Skip to main content
February 5, 2014

Cybercriminals Aimed at Supply Chain to Reach Their True “Target”

Target breachSo far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-party. There has been very little discussion regarding who the vendor is; instead it is Target’s name that is being discussed in relation to one of the largest tech breaches ever. This simply reinforces the notion that the security of your vendors is your responsibility. If they are not following security best practices, like was the case in the Target breach, it is your company and your customers that ultimately suffers. As the world becomes more interconnected and enterprises lean on third-party software to run their business, we will see a rise in these number of breaches. In fact a recent report by the Pentagon stated that “the federal government, its contractors, subcontractors and suppliers of all tiers in the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries to steal, compromise, alter or destroy sensitive information.” If this is true of the federal government, it is also true of enterprises. The report goes on to say that cyber criminals are targeting vendors “deep in the supply chain to gain a foothold and then ‘swim upstream’ to gain access to sensitive information and intellectual property.” Why are cyber criminals doing this? Because as the most attractive targets harden their security practices, criminals look for easier entry-points. Why go through the trouble of picking the lock when the window is wide open? As a result, organizations need to hold their software supply chain to the same stringent security principles that they hold for applications developed internally. We now live in a world where applications run everything, and very few if any organizations develop all the applications they are using completely in-house. Had Target put stringent security practices for their supply chain that matched the level of rigor they had for their employees this breach may not have happened at all, or at least not have been so severe. Understanding what security practices your vendors are observing is essential to securing the entire application infrastructure.

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.