jacques_chester | 7 years ago
walterbell | 7 years ago
mey | 7 years ago
unknown | 7 years ago
[deleted]
amelius | 7 years ago
The vendor doesn't test their software in its entirety?
steve19 | 7 years ago
yCloser | 7 years ago
scarface74 | 7 years ago