Early February 2021, the Product Security team at Twilio came across an article that spoke about a novel supply chain attack based on dependency package naming conventions. The attack consisted of uploading malware to open source repositories such as PyPI, npm, and RubyGems, and naming the packages such that they would be downloaded and used by the target company's application. In this post, we'll talk about how we at Twilio went about protecting our customers' data from this attack and the various detections and controls we put in place.

Common questions about dependency confusion

Since dependency confusion is a novel attack, you probably have some questions about what it is and what's currently happening. In this section, we've gathered some answers about how dependency confusion works, how we're defending against it at Twilio, and how you can protect your own codebase.

What's a dependency?

Dependencies are code modules packaged for easy consumption in application code that you write. They are a mechanism to enable code reuse for commonly solved problems, and they are imported into your applications.

Where can I learn more about this attack?

This article does a great job of explaining dependency confusion and is a great place to learn more about the attack and how it impacts companies if it is not addressed.

How did we check to see if Twilio is vulnerable?

It was a Friday afternoon (exciting security things always happen on a Friday) when we came across the dependency confusion article, and we realized we didn't entirely know how packages were used in Twilio. So we started our investigation from scratch. To kick things off we got on a call with our Platform team, which manages our dependency package store, and started cataloging all the languages used in Twilio and their associated package managers (pro tip: your DevOps team is your best friend). Once we had a list of languages widely used in Twilio, we started investigating on a per-language basis. We went through the package managers (npm, pip, gomod, maven, etc.) and how they interact with package registries (public vs. private). We then checked whether it was possible to have package name collisions between private and public packages, and which package managers might be susceptible to pulling the external dependency instead of the internal one that was intended. After a thorough investigation we came to the conclusion that Go and Java were not vulnerable, since they use fully-qualified names and group id reference conventions respectively. But with how we had packages set up in other languages at Twilio, we were at risk of being vulnerable to this attack vector.

What did Twilio do to safeguard its customers' data against dependency confusion attacks?

After we identified all the languages that were susceptible to this attack, we started implementing controls to protect Twilio services and added monitors for attack vectors related to dependency confusion:

- Introduced and enforced naming conventions for all internal packages published and consumed in Twilio.
- Wherever possible, registered the namespace/scope/vendor in public registries to Twilio.
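The two checks described in the sections above, looking for collisions between internal package names and public registry names, and enforcing a reserved naming convention, can be scripted against a package inventory. The following Python script is an added example, not Twilio's tooling: the `@example-corp` npm scope, the `example-corp-` pip prefix, the `PUBLIC_REGISTRY` contents and the `INTERNAL_PACKAGES` inventory are all constructed stand-ins (a real audit would replace `public_exists` with queries to npm and PyPI). It also applies PEP 503 name normalization for pip, which the original text does not discuss, because two names that differ only by `-`, `_` or `.` resolve to the same PyPI project.

```python
"""Dependency-confusion audit for a list of internal package names.

Two checks, matching the two questions in the post:
  1. Does a package with this exact (normalized) name already exist on the
     public registry, so a resolver could pick it over the internal one?
  2. Does the internal name follow a reserved naming convention
     (npm scope / pip prefix) so that such a collision cannot happen?
All names, prefixes and registry contents are constructed for the example.
"""
import re
from dataclasses import dataclass

# Assumed conventions (not Twilio's real ones): internal npm packages live under a
# reserved scope, internal pip packages carry a reserved prefix.
NPM_SCOPE = "@example-corp"
PIP_PREFIX = "example-corp-"

# Constructed stand-in for the public registries. A real audit queries npm/PyPI.
PUBLIC_REGISTRY = {
    "npm": {"lodash", "express", "billing-utils"},
    "pip": {"requests", "billing-utils", "example-corp-oldsdk"},
}


@dataclass
class Finding:
    name: str
    ecosystem: str
    follows_convention: bool
    public_collision: bool

    @property
    def risk(self) -> str:
        if self.public_collision:
            return "collision"    # a public package with this name already exists
        if not self.follows_convention:
            return "unreserved"   # not taken yet, but nothing stops someone taking it
        return "ok"


def normalize(name: str, ecosystem: str) -> str:
    """Apply the registry's own name-matching rules before comparing names."""
    name = name.strip().lower()
    if ecosystem == "pip":
        # PEP 503: runs of '-', '_' and '.' are equivalent in project names.
        name = re.sub(r"[-_.]+", "-", name)
    return name


def follows_convention(name: str, ecosystem: str) -> bool:
    """True if the name is inside the namespace reserved for internal packages."""
    if ecosystem == "npm":
        return name.startswith(NPM_SCOPE + "/")
    if ecosystem == "pip":
        return name.startswith(PIP_PREFIX)
    raise ValueError(f"unsupported ecosystem: {ecosystem}")


def public_exists(name: str, ecosystem: str, registry=PUBLIC_REGISTRY) -> bool:
    """Stand-in for a registry lookup (e.g. GET https://pypi.org/simple/<name>/)."""
    known = {normalize(n, ecosystem) for n in registry[ecosystem]}
    return normalize(name, ecosystem) in known


def audit(internal_packages, registry=PUBLIC_REGISTRY):
    """internal_packages: iterable of (name, ecosystem) tuples from the internal store."""
    return [
        Finding(
            name=name,
            ecosystem=eco,
            follows_convention=follows_convention(name, eco),
            public_collision=public_exists(name, eco, registry),
        )
        for name, eco in internal_packages
    ]


def summarize(findings):
    """Group package names by risk so the result is easy to report or assert on."""
    out = {"collision": [], "unreserved": [], "ok": []}
    for f in findings:
        out[f.risk].append(f.name)
    return out


# Constructed inventory, as a Platform team might export from the internal store.
INTERNAL_PACKAGES = [
    ("billing-utils", "npm"),                # unscoped and already taken publicly
    ("@example-corp/billing-utils", "npm"),  # scoped: safe once the scope is registered
    ("internal-metrics", "npm"),             # unscoped, not taken yet: rename or register
    ("Billing_Utils", "pip"),                # PEP 503 normalizes this to billing-utils
    ("example-corp-oldsdk", "pip"),          # follows convention, but the name is taken
]

if __name__ == "__main__":
    for risk, names in summarize(audit(INTERNAL_PACKAGES)).items():
        print(f"{risk}: {names}")
```

A "collision" finding means the resolver already has a public candidate to confuse with the internal package and needs immediate attention; an "unreserved" finding means the name is still free and should either be moved under the reserved scope or prefix or claimed in the public registry, which is the second control listed above.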