Most software today isn’t developed entirely from scratch. Instead, developers rely on a range of third-party resources to create their applications. By using pre-built libraries, developers don’t need to reinvent the wheel. They can use what already exists and spend time on proprietary code, helping to differentiate their software, finish projects quicker, reduce costs, and stay competitive. These third-party libraries make up part of the software supply chain. While their inclusion is beneficial, the software supply chain introduces risk and needs to be secured.
Significant breaches in recent times suggest that software supply chain attacks are on the rise. Reading about the Log4j vulnerability or the SolarWinds supply chain attack reminds us that software components can be security threats. Since these types of attacks are relatively new, most organizations often struggle to determine how their applications might be affected and how they should address the threat.
Effective software supply chain security ensures that any components of, or influences on, your application code are secure and trustworthy. In this article, we’ll look closer at what software supply chain security is, why it’s important, and some of the best practices you can adopt to secure your organization against supply chain attacks.
What Makes Up Your Software Supply Chain?
The software supply chain refers to all components directly involved in developing an application. These are components that your team may or may not develop or manufacture in-house, and they include:
- Hardware and infrastructure
- Operating systems
- Compilers and editors
- Drivers and dependencies
- Open-source scripts and packaged software
- Repository engines, testing suites, and CI/CD tools
- Cloud services and data centers.
The supply chain also includes people, such as outsourced companies, consultants, and contractors.
The primary focus of software supply chain security is to combine risk management and cybersecurity principles. Doing so allows you to detect, mitigate, and minimize the risks associated with these third-party components in your application.
Where Might the Threats Come From?
Supply chain threats exist because of the trust that enterprises place in the supply chain. For example, no one expects Microsoft to release a security patch that exposes their environment to attackers. Attackers take advantage of this trust, knowing most developers won’t go to great lengths to cross-check the software they’re using.
Let’s consider a few examples of how your organization could be vulnerable to supply chain attacks.
By compromising widely distributed software updates, attackers can gain access to a wide range of systems. For example, many companies release new security patches every month, and these patches are downloaded by thousands (or even millions) of developers for deployment to their projects and CI/CD pipelines. If an attacker can manipulate an update, they can easily gain access to all the systems it was deployed to.
Commit permissions to open-source projects are usually given to trusted contributors. If an attacker compromises a trusted account, they can insert malicious code into the repository. Developers unknowingly use such code, thereby unintentionally opening access to their environment.
Many companies now employ contractors or freelancers for application development. Without proper background checks, malicious external parties (like criminal syndicates or state-sponsored players) can steal data or IP for financial gain or industrial espionage.
These are only a handful of examples, but other cases include stolen certificates, compromised software development tools, or devices with pre-installed malware.
Why Is Software Supply Chain Security Important?
Software supply chain security has become so critical that in May 2021, the US President signed an Executive Order to address the issue. Two pivotal events preceding that Executive Order involved SolarWinds and Apple/Quanta.
For SolarWinds, hackers deployed malicious code into an update for the “Orion” system, which had over 33,000 users. The attack was sophisticated and remained undetected for almost 14 months. Unaware of the breach, SolarWinds released the software updates to their customers, who installed them. This gave hackers access not just to systems belonging to SolarWinds, but also to the systems of everyone who installed the update.
In the Apple/Quanta attack, systems belonging to Quanta Computer, a key Taiwan-based supplier of Apple products, were breached in April 2021. The ransomware group REvil claimed to have stolen the blueprints for the latest Macbook and demanded $50 million for the decryption key. When Quanta refused to pay, REvil began posting the stolen blueprints on the dark web. News of the breach came at an inconvenient time for Apple, as REvil announced it during a huge launch event for the new iPads and Macbooks.
Both of these attacks were related to the software supply chain—one involving a software patch, another involving a hardware supplier. These types of attacks don’t only target high-profile companies. They can happen to companies of any size.
Software Supply Chain Security Best Practices
To ensure software supply chain security, you need to have a clear view of and control over every part of your application. While technical controls are essential, it’s also crucial that you develop a concrete governance, risk, and compliance framework for your business processes, policies, and procedures.
Assess your supply chain
For your application’s dependencies to have complete visibility, you need to ask questions that include:
- What is involved in each step of the development lifecycle?
- Are there contractors who have code access?
- Who installs software updates and how?
The business should audit all its applications and the access rights granted to internal and external parties. Ideally, this should be well documented and automated, so when a breach occurs, you can quickly find out who had access.
Secure privileged access management
Once they gain access to a system, attackers often try to move laterally through a network to find a privileged account. If successful, they will use that account to gain access to sensitive data or take control of other systems.
For this reason, your security team should closely monitor privileged accounts for unusual activity. It should monitor password changes, login activity, and permission changes, and it should respond accordingly. For example, suppose a Domain Admin account has had multiple wrong password attempts. In that case, the security team should investigate and lock the account until they are sure it was a legitimate case of unsuccessful attempts.
Administrators should apply the principle of least privilege across all network accounts. Elevated access should only be granted when necessary.
System administrators should use automation and configuration management tools to control and monitor account administration. This leaves no room for human intervention and possible errors.
Use trusted partners only
It’s important to assess the credibility, service history, past projects, and market reputation of any prospective partner. For individuals, always run strict background checks that identify things like criminal records or bankruptcy filings.
Perform similar due diligence for vendors and service providers. In fact, some regulatory requirements dictate that your vendors must have certifications like ISO 27001.
Monitor third parties
Continuously monitoring third parties will help mitigate the impact of vendor data breaches or attacks. This helps to address issues like credentials exposed on the dark web or any history of past data breaches. You can ask for and inspect any supplier’s security documentation to ensure their policies and procedures align with industry best practices and your security standards.
Find and fix vulnerabilities
A major culprit in supply chain attacks is unpatched software. Once a vulnerability bulletin is released to the public, attackers search for unpatched systems to exploit. Therefore, your IT team must leverage a software composition analysis testing tool to uncover vulnerabilities in third-party code and propose fixes like patches and updates. In fact, Veracode’s recent State of Software Security: Open Source Edition report found that 92 percent of library flaws can be fixed with an update.
Veracode’s Software Composition Analysis tool not only uncovers vulnerabilities in third-party libraries directly added to your code, but it also uncovers vulnerabilities that those libraries call on which could be several layers deep.
The Veracode vulnerability database doesn't just pull from the National Vulnerability Database (NVD), it also includes many vulnerabilities that were never reported – or reported late – to NVD. The powerful, cloud-native solution uses data mining, natural language processing, and machine learning to identify security vulnerabilities from commit messages and bug reports.
Create an incident response plan
Assume that your organization will be attacked and plan accordingly.
An incident response plan defines what needs to be done when an attack happens, who should do what, and in what order. The RACI matrix is useful for defining who is responsible for taking action, who is accountable, who should be consulted, and who should only be informed during such an incident.
Another area to consider is the communication plan between different stakeholders of the RACI, the communication channels to use, and the escalation tree.
Your disaster recovery plan should be solid and tested against multiple scenarios. A DR plan can involve traditional backups or failover sites. A tested recovery mechanism can protect against compromised systems and ransomware attacks.
Organizations must live with the very real threat of cyberattacks. This is the new reality. Despite their relative infrequency, software supply chain attacks can create significant damage.
The best protection against this type of attack starts with knowing your supply chain, auditing the third parties you rely on, scanning software components for vulnerabilities, and having a robust incident management plan.
Veracode has over fifteen years of experience helping enterprises start and mature their software security programs. If you don’t have a software supply chain security program yet, you can consider enrolling in the Veracode Verified program. This program helps you improve your time to resolution while also training your developers to integrate security best practices directly into their development lifecycles. These safeguards, in turn, will ensure your customers have more confidence in your application’s security.