The recent Polyfill.io supply chain attack, affecting over 100,000 websites, has been a wake-up call for the software development community. This attack embedded malware into JavaScript CDN assets, compromising the integrity and security of countless applications. As we dissect this incident, it’s clear that creating and analyzing Software Bill of Materials (SBOMs) as part of the CI/CD pipeline could have identified the issue early, allowing companies to remediate the risk quickly. In this blog, we’ll explore the Polyfill.io attack, the role of SBOMs, and how tools like the Cryptosoft OWASP Dependency-Track Managed Service can help prevent and address such threats.

The History of Polyfill.io

Polyfill.io has been a widely used service in the web development community. A polyfill is a piece of code (usually written in JavaScript) used to provide modern functionality on older browsers that do not natively support the capability. Launched several years ago, Polyfill.io quickly became a go-to solution for developers seeking to maintain browser compatibility without manually including multiple polyfill scripts.
Polyfill.io’s popularity stems from its simplicity and efficiency. Developers can request only the polyfills they need based on the user’s browser, reducing the overall size of the JavaScript payload and improving performance. This tailored approach has made Polyfill.io an integral part of many web projects, from small websites to large-scale applications. However, this widespread adoption also means that any compromise of Polyfill.io can have a significant impact, as evidenced by the recent supply chain attack.

Understanding the Polyfill.io Supply Chain Attack

Attackers gained access to the Polyfill.io service and injected malicious code into the polyfills, which were distributed to thousands of websites relying on Polyfill.io for compatibility fixes. This malicious code executed unauthorized actions on users’ browsers, leading to data breaches and other security issues.

The attack exploited developers’ trust in a third-party service, highlighting the vulnerability of relying on external code without thorough vetting and monitoring. This software supply chain attack’s widespread impact underscores the need for better mechanisms to track and analyze dependencies in software projects.

The Role of SBOMs in Identifying and Mitigating Supply Chain Attacks

An SBOM is a detailed inventory of all components, libraries, and modules used in a software project. By creating an SBOM, organizations can gain visibility into their software dependencies, which is crucial for identifying and mitigating risks associated with third-party components.

Integrating SBOM creation into the CI/CD pipeline ensures that an up-to-date inventory of software components is maintained at every stage of development. This can be achieved using tools that automatically generate a current SBOM for software during the build process.

Here’s how SBOMs could have helped identify the Polyfill.io issue:

Inventory Management: An SBOM would list Polyfill.io as a dependency within the application, making it easier to track its usage across various projects.

Vulnerability Scanning: By continuously re-scanning the SBOM while the application is running in production, not only at build time, any newly reported vulnerability or change in a dependency could be flagged. A sudden vulnerability reported in Polyfill.io could have triggered an alert.

Impact Analysis: In the event of a reported vulnerability, an SBOM allows for a quick assessment of which projects and applications are affected, facilitating a faster response.
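The three points above, worked through on constructed CycloneDX SBOMs (example code added here, not part of the original post or of any Cryptosoft tool): inventory, matching against an advisory record, impact analysis across projects, plus a build-blocking policy check. It assumes the SBOM generator recorded the CDN-loaded polyfill.io script as a component, which a lockfile-based generator alone would not do; the advisory id is a placeholder, not a real CVE.

```python
import json

# Constructed CycloneDX 1.5 SBOMs for two hypothetical applications (not real projects).
# polyfill.io arrives via a CDN <script> tag, so a lockfile-based generator would not list
# it; the SBOM must record externally loaded scripts as well, as the storefront one does.
SBOM_JSON = {
    "storefront": """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "polyfill.io", "version": "3", "purl": "pkg:generic/polyfill.io@3"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}]}""",
    "admin-portal": """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "react", "version": "18.2.0", "purl": "pkg:npm/react@18.2.0"}]}""",
}

# Constructed advisory standing in for an NVD/OSV record (placeholder id, not a real CVE).
ADVISORIES = [{"id": "ADVISORY-PLACEHOLDER-1", "severity": "critical",
               "affects": "pkg:generic/polyfill.io",
               "summary": "malicious code served from the polyfill.io CDN"}]

def inventory(sbom_text):
    """Inventory management: the components of one SBOM as sorted package URLs."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sorted(c["purl"] for c in sbom.get("components", []))

def scan(sbom_text, advisories):
    """Vulnerability scanning: advisories whose affected purl occurs in the SBOM.
    The version is ignored because every build served by the CDN was affected."""
    return [{"purl": purl, "id": adv["id"], "severity": adv["severity"]}
            for purl in inventory(sbom_text) for adv in advisories
            if purl.split("@", 1)[0] == adv["affects"]]

def impact(sboms, advisories):
    """Impact analysis: only the projects that carry an affected component."""
    results = {name: scan(text, advisories) for name, text in sboms.items()}
    return {name: findings for name, findings in results.items() if findings}

def policy_gate(findings, block_on=("critical",)):
    """Policy enforcement: False means block the build or deployment."""
    return not any(f["severity"] in block_on for f in findings)

if __name__ == "__main__":
    for proj, findings in impact(SBOM_JSON, ADVISORIES).items():
        print(proj, "ok" if policy_gate(findings) else "BLOCKED", findings)
```

Run against a real advisory feed, the same matching on the version-less part of the purl is what flags every project still loading the script, however old the SBOM's recorded version.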

Leveraging Cryptosoft’s OWASP Dependency-Track Managed Service for Enhanced Security

Cryptosoft’s service is based on OWASP Dependency-Track, an open-source platform that helps organizations identify and reduce risk in the software supply chain. By uploading SBOMs to the Cryptosoft service, companies can gain deeper insights into their dependencies and quickly identify and remediate issues.

Cryptosoft makes it easy for you to create the CycloneDX format SBOM that the analysis service requires for ingestion within your CI/CD pipeline. You could also use a CycloneDX SBOM you have already created. For more details on how to create the SBOM and automatically deploy it to the SBOM analysis service within your CI/CD Pipeline, refer to A Guide to Using The Cryptosoft SBOM Creation Utility.

Here’s how Cryptosoft could help with this Polyfill use case:

Centralized Vulnerability Management: The Service aggregates vulnerability data from multiple sources (NVD, GitHub Advisory, Google OSV, and Sonatype OSS Index), providing a comprehensive view of potential risks. In the case of polyfill.io, this vulnerability was recorded in a number of these databases and would have been raised as a critical issue for inspection when the SBOM was analyzed at build time or runtime.

Impact Analysis: The Service helps identify where vulnerable components are used in particular applications, enabling rapid, targeted remediation efforts.

Policy Enforcement: Organizations can set policies to automatically block builds or deployments if critical vulnerabilities, such as this polyfill.io example, are detected during SBOM analysis.

Notification and Alerting: Notification and Alerting features provide real-time updates on vulnerabilities, policy violations, and license compliance issues. Integrations with Slack, Microsoft Teams, and email ensure timely alerts to accelerate remediation action taken by developers.

Conclusion

The Polyfill.io supply chain attack highlights the importance of robust mechanisms to track and analyze software dependencies. By integrating SBOM generation into your CI/CD pipeline and leveraging offerings like the Cryptosoft OWASP Dependency-Track Managed Service, organizations can significantly enhance their security posture, quickly identifying and mitigating risks associated with third-party components. As the threat landscape continues to evolve, proactive measures like these are essential to protect our software and the users who rely on it.

For more details of the Cryptosoft service, and to get a free one month trial, please visit us at www.dependencytrack.com.