How To Secure Your Software Supply Chain
Date published: Mar 13, 2022
Hackers look for security gaps that will let them into a company's network, giving them access to sensitive information or enabling them to disrupt the company's business and demand a big payday. A software supply chain attack targets software vendors and suppliers, and in particular the open-source software libraries their products depend upon, rather than attacking the company directly. Software is a popular attack target because code often passes through many third-party hands before reaching the end user. These attacks have the potential to be massive in scope, as just one piece of compromised software can introduce malware across an entire supply chain.
All the individuals and organizations that touch a company's software packages make up its software supply chain, and this chain is only as strong as its weakest link. Attackers seek out poorly secured software, unprotected network protocols or poor cybersecurity practices at vendors or software suppliers, which let them hide malware in the software build and spread it through legitimate update processes.
Increasingly, software developers rely on third-party components and packages from open-source libraries as the building blocks for their software; this makes life easier for developers and allows for faster innovation. A 2022 report by Synopsys found that 97% of codebases contain some open-source code and that open source made up an average of 78% of the codebases analyzed.
With so many tools and applications now built using shared open-source code, a single software-based exploit in one open-source component can endanger thousands of organizations around the world. That is just what happened with the Log4Shell vulnerability, found in December 2021. The flaw was located in Log4j, a common open-source logging tool used on millions of servers worldwide, and it allowed access to affected web servers without a password. Hackers jumped at the opportunity to wreak havoc, manipulating and locking down systems until they were patched.
What's worse, bad actors are no longer simply searching for vulnerabilities to exploit. Rather, they are inserting flaws into open-source projects and waiting for them to be distributed, and they may not have to wait long. According to one report, developers were projected to borrow more than 2.2 trillion open-source packages from third-party ecosystems, such as JavaScript and Python, in 2021. Once the infected code has made its way into the global software supply chain, hackers can capitalize on it until it is discovered.
These attacks require more patience and planning, but they also have the potential to deliver greater rewards. For this reason, it's unsurprising that the 2021 State of the Software Supply Chain Report found that software supply chain attacks were up 650% year-over-year. The impact of a software supply chain attack can be severe as attackers are able to bypass perimeter security measures and gain privileged, persistent access to the victim organization's network.
The damage and disruption can have a major downstream impact, as companies divert resources from strategic projects to respond to the breach. And the downtime required to create and deploy solutions can damage employee productivity or customer experience, depending on which systems are affected.
Software supply chain attacks exploit the trust that companies have in their vendors and software suppliers. Companies can minimize the risks facing their IT systems and business operations by proactively securing their software supply chain. Here are three steps leaders can take to help ensure the integrity of their software and protect their operations from software supply chain attacks:
1. Assess software supply chain risk
All software can contain vulnerabilities that put its data and systems at risk, whether that is software custom coded in-house, software code imported from open-source ecosystems, or vendor-supplied off-the-shelf applications. When software is sourced from a variety of places, with a high likelihood of open-source software dependencies, it's harder for IT teams to identify all sources of risk or spot all potential exploits.
That is why the first step involves making software transparent so it can be evaluated and understood, through the use of software bills of materials (SBOMs), which give visibility into the software codebase and its dependencies. Maintaining accurate SBOMs can help leaders ensure that teams perform due diligence on each new software component. However, companies need to take additional precautions to uncover unseen risks buried in their codebase.
Open source, for instance, makes tracking the provenance of every line of code, identifying dependencies between software components and understanding where those dependencies may introduce risk complicated and time consuming. That is why automating the generation and analysis of an SBOM, along with real-time updates, is essential.
A software risk assessment can help a company determine where open source sits within its software portfolio, define the provenance of each component, and peel back the onion to find hidden vulnerabilities. For example, this process may help teams find software packages that haven't been updated in months or even years, which could open the door to a cyberattack.
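The kind of automated SBOM analysis described above can be illustrated with a small script. The following is an added example, not VikingCloud's code and not part of the original article: it parses a constructed CycloneDX-style SBOM (the component names, versions and `bom-ref` values are made up), walks the `dependencies` graph to find how deep each transitive component sits below the application, and flags components that are unpinned or whose last release (taken here from a constructed stand-in for registry metadata) is older than a threshold. The `LAST_RELEASE` table and the `STALE_DAYS` threshold are assumptions; in a real pipeline that data would come from the package registry or an internal catalog.

```python
"""Parse a CycloneDX-style SBOM, walk its dependency graph and flag
stale or unpinned components.  Added example; not the article's own code."""
import json
from datetime import date

# Constructed sample SBOM in the CycloneDX JSON layout: a "components" list plus a
# "dependencies" list that links bom-refs.  All names and versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:maven/org.example/logger@1.2.0", "name": "logger", "version": "1.2.0"},
        {"bom-ref": "pkg:pypi/httpkit@0.9.1", "name": "httpkit", "version": "0.9.1"},
        {"bom-ref": "pkg:pypi/oldparser@0.3.0", "name": "oldparser", "version": "0.3.0"},
        {"bom-ref": "pkg:npm/utilbelt", "name": "utilbelt"},  # deliberately unpinned
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/logger@1.2.0", "pkg:pypi/httpkit@0.9.1"]},
        {"ref": "pkg:pypi/httpkit@0.9.1", "dependsOn": ["pkg:pypi/oldparser@0.3.0", "pkg:npm/utilbelt"]},
    ],
})

# Constructed stand-in for registry metadata: last release date per component name.
LAST_RELEASE = {
    "logger": date(2021, 12, 20),
    "httpkit": date(2022, 1, 15),
    "oldparser": date(2018, 6, 1),
    "utilbelt": date(2021, 11, 2),
}

STALE_DAYS = 365  # assumed policy threshold: flag anything with no release in a year


def dependency_paths(sbom, root_ref):
    """Return {bom-ref: path from root} using a DFS over the 'dependencies' list.
    The first path found wins, which also keeps cycles from looping forever."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, stack = {}, [(root_ref, [root_ref])]
    while stack:
        ref, path = stack.pop()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = path + [child]
                stack.append((child, paths[child]))
    return paths


def assess_sbom(sbom_json, today, last_release=LAST_RELEASE, stale_days=STALE_DAYS):
    """Return a list of findings: unpinned components, components with no
    provenance data, and components whose last release is older than stale_days."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = dependency_paths(sbom, root)
    findings = []
    for comp in sbom.get("components", []):
        ref, name = comp["bom-ref"], comp["name"]
        path = paths.get(ref, [root, ref])  # components absent from the graph count as direct
        base = {"component": name, "depth": len(path) - 1, "path": path}
        if "version" not in comp:
            findings.append({**base, "issue": "unpinned version"})
        released = last_release.get(name)
        if released is None:
            findings.append({**base, "issue": "no provenance data"})
        else:
            age = (today - released).days
            if age > stale_days:
                findings.append({**base, "issue": "stale release", "days_since_release": age})
    return findings


if __name__ == "__main__":
    for f in assess_sbom(SAMPLE_SBOM, date(2022, 3, 13)):
        print(f"{f['component']:<12} {f['issue']:<18} depth={f['depth']} via {' -> '.join(f['path'])}")
```

Run against the sample as of 13 March 2022, the script reports two findings: `oldparser` has had no release for 1381 days and `utilbelt` is unpinned, and both sit two levels below the application, reached through `httpkit`. Recording the path is what turns a finding into an action: the team knows which direct dependency to upgrade or replace rather than hunting for the package by name.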
2. See how your security measures stack up
While software supply chain risk can be difficult to measure, there are a few ways companies can quantify their security posture. They should begin by comparing their threat detection, response, and remediation practices against published standards.
Companies that are subject to Payment Card Industry (PCI) standards need to make sure they manage their software and systems in compliance with the applicable standards, which are regularly updated to address changes in technology and the threat landscape. In March 2022, for example, the PCI Security Standards Council published a new version of its data security standard that has many implications for how software is managed in order to protect against exploitation of known vulnerabilities, while the standards that make up the PCI Software Security Framework are intended to ensure the secure design and development of payment software.
The NIST Secure Software Development Framework (SSDF) and the Cyber Assessment Framework are two additional standards that can help companies gauge how closely they are following software security best practices. However, manually tracking alignment with security standards can strain IT resources, slowing the company's progress toward its business goals.
Automated security scorecards, generated by a variety of online tools, streamline this process. The Open Source Security Foundation's Scorecard project, for instance, provides a high-level view of software security. Users evaluate a software package before consuming it, ranking the strength of different security elements from 1 to 10. Users can also see an aggregate security score for the software package in question, which helps them better understand changes that should be made.
3. Address software vulnerabilities
Scorecards gauge a company's risk level, and frameworks outline the best practices companies should adopt. But neither of these tools offers the specific guidance leaders need to find and close security gaps in their software supply chain.
Real-world expertise is needed to understand how a score translates to specific changes that a company should make. For example, a risk rating of 5 out of 10 may be acceptable in a non-critical software environment, but in a critical system remediations may need to be made immediately.
How a company addresses vulnerabilities will also be influenced by the security expertise it has in its ranks. Up-to-date skills are needed to implement security best practices in a company's software engineering and management processes.
The right tools can also help companies get a unified view of potential security issues. That single pane of glass lets leaders prioritize the most critical fixes while also keeping an eye on other vulnerabilities that may exist across software packages. This level of detail also puts companies in the position to respond quickly if new exploits are discovered.
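The two preceding sections describe automated scorecards and the judgement needed to turn a score into action, with a 5 out of 10 acceptable in a non-critical environment but demanding immediate remediation in a critical one. The following added example, which is neither VikingCloud's nor the OpenSSF Scorecard project's code, shows how a policy gate can encode that judgement. The input is a constructed result in the shape of Scorecard's JSON output (an aggregate `score` plus a `checks` list of `name`/`score` entries; the check names are real Scorecard checks, the values are made up, and a score of `-1` is treated here as "inconclusive"). The `POLICY` thresholds per criticality tier and the hypothetical repository name are assumptions, not the article's or Scorecard's.

```python
"""Apply a criticality-tiered policy to a Scorecard-style result.
Added example; not the article's or OpenSSF's code."""
import json

# Constructed result modelled on OpenSSF Scorecard JSON output; values are made up.
SAMPLE_SCORECARD = json.dumps({
    "repo": {"name": "github.com/example-org/httpkit"},  # hypothetical repository
    "score": 5.1,
    "checks": [
        {"name": "Pinned-Dependencies", "score": 3, "reason": "some dependencies unpinned"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no known vulnerabilities"},
        {"name": "Maintained", "score": 2, "reason": "few recent commits"},
        {"name": "Branch-Protection", "score": 4, "reason": "partial branch protection"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},  # inconclusive
    ],
})

# Assumed policy: the more critical the consuming system, the higher the bar and the
# shorter the remediation window.  A 5/10 clears the non-critical tier but not the others.
POLICY = {
    "critical":     {"min_score": 7.0, "check_floor": 5, "deadline_days": 0},
    "standard":     {"min_score": 6.0, "check_floor": 3, "deadline_days": 30},
    "non-critical": {"min_score": 5.0, "check_floor": 0, "deadline_days": 90},
}


def evaluate_scorecard(result_json, criticality):
    """Decide whether a package clears the policy for the given criticality tier and,
    if not, list the checks to remediate (weakest first) and the deadline."""
    result = json.loads(result_json)
    policy = POLICY[criticality]
    # Checks below the per-tier floor must be fixed; inconclusive (-1) ones need a human.
    weak = sorted((c for c in result["checks"] if 0 <= c["score"] < policy["check_floor"]),
                  key=lambda c: c["score"])
    unknown = [c["name"] for c in result["checks"] if c["score"] < 0]
    accepted = result["score"] >= policy["min_score"] and not weak
    return {
        "repo": result["repo"]["name"],
        "criticality": criticality,
        "accepted": accepted,
        "aggregate": result["score"],
        "remediate": [c["name"] for c in weak],
        "review_manually": unknown,
        "deadline_days": None if accepted else policy["deadline_days"],
    }


if __name__ == "__main__":
    for tier in POLICY:
        verdict = evaluate_scorecard(SAMPLE_SCORECARD, tier)
        status = "accepted" if verdict["accepted"] else f"blocked, fix within {verdict['deadline_days']} days"
        print(f"{tier:<13} score={verdict['aggregate']} {status}; remediate={verdict['remediate']}")
```

With the sample, the same 5.1 is accepted for a non-critical system, blocked with a 30-day window for a standard one (only `Maintained` falls below that tier's floor), and blocked for immediate action in a critical system, where `Maintained`, `Pinned-Dependencies` and `Branch-Protection` all need attention. Listing the failing checks weakest-first is what gives leaders the prioritized view the article calls for, and surfacing inconclusive checks separately keeps an unknown from being silently counted as a pass.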
A proactive cybersecurity posture
Partnering with software security experts can help companies get a handle on their software supply chain risk. Because they know what to look for, they can find the vulnerabilities that developers may have missed. By reviewing code and suggesting opportunities to improve the software management process, the right partner can help a company defend against cyberattacks before they disrupt the business.
To read more about how VikingCloud can help your company secure its software supply chain, visit https://www.vikingcloud.com.