Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.
This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.
"Account takeovers are the second most common attack on software supply chains," explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. "The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks."
Software supply chain attacks have been at the forefront of online security concerns since December 2020 when security firm FireEye said its systems had been compromised and it later emerged that Russian intelligence operatives had injected malware into SolarWinds' Orion monitoring tool. Having backdoored some 18,000 companies, SVR hackers were able to conduct attacks on about 100 of them.
With software package registries distributing millions of code libraries on a daily basis – and repeated reports of account compromises as well as proof-of-concept attacks – those overseeing open source package registries have been under pressure to up their security game…