Software Supply Chain Security: A Guide
The software supply chain has received a lot of scrutiny, because most software today is not custom written but is a combination of open source software artifacts. These artifacts are susceptible to vulnerabilities, and when third-party software is used, developers have less control over the source code and any changes made to it.
Securing the software supply chain is critical because software is an integral part of the ability to execute daily business functions. Projects use an average of 203 open source dependencies per repository.
Of particular concern is that almost 32% of applications have flaws at the first scan, and nearly 70% contain at least one security flaw by the time they have been in production for five years. With more organizations relying on open source to build their applications, securing the software supply chain is paramount.
What is Software Supply Chain Security?
A software supply chain encompasses all the components used to deliver an application from the start of the continuous integration (CI)/continuous delivery (CD) pipeline to the end when it is ready for deployment. In addition to third-party software, this includes the code, who wrote it, the repository, binaries, and package managers, and when it was reviewed for security issues, known vulnerabilities, and licensing information.
Software supply chain security focuses on detecting and mitigating the risk associated with digital artifacts used in software development via third parties, including open source libraries, commercial software vendors, and outsourcers. It requires a strategy that encompasses risk management and cybersecurity practices to identify, analyze, and mitigate supply chain risks during the process of creating and deploying an app.
Why Is Software Supply Chain Security Important?
Software supply chains have grown increasingly complex, so mitigating risks requires a strategy that is multifaceted and functionally coordinated.
Any risks to the integrity of applications due to data breaches, ransomware attacks, and malicious activities can have damaging operational, financial, and brand consequences. Even a security incident that is localized to a single vendor or third-party supplier can wreak significant havoc.
The cost of a data breach reached an all-time high of $4.35 million in 2022, nearly 13% higher than the previous two years. It’s also important to note that breaches have lingering effects long after they occur. Every organization involved in an affected supply chain may experience direct or indirect financial repercussions. These can include the cost of incident remediation and forensic investigations as well as business disruptions, lost revenue, and reputation damage.
Organizations can also face compliance violations that may result in fines and audits when a supply chain attack occurs.
The threat to the software supply chain has become so significant that the Biden administration issued an executive order in 2021 calling for greater security measures and guidance to ensure that federal agencies use software built with a series of cybersecurity measures.
Further, cybersecurity threats are a global issue and have caught the attention of the World Economic Forum, which cites “cyber insecurity” as one of the top 10 global risks in the next two years.
Notable Attacks On Software Supply Chains
One of the most predominant software supply chain breaches was SolarWinds in 2020, when malicious code was launched from its IT monitoring and management platform. This had far-reaching effects for both SolarWinds and its customers.
Software library Log4j was a widely exploitable open source vulnerability that enabled remote code execution. It has left countless organizations susceptible to data breaches and attacks.
The network monitoring system of software company Kaseya was breached in 2021 by a high-profile ransomware group called ReVil, which injected malware into a regular update of the company’s virtual system administrator. The Managed Security Provider (MSP)reported that up to 1,500 organizations were potentially impacted by the ransomware.
Target and Home Depot also experienced major data breaches within six months of each other as a result of third-party relationships.
For more notable supply chain attacks, read our infographic 6 Examples of Software Supply Chain Attacks.
The common denominators in these attacks: open source vulnerabilities, code integrity issues, the exploitation of the software supply chain process, and trust in suppliers to distribute malware or backdoors.
How the Regulatory Landscape is Addressing Software Supply Chain Risk
Since the Biden administration’s executive order was issued, government agencies such as the National Institute of Standards and Technology (NIST) and the Office of Budget and Management (OMB) have issued a series of best practices and directives as guidance to accelerate software supply chain security.
Notably, OMB disseminated two memos so that NIST’s Secure Software Development Framework (SSDF) would be adopted. The first requires U.S. government agencies to use the framework as the authoritative reference when it comes to vendors supplying software.
The second memo relates to enhancing the security of the software supply chain through secure software development practices. In the memo, the OMB details the steps that U.S. government vendors must take to implement Executive Order guidelines, such as attesting that they conform with secure software development practices.
NIST and the Cybersecurity and Infrastructure Security Agency also issued guidelines on defending against software supply chain attacks. Hijacking updates, undermining code signing, and compromising open source code are three of the most common techniques, according to the report.
“Organizations are uniquely vulnerable to software supply chain attacks for two reasons,’’ the report states. “First, many third-party software products require privileged access, and second, many third-party software products require frequent communication between a vendor’s network and the vendor’s software product located on customer networks.”
Organizations should start adhering to NIST’s SSDF practices even though they are not yet finalized, given compliance pressures amid the increasingly dangerous threat landscape.
Also worth noting, the Biden administration’s recently released National Cybersecurity Strategy, which goes beyond the executive order it issued in 2021, which defined security measures any organization doing business with the federal government must follow. The recommendations made in this new order will also have implications for software supply chain security.
Strategies and Tools To Address Software Supply Chain Risks
The responsibility of developers in managing third-party dependencies is staggering — the average Java application contains 148 dependencies (20 more than in 2021), and the average Java project updates 10 times a year. This means developers are required to track intelligence on nearly 1,500 dependency changes per year per application they work on.
A lack of visibility into dependencies will remain problematic unless organizations change their software practices. Modern applications require securing the software supply chain.
A software bill of materials (SBOM), which lists all the components that make up an application and the relationship between them, is a logical and helpful way to monitor and keep up with the changes in the software pipeline. An SBOM is even more valuable if it is dynamic.
It also behooves organizations to vet their software vendors, and SBOMs are helpful here as well because they can provide visibility into potential vulnerabilities.
Automated software composition analysis (SCA) tools are useful for identifying and providing guidance on remediation for known vulnerabilities in open source code.
Organizations should also adopt the practice of least privilege access to resources within the supply chain, such as tools and source code repositories.
Don't Wait. Address Software Supply Chain Risk Today
Supply chain attacks are increasing exponentially — an average of 742% yearly since 2019. This type of attack is attractive to threat actors because it offers them economies of scale; targeting a single organization gives them a foot in the door and the ability to compromise potentially hundreds or even thousands of additional organizations without much effort. As long as an operation remains undetected, a software supply chain can continue to yield benefits.
Bear in mind that attacks on the software supply chain can be far more damaging than the attacks of years ago because of their impact — a single breach can affect hundreds of targets, and as Log4j and others have demonstrated, it can be difficult to detect issues for a long time. This requires software security vigilance in the software supply chain.