Spectral, the developer-first cybersecurity company, today announced the release of Preflight, an open source tool to help developers defend against supply chain attacks. A supply chain attack occurs when an attacker exploits vulnerabilities in third-party software that has access to another organization’s systems and data, infiltrating the organization through a weak link in its supply chain.
The recent Codecov supply-chain breach was a perfect illustration of this type of attack – and its severity. A number of companies were affected, including Monday.com, an online workflow management platform, which works with well known brands like Uber, BBC Studios, Universal, Hulu, L’Oreal, Coca-Cola, and Unilever.
Monday.com disclosed that, due to the Codecov cyber attack, unauthorized users were able to obtain credentials harvested from a copy of their source code, and use them to access sensitive information from hundreds of customer networks.
Preflight offers protection by automatically verifying a user’s CI and third-party scripts before executing them. It can also verify binaries, or any other kind of executable, and block them from running if they contain malware, by querying popular anti-malware services (with no vendor lock-in: the user can choose the vendor they prefer). Preflight is also open source, so users can review the source, build it themselves, and contribute anything they find to be missing.
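To illustrate the verify-before-execute pattern described above, here is an added example written for this article; it is not Preflight’s own code and does not use its CLI. It assumes a POSIX shell with `sha256sum` and `mktemp`, and the URL in the usage line is a placeholder.

```sh
#!/usr/bin/env sh
# Added example (not Preflight's code): pin a reviewed script's SHA-256 digest
# and refuse to run anything whose digest differs, instead of `curl ... | sh`.
# Assumes sha256sum and mktemp are available.

# verified_run EXPECTED_SHA256 [args...]
# Reads the script from stdin into a temp file, compares its digest with the
# pinned one and executes it only on an exact match.
# Returns the script's exit status on a match, 2 on a digest mismatch, 1 on
# an I/O error.
verified_run() {
  expected="$1"; shift
  tmp=$(mktemp) || return 1
  cat > "$tmp" || { rm -f "$tmp"; return 1; }
  actual=$(sha256sum "$tmp" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run: digest $actual does not match pinned $expected" >&2
    rm -f "$tmp"
    return 2
  fi
  # Run with a minimal, explicit environment so the script cannot read CI
  # secrets it was not deliberately given.
  env -i PATH=/usr/bin:/bin sh "$tmp" "$@"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample: the script that was reviewed, and the digest pinned
# for it at review time (in CI the pin would be stored in the repo).
SAMPLE_SCRIPT='echo hello from pinned script'
SAMPLE_SHA256=$(printf '%s' "$SAMPLE_SCRIPT" | sha256sum | cut -d' ' -f1)

# Usage in a CI step (placeholder URL):
#   curl -fsSL https://example.invalid/install.sh | verified_run "$SAMPLE_SHA256"
```

Any later change to the fetched script, malicious or not, changes its digest and is rejected, which forces a deliberate re-review and re-pin rather than silent execution.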
“Hackers have become increasingly sophisticated, with a variety of tools, but their basic strategy is always the same: gain access to the most sensitive and valuable information, like sensitive tokens, API keys, credit card numbers and bank account details, by finding weaknesses,” said Dotan Nahum, CEO and co-founder of Spectral.
“There were actually a lot of lessons learned from this incident. Most importantly, hackers will exploit any weakness they come across, so the only defense is to continuously and automatically protect and monitor supply chain gaps and public blindspots.”
“Despite the efforts of cybersecurity professionals to protect assets, supply chain attacks are only increasing. Unfortunately, supply chain attacks are often neglected, especially when it comes to developer infrastructure and supporting tech stacks,” said co-founder and COO Idan Didi.
“Last year, for example, a group was able to exploit SolarWinds’ Orion software and gain access to government and military clients, as well as US Fortune 500 companies amongst others. The incident emphasized the seriousness of supply chain attacks, and the sad fact that most organizations are simply unprepared to counter these threats.”