How Software Supply Chain Vulnerabilities Lead to Attacks

Learn how software supply chain attacks happen

By Esther Shein

Software supply chain attacks are increasingly gaining attention. Why? Software developers today have grown increasingly reliant on vendors, suppliers, and partners, so the software supply chain has become a key factor in the ability to build new enterprise apps.

This means more partners are touching sensitive data than ever before, and attackers have taken notice. More open-source components are being used and consequently, vulnerabilities are slipping in through the software supply chain.

In fact, in 2022, there was a 742% year-over-year increase in open-source software (OSS) supply chain attacks, which were aimed at exploiting any weaknesses in upstream open-source ecosystems, such as JavaScript, Java, .NET, and Python. The previous year, the figure was 650%.

With more resources and tools at their disposal, cyber attackers have seized the opportunity to leverage vulnerabilities in the supply chain. SolarWinds learned this the hard way, as have countless other tech suppliers.

So it’s no surprise that organizations are reacting, and “increasingly highlighting cyber vulnerability and ransomware as the most important emerging trend to look out for in the short, medium, and long term,” according to a 2023 report on supply chain risks. “With the advances in new technology comes added vulnerabilities, especially with the rising number of connected objects.”

Most disturbing is that it only takes one compromised application or piece of code to affect the entire supply chain. Weaknesses in application source code are typically the targets of an attack, and this can compromise a trusted application or software system.

This has become a major issue because supply chain partners are more interconnected than ever, creating a domino effect when a vulnerability is discovered. For example, Company A is reliant on Supplier B, which has access to its core ERP and other data-sensitive systems. If Supplier B is compromised, Company A will be affected, and so on down the line to other companies that work with Company A and/or Supplier B.

Adding to the challenge is that when open-source software is used, it can be hard for DevSecOps teams to identify vulnerabilities. This makes it critical for organizations to monitor the entire SDLC for points of vulnerability.

Another Tactic in Software Supply Chain Attacks

One problem contributing to supply chain attacks is an increase in dependency confusion, which occurs when attackers publish a fake package on a public registry with the same name as a package in an organization's internal repository. The package manager picks up the fake package when it cannot find the correct one in the internal repository.

In the past, similar attacks relied on developers misspelling a package name, but threat actors are now using dependency confusion because it is more reliable and more damaging, especially when the attacks are automated.

Strategies to Fight Back

But when you increase the visibility and security of libraries, packages and dependencies, you are less likely to fall victim to dependency confusion. Protecting the names of your system’s libraries and packages makes it harder for threat actors to create a fake package with a duplicate name.

Another best practice is to only use reputable open-source libraries and require developers to verify the package source before installing.
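As an added illustration of the dependency confusion mechanism described above and of the advice to verify package sources, the following audit script (written for this page, not code from the author or any project) flags the two conditions a pip-style resolver needs before a look-alike public package can be chosen: an extra index merged with the public registry, and internal packages installed without hash pins. Package names, the index URL and the hash values are constructed placeholders.

```python
import re
from typing import Dict, List

def parse_requirements(text: str) -> Dict[str, Dict[str, bool]]:
    """Map normalized package name -> whether it is version-pinned and hash-pinned."""
    reqs: Dict[str, Dict[str, bool]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")   # PEP 503 style normalization
        reqs[name] = {"pinned": "==" in line, "hashed": "--hash=" in line}
    return reqs

def audit(requirements_text: str, pip_conf_text: str, internal_packages: List[str]) -> List[str]:
    """Return findings describing where a look-alike public package could be chosen."""
    findings: List[str] = []
    # extra-index-url merges the internal index with public PyPI: if a public
    # package shares an internal name and carries a higher version, it wins.
    if "extra-index-url" in (pip_conf_text + requirements_text).lower():
        findings.append("extra-index-url in use: public index is still consulted for internal names")
    internal = {p.lower().replace("_", "-") for p in internal_packages}
    for name, info in parse_requirements(requirements_text).items():
        if name in internal and not info["hashed"]:
            findings.append(f"{name}: internal package not hash-pinned")
        if not info["pinned"]:
            findings.append(f"{name}: version not pinned")
    return findings

# Constructed sample inputs (hypothetical names, example URL, placeholder hashes)
RISKY_CONF = "[global]\nextra-index-url = https://pypi.internal.example/simple\n"
RISKY_REQS = "requests==2.31.0 --hash=sha256:PLACEHOLDER\nacme-auth==1.2.0\nacme_billing\n"
HARDENED_CONF = "[global]\nindex-url = https://pypi.internal.example/simple\n"
HARDENED_REQS = ("requests==2.31.0 --hash=sha256:PLACEHOLDER\n"
                 "acme-auth==1.2.0 --hash=sha256:PLACEHOLDER\n"
                 "acme-billing==0.4.1 --hash=sha256:PLACEHOLDER\n")
INTERNAL = ["acme_auth", "acme-billing"]

if __name__ == "__main__":
    for finding in audit(RISKY_REQS, RISKY_CONF, INTERNAL):
        print("RISK:", finding)
    print("hardened findings:", audit(HARDENED_REQS, HARDENED_CONF, INTERNAL))
```

With a single index-url the internal index must proxy the public packages you still need; the hash pins are what reject a substituted artifact regardless of which index served it.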

Further, continuous monitoring and digital supply chain assurance are now critical steps that cannot be left to chance. This is also a good time to double down on zero trust. Implementing automation into the DevSecOps process can help.

The cloud is likely to remain the vehicle for software delivery for the foreseeable future, so supply chain attacks will continue to be a big issue. If you take away nothing else from this, know that no software or hardware company is immune to cyberattacks, but you can go on the offense. Reduce the number and impact of software supply chain attacks by thoroughly evaluating the processes and tools you use for the delivery of software products.

About the author: Esther Shein is a longtime freelance tech and business writer and editor whose work has appeared in several publications, including TechRepublic, VentureBeat, ZDNet, TechTarget, The Boston Globe and Inc. She has also written thought leadership whitepapers, ebooks, case studies and marketing materials.
