Best Practices For Managing Ruby Supply Chain Security Risks
Table of Contents
Software supply chain attacks are on the rise – the attacks increased by more than 600% between 2020 and 2021. On RubyGems, the official package repository for the Ruby programming language, attackers usually take advantage of the implicit trust developers have on the gems deployed on the platform and infect them with malicious code.
And when a developer incorporates a compromised open source library in their project, bad actors use that as a stepping stone to stage attacks to a wider audience downstream, resulting in supply chain attacks.
This blog talks about the best practices for managing supply chain security risks in Ruby applications in order to prevent Ruby supply chain attacks.
Types of Ruby supply chain attacks
Open source software provides a lucrative opportunity for bad actors to penetrate the supply chain of your Ruby applications and instigate Ruby supply chain attacks . Third-party packages are widely used to speed up software delivery times, improve the efficiency of development teams, and produce quality software.
However, in addition to these benefits, open source libraries are vulnerable to attacks and supply chain risks that could affect the performance of your applications.
Let’s address the main types of supply chain attacks associated with using open source libraries in Ruby applications.
1. Gems Typosquatting Attacks
Typosquatting is a common type of attack on the RubyGems ecosystem. It involves pushing misspelled malicious gems to the registry with the intention of duping developers into using them.
Typosquatting relies on mistakes developers make when searching for gems. An attacker can deliberately create a malicious gem and name it like a legitimate gem. And if a developer makes a typing error, they could land on the similarly named gem.
In 2020, security researchers found more than 700 malicious typosquatted packages on the RubyGems platform. One of the harmful packages they discovered was called atlas-client, which typosquatted the legitimate package called atlas_client. Once installed on Windows devices, the fake package ran a script that intercepted cryptocurrency payments.
2. Brandjacking Attacks
Typosquatting is closely related to another type of attack called brandjacking. In a brandjacking attack, a malicious actor takes advantage of the popularity of a package and provides a similarly named malicious package that lures developers into installing it.
For example, an attacker can create a package that is popular in other registries, such as npm or PyPI, and deploy it on RubyGems, where it is missing. And if a developer uses the same name to look for it on RubyGems, they land on the brandjacked package.
3. Malicious Takeover Attacks
Malicious takeover attacks occur when a bad actor uses social engineering tricks to get the account credentials of the project owner and overtake the repo. A wolf in sheep’s clothing contributor may offer to keep a package up to date. And if granted access to the repository, the malicious maintainer could tamper with the package, inject backdoors, or cause other damages.
Alternatively, an attacker could extract the credentials if the project owner has a weak credential management system.
In 2019, attackers compromised the credentials of one of the maintainers of rest-client, a popular library in RubyGems, and used them to distribute malicious code.
4. Primed Repository Attacks
Primed repository attacks occur when a miscreant publishes a package on RubyGems with the intention of building its popularity and using it for staging attacks in the future.
For example, the Mend Supply Chain Defender security team recently discovered a RubyGems library called ddtracer, which was an intricate build-up for future Ruby supply chain attacks.
5. Security Research Smokescreen Attacks
RubyGems has a policy that allows packages to be used for security research. However, the Mend Supply Chain Defender team recently discovered 61 gems that claimed to be used for security research but were intended for malicious purposes.
Best practices to mitigate attacks
Managing the risks of the Ruby supply chain is a challenging task. In today’s software development landscape, it’s not possible to eliminate reliance on open source software.
As a Ruby developer, however, you can take some proactive steps to minimize the open source software risks, prevent Ruby supply chain attacks, and ensure you release quality and performant products.
Let’s delve into some best practices you can follow to improve the supply chain security of your Ruby projects.
1. Eliminate Trust
Applying a Zero Trust philosophy can help you overcome the supply chain security challenges in your Ruby environment. Bad actors usually use trust as an attack vector or an easy entry point to infect packages.
A Zero Trust approach requires that you treat every dependency as untrusted by default. You then need to implement sufficient measures to verify the legitimacy of every gem before incorporating them into your project.
For example, instead of automatically updating your packages, you should assume that every update is insecure and explicitly validate their security before installation.
2. Probe Gems
Before acquiring any gem to include in your Ruby project, you need to ask some questions.
- Is the gem from an authentic source? If its source is questionable or it has a misspelled name, it could make you susceptible to brandjacking or typosquatting attacks. You should avoid those that appear to be squatting on a typo of more popular packages.
- When was the gem released? Is it a new package? Typically, you should wait for at least 30 days for a new package’s safety to be verified by the community’s security researchers before starting to use it.
- Is the gem properly documented with healthy codebase comments? A package that is poorly documented should raise the red flags.
- How well is the gem maintained? When was its last commit? If a gem is under-maintained or abandoned, it could be ripe for a malicious takeover.
- Which open source license is the gem using? You need to review its open source license and ensure you’re comfortable with it.
3. Maintain Visibility
Lack of visibility into your software supply chain could be a recipe for disaster. You need to know what’s happening with your direct and transitive dependencies at all times.
Even after probing your gems and selecting the ones to include in your project, you should not burn your bridges and forget about them. You need to constantly examine your dependencies for newly identified vulnerabilities.
If you discover that a package no longer offers the intended value, you need to remove it. Having stagnant gems could provide attackers with a weak link to harm your application.
4. Implement Multi-Factor Authentication
You need to implement multi-factor authentication across your supply chain. Providing two or more pieces of evidence before accessing your sensitive resources could help you avoid malicious takeover attacks.
If you enable two-factor authentication on RubyGems, you could increase the security of your account and reduce the chances of malicious infiltration that can cause Ruby supply chain attacks.
5. Separate Build Steps
You need to run all build processes in hermetic, isolated, and ephemeral environments. Separating your CI stages across multiple infrastructures could help you avoid releasing products with exploitable vulnerabilities.
Avoiding using the same environment for executing specs, creating containers, pushing updates, or anything else, could greatly increase the security of your software.
6. Be Proactive
Most organizations usually treat supply chain security incidents using reactive measures. With a proactive approach, however, you can neutralize supply chain risks and keep your Ruby project healthy.
For example, you can educate your team on secure dependency management practices. You can also include critical production-related CVE notifications in your security alert mechanism. That’s the best way to get prompt security alerts and ensure you’re ahead of the threat actors.
How Mend Supply Chain Defender helps
Mend Supply Chain Defender is a robust security scanning and risk management tool that helps you manage supply chain risks in your Ruby projects and prevent. It’s the platform you need to safeguard yourself against the risks of using open source third-party dependencies.
Mend Supply Chain Defender scans your gems and assesses their behaviors, assisting you to keep track of the state of your production and avoid poisoning your downstream clients with malicious releases.
It intelligently allows you to block installing malicious packages, understand the risks of new vulnerabilities, ensure open source licensing consistency, and create security policies around dependencies and their versioning.
It’s the tool you need to add comprehensive supply chain risk mitigation measures in your Ruby projects, protect yourself against Ruby supply chain attacks, and deploy with confidence.