Last year’s MOVEit and 3CX vulnerabilities offered a stark reminder of the risk software supply chain attacks pose today.
Threat actors exploit vulnerabilities to infiltrate a software provider’s network and modify the software’s original functionality with malicious code. Once the infected software is passed on to customers, typically through software updates or application installers, the breach opens the door to unauthorized tasks, such as exfiltrating sensitive information or hijacking data.
We are in the midst of a rapid surge in software supply chain attacks. Sonatype found a 742% average annual increase in software supply chain attacks between 2019 and 2022, according to the company’s State of the Software Supply Chain report. Few expect this growth to reverse any time soon.
Widespread and enduring impact
The severity of software supply chain breaches is partly explained by how they sit at the intersection of two core elements of today’s cyber threat landscape. Attacks are more sophisticated and ambitious than before, and greater digitization has created an unprecedented interconnected modern world, accelerated by the pandemic and the opportunities offered by emerging technologies.
Whether SolarWinds in 2019 or the Kaseya and Log4j attacks of 2021, all demonstrate the reach of such attacks and the damage they can inflict. According to SolarWinds, up to 18,000 customers may have downloaded the malware. The Kaseya ransomware attack impacted 1,500 companies and involved a $50 million ransom.
With Log4j, there were nearly 1.3 million attempts to exploit the vulnerability on more than 44% of corporate networks worldwide in the first seven days. Supply chain breaches, however, can also have a very long tail. The CISA classified Log4Shell as endemic with vulnerable instances remaining for years to come, perhaps a decade or longer.
Software supply chain attacks are difficult to mitigate and carry a high cost. IBM’s Cost of a Data Breach Report 2023 found that the average cost of a software supply chain compromise was $4.63 million, which is 8.3% higher than the average cost of a data breach due to other causes. Identifying and containing supply chain compromises required 294 days, 8.9% more days compared to other types of security breaches.
The evolution of software supply chains
As we know, code is the fundamental building block for software applications. But while a substantial portion of this code was generally written from scratch 20 years ago, today’s digital landscape is characterized by the widespread adoption of open-source software, increased software community collaboration, and the evolution of technologies like generative AI.
In this environment, development teams can use code that originate from a wide array of different sources—from open source libraries on GitHub to code generated by AI coding assistants like GitHub Copilot, code previously developed for other software applications within the company, and third-party software, including databases and logging frameworks.
These “sources” form what is commonly known as the software supply chain. Each source inherently introduces new security risks into the software supply chain. Essentially, a security vulnerability in any one source can expose the other connected software products with which they are connected.
Securing your software supply chain
One weak link is all that is needed to provide a gateway for threat actors to bypass otherwise robust and secure environments. Accordingly, the key to any secure software supply chain is the ability to identify and remediate any vulnerability rapidly before it can be exploited by threat actors.
Companies should consider adopting three strategies to create a secure software supply chain.
Firstly, companies need a software bill of materials, or SBOM. While familiar to the open source community for well over a decade, SBOMs have recently gained fresh significance in the wake of elevated cyber risks and a host of US legislation.
In essence, an SBOM is an inventory of all software components, such as libraries, frameworks, generated code, that are used across their software supply chain. Having an SBOM allows a company to develop a comprehensive understanding of its software composition and dependencies so it can quickly and accurately remediate potential vulnerabilities.
Secondly, every software component that is part of the SBOM should be scanned for publicly disclosed cybersecurity vulnerabilities, and any discovered vulnerability should be remediated immediately. Begin vulnerability scanning at the earliest stages of the software development lifecycle to detect issues before they become more difficult and costly to fix. Scanning should be done during the entire CI/CD pipeline, from build to test to deployment to run time. In addition, scanning cannot be a one-off activity. Rather, it must be done on a continuous basis across the software environments as it is not uncommon for new vulnerabilities to be discovered much later.
Thirdly, organizations should explicitly define zero trust policies to capture what the different parts of application workloads should be allowed to do or access. As MOVEit and Log4j showed, zero day attacks present an especially severe risk, exploiting unknown vulnerabilities for which there is no patch available yet. Such attacks give threat actors easy access to restricted resources such as files, processes, and networks. The principles of zero trust are crucial to mitigating such attacks. Essentially, zero trust applies a microsegmentation technique, using security policies to prevent unauthorized access to restricted resources by malicious code that is injected by threat actors.
With Gartner predicting that 45% of organizations will have experienced attacks on their software supply chains by 2025, companies must take urgent steps to understand their software composition, rigorously audit this code, and enact zero trust methodology across their ecosystem. Those who fail to adopt sound strategies to document the supply chain and address both known and unknown vulnerabilities risk both significant financial loss and an enduring dent to their reputation.
Vishal Ghariwala is CTO and senior director, Asia Pacific, at SUSE. A veteran of IBM and Red Hat, Vishal has over two decades of experience in enterprise security. He leads SUSE’s strategy and growth in the APAC region.
—
New Tech Forum provides a venue for technology leaders—including vendors and other outside contributors—to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to doug_dineley@foundryco.com.