A map(ture) that is already worth a treasure

In fact, it was just a few days ago that the Python Package Index (PyPI, a repository of Python programming package software that facilitates the work of developers) requested, by the end of 2023, the mandatory activation of two-factor authentication (2FA) for all accounts that manage a project on its platform.
And the decision does indeed seem to stem from the PyPI team’s desire to strengthen the very security of the platform with a long-term commitment project, supplementing new tools to previously adopted measures such as API token support and blocking of compromised credentials.
Using 2FA, should a cyber criminal gain control of a software maintainer’s account and manage to insert malware or a backdoor to a package critical to several software projects, the risks and potential disastrous consequences associated with supply chain attacks would be mitigated.

In the case of PyPI, in fact, depending on the spread and popularity of one or more packages, an attack would be capable of impacting millions of individual users, and although the ultimate responsibility for inspecting the building blocks of its projects ultimately falls on the developers and thus the users of the repository, PyPI is moving proactively and synergistically to minimize these kinds of problems.

For the sake of the record, however, it should also be pointed out that not more than a week ago, following a rather significant malware release that allowed the impersonation of popular packages in order to then spread malicious code through the hijacked accounts, the PyPI team decided to temporarily suspend all new registrations until a truly effective defense solution had been adopted and successfully implemented.

The 2FA, in PyPI’s intentions, will thus help mitigate the problem of account compromise and takeover by also establishing a limit on the number of new accounts a suspended user can create and, consequently, limit the occurrence of reloading malicious packages.
The PyPI team recommends that its users, as an additional and preparatory security measure to 2FA, use an authentication app or hardware key.

“The most important things to do,” states the PyPI team, “to prepare are to enable 2FA for your account as soon as possible, either with a security device (preferred) or with an authentication app, and to switch to using Trusted Publishers (preferred) or API tokens to upload to PyPI,” then pointing out how precisely the introduction of tools such as “Trusted Publishing” or GitHub have helped developers become increasingly familiar with the requirements of 2FA.

Supply chains thus remain, due to their inherent complexity and size in terms of numbers, a rather vulnerable piece of global security, and implementing effective protection can prove more complex than one might think, as vulnerabilities can be inherent, thus upstream, or introduced and ultimately exploited at any point in the chain.
But coming to the rescue is the National Cyber Security Center, introducing the concept of Supply Chain Mapping (SCM), i.e., a mapping of the supply chain to record, store and use the various information gathered from suppliers that make up a company’s supply chain in a timely and effective manner, while also fulfilling ‘due diligence.

Below we provide a small vademecum of first-level priorities, as compiled by the National Cyber Security Center, for those who would like to approach and implement SCM (keeping in mind that information about existing suppliers may already be present in their procurement systems, in which case it will then be necessary to aggregate all relevant information) as a means of achieving greater responsiveness to supply chain-related incidents and strengthening trust in long-term relationships:

– Use existing records, such as procurement systems, to formulate a list of all known suppliers.
Then prioritize suppliers, systems, products and all those services that are critical to your organization.
– Prioritize information that would be useful to acquire about your supply chain.

– Establish secure information storage practices and manage access to them.

– Assess the need for any collection of information pertaining to its suppliers’ subcontractors and delimit its boundaries and scope.

– Consider using additional services that can provide an assessment of providers and are able to detail additional information about their cyber risk profile.

– Establish in advance, for new suppliers, what are the minimum requirements to be met as part of their procurement process.
– Clearly communicate the information required of them, for existing suppliers, justifying the need for it, and enter the information gathered from existing suppliers into a centralized repository.

– Update the standard contract clauses to ensure that the required information is provided as standard when starting to work with a supplier.

– Identify those responsible for the information collected, possibly including procurement, business managers, information security and operational security teams.
Then make them aware of the information repository and allow access to those responsible as identified

– Consider drafting a playbook (manual) to respond to incidents that require coordination of efforts from both the extended supply chain and third parties such as law enforcement, regulators, and even customers.

– Document the steps that will need to be changed within its procurement process as a result of the results provided by the supply chain mapping.
For example, it may be necessary to consider excluding those suppliers who cannot satisfactorily demonstrate that they can meet the required minimum cybersecurity requirements.