Respond to Malware Incidents Faster with Advisory Impact Analysis in Semgrep Supply Chain

Semgrep Supply Chain’s advisory impact analysis helps AppSec teams quickly know if, and how, they’re affected by the latest supply chain attack. AppSec can quickly search their environment for all findings for a new CVE, and see down to the branch level any project where the malware may be exploited.

December 19th, 2025

The last few months saw a sharp rise in the frequency and severity of supply chain security incidents, where various malicious package versions made their way from trusted package managers downstream to countless organizations and their projects. During such critical severity events, security teams go into all-hands-on-deck mode, fighting fires and trying to remove the malicious packages as quickly as possible, while the CISO demands answers and assurances. In about as long as it takes to say Shai-Hulud, the nature of their work upends from risk mitigation and security hygiene to incident response.

Attack Surface Has Also Shifted Left

SCA tools are used to identify all the open source and third-party packages your software is using. They were designed to be preventative in nature, allowing AppSec practitioners to manage dependencies, ensure safe upgrades, and generally maintain a low-risk environment.

So when a malicious package is introduced through npm, for example, it seems logical that SCA would help you determine whether your environment has imported that affected package.

But as countless organizations have had to painfully learn over the last few months, it turns out that answering this question is not trivial. Identifying all potentially impacted areas in your environment during a critical severity incident has meant generating an SBOM to identify which package versions you’re using, and then auditing those versions to determine whether your projects are affected, before even beginning the remediation process. Compound this with the added complexity that multiple packages, and many versions of those packages, could all be affected, which is exactly what many of this year’s incidents proved. All of this creates havoc in a security organization, and costs precious time when response speed is essential to mitigating an attack’s effects.

From Reactive to Responsive

Semgrep Supply Chain’s advisory impact analysis helps AppSec teams quickly know if, and how, they’re affected by the latest supply chain attack. When Semgrep issues an advisory in response to a new CVE, e.g. during the latest malware incident, advisory impact analysis organizes scan results in a way that allows you to quickly search your environment for relevant findings. Using the Semgrep Pro engine, it also pinpoints where exactly in your environment those findings lie. Whether you have a single version or multiple versions of an affected package, you can easily see down to the branch level any project where the new CVE may be exploited.

Instead of having to comb through potentially vast numbers of repos, you can now simply search by <advisory> or <CVE>, and Semgrep will identify all the projects where you are affected, or conversely, make it clear right away if you are not. So the next time there’s a supply chain security incident in the wild, you don’t have to cobble together so many highly manual and time-consuming workflows in an emergency situation.
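The manual workflow the previous sections describe (generate an SBOM per project, then audit the recorded versions against the advisory's affected list, branch by branch) can be made concrete with a small script. The following is an added example, not Semgrep's code and not how Semgrep Supply Chain is implemented: it takes a constructed advisory (a placeholder id and made-up package names and versions), a set of constructed CycloneDX-style SBOM fragments keyed by project and branch, and reports every project/branch where an affected package version is present. Package identity is taken from each component's purl (`pkg:npm/%40scope/name@version`), so the match is scoped to the advisory's ecosystem and a same-named PyPI package does not produce a false hit.

```python
"""Added example: match a supply-chain advisory against per-project,
per-branch SBOM inventories. Not Semgrep's code; all names, versions and
the advisory id below are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import unquote


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split a package URL into (ecosystem, name, version).

    Handles the common form pkg:type/[namespace/]name@version and drops
    qualifiers (?...) and subpaths (#...). Namespace segments are
    percent-decoded, so pkg:npm/%40scope/pkg@1.0.0 yields '@scope/pkg'.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep:
        raise ValueError(f"purl without version: {purl}")
    ecosystem, _, rest = path.partition("/")
    name = "/".join(unquote(seg) for seg in rest.split("/"))
    return ecosystem, name, version


# Constructed advisory (placeholder id, hypothetical packages and versions).
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "ecosystem": "npm",
    "affected": {
        "left-pad-ish": {"1.3.1", "1.3.2"},
        "@acme/colorful-strings": {"4.0.0"},
    },
}

# Constructed CycloneDX-style SBOM fragments, one per (project, branch).
INVENTORIES = {
    ("payments-api", "main"): {"components": [
        {"purl": "pkg:npm/left-pad-ish@1.3.1"},
        {"purl": "pkg:npm/express@4.19.2"},
    ]},
    ("payments-api", "release/2.4"): {"components": [
        {"purl": "pkg:npm/left-pad-ish@1.2.9"},   # older, unaffected version
    ]},
    ("web-frontend", "main"): {"components": [
        {"purl": "pkg:npm/%40acme/colorful-strings@4.0.0"},
        {"purl": "pkg:pypi/left-pad-ish@1.3.1"},  # same name, other ecosystem
    ]},
}


@dataclass(frozen=True)
class Hit:
    project: str
    branch: str
    package: str
    version: str


def find_impact(advisory: dict, inventories: dict) -> list[Hit]:
    """Return one Hit per affected component found in any project/branch."""
    affected = advisory["affected"]
    hits: list[Hit] = []
    for (project, branch), sbom in inventories.items():
        for component in sbom.get("components", []):
            ecosystem, name, version = parse_purl(component["purl"])
            if ecosystem != advisory["ecosystem"]:
                continue
            if version in affected.get(name, ()):
                hits.append(Hit(project, branch, name, version))
    return hits


def summarize(hits: list[Hit]) -> dict[str, list[str]]:
    """Collapse hits to project -> sorted list of affected branches."""
    by_project: dict[str, set[str]] = {}
    for hit in hits:
        by_project.setdefault(hit.project, set()).add(hit.branch)
    return {p: sorted(b) for p, b in sorted(by_project.items())}


if __name__ == "__main__":
    found = find_impact(ADVISORY, INVENTORIES)
    if not found:
        print(f"{ADVISORY['id']}: no affected versions present")
    for hit in found:
        print(f"{ADVISORY['id']}: {hit.project}@{hit.branch} "
              f"uses {hit.package}@{hit.version}")
    print(summarize(found))
```

An empty result is the useful "you are not affected" answer the post mentions; in practice the inventories would come from SBOMs exported per branch rather than from inline dicts, and the advisory's affected-version set would be taken from the published advisory rather than typed in.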

Another Step Toward Securing Supply Chains

While the community anxiously prepares for the next major supply chain security incident (these events are expected during the holidays), we at Semgrep continue to evolve our product to address the shifting realities of the security landscape. We’d like to thank our customers for working with us to identify emerging pain points and for enabling us to develop new functionality to meet those needs. With the introduction of malicious dependency detection earlier this month, and now advisory impact analysis, responding to the next incident can be a lot more automated and a lot less painful. Happy holidays!

About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.