Whether your organisation’s digital transformation is well underway, or you’re simply migrating to more cost-effective, agile platforms, your digital attack surface is increasingly exposed to threats borne by your software supply chain.
According to a recent survey from Venafi, 82% of respondents said their organisations are vulnerable to cyberattacks targeting software supply chains. Furthermore, a Trend Micro Research global survey reported that 52% of organisations have a supply chain partner that has been hit by ransomware. Moreover, cybercriminals are motivated by the success of Kaseya, Log4J, and SolarWinds, leading to an uptick in campaigns against software build and distribution environments.
Organisations are certainly taking notice of this evolving threat as well; 85% of respondents in the Venafi survey said they “have been specifically instructed by the board or CEO to improve the security of software build and distribution environments.” To help CISOs and security leaders manage and mitigate supply chain cyber risk, we explore common attack vectors and CISA’s strategic recommendations for better software supply chain security.
Overview of the software supply chain
The demand for agile development has led to many organisations shifting to cloud-native development and adopting DevOps processes. While certainly beneficial, the speed of development has made the securing of software supply chains notably more complex.
To visualise the software supply chain, consider this model for the DevOps lifecycle. This software development method emphasises security through constant feedback and connectedness amongst all elements of the software lifecycle without slowing down build times for developers. In this graphic, you can see the connection between the DevOps lifecycle and the various external components that move it forward:
In DevOps software development, the process begins with a new requirement. While this diagram shows a single thread, in reality many third-party components and tools feed into each stage to help speed up the process.
Software supply chain attacks
This is where the problem lies: any of these components and tools can be exploited by cybercriminals, giving them access to a wide range of systems.
Consider these key attack vectors:
Data distribution services (DDS)
DDS is a machine-to-machine technology used for publish-subscribe middleware applications in real-time and embedded systems. Maintained by the Object Management Group (OMG), DDS plays a critical role in implementing reliable communication layers between sensors, controllers, and actuators. Because it sits at the very beginning of the chain, it is easy to lose sight of, and therefore an attractive target for malicious actors.
In January 2022, Trend Micro Research, TXOne Networks, and ZDI in collaboration with ADLINK Labs and Alias Robotics published an entry that included information on 13 new vulnerabilities for the six most common types of DDS implementations. They found that these new bugs could affect more than just DDS itself.
DDS vulnerabilities can be divided into those affecting the network layer and those at the configuration level. The former can be exploited for techniques such as denial-of-service (DoS) attacks, spoofing, and automated collection. Configuration-level vulnerabilities can be used to target DDS system developers and integrators.
Open source code
Most commonly, developers copy open source code from shared public repositories like GitHub to get everyday components. Why waste valuable time writing code to take a message from one field to another when someone else has already done it? This ease of use is why 90% of modern applications leverage open source code.
However, the unchecked nature of open source code can lead to crippling attacks like the one against Apache Log4j, a widely used open source logging library. A critical flaw in the Log4j logging framework allowed cybercriminals to compromise vulnerable systems with just a single malicious code injection. According to the FDA, it is estimated that Log4j impacted upwards of three billion medical devices that used Java.
System management tools
Version control systems manage the actual release and deployment processes. Once in production, third-party and open-source production environments host the application. While the system is running, automated operations tools handle the routine business of maintaining service levels, starting and stopping scheduled activities, and synchronising updates. A suite of systems management tools makes sure that production runs smoothly and resources are optimised.
Kaseya VSA, a popular IT management software product, was hit with a REvil ransomware attack in early 2021. The attackers exploited a vulnerability in the update mechanism, enabling them to distribute a malicious payload to the hosts managed by the software. The damage from the widespread attack extended well beyond the virtual world, with the Swedish supermarket chain Coop forced to close 800 stores for almost a week.
Developers also use purchased software products for things like updating a database, templating a web page, testing, and so on. These software products can contain exploitable vulnerabilities, such as Ripple20, a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc.
The impact of Ripple20 was magnified by the supply chain, demonstrating how a single vulnerable component can ripple outward to affect a wide range of industries, applications, and companies, including Fortune 500 multinational corporations. JSOF reported that the dissemination of the software library led to hundreds of millions of devices being impacted.
Improving software supply chain security
Evidently, the software supply chain can be exploited at multiple points, which makes securing it increasingly complex. To help organisations strengthen their defences, CISA published ICT SCRM Essentials, recommending six key steps to building an effective software supply chain security management practice:
- Identify: Determine who needs to be involved
- Manage: Develop your supply chain security policies and procedures based on industry standards and best practices, such as those published by NIST
- Assess: Understand your hardware, software, and services that you procure
- Know: Map your supply chain to better understand what components you procure
- Verify: Determine how your organisation will assess the security culture of suppliers
- Evaluate: Establish timeframes and systems for checking supply chain practices against guidelines
To get the most out of CISA’s framework, ensure your current security tools and vendors don’t slow down or create additional barriers at any of these steps. For example, you’ll need comprehensive visibility not only to discover and record all aspects of your digital attack surface, track updates and patches, and learn traffic patterns, but also to map every vendor or third party that accesses your data and assets. This level of visibility is a prerequisite for any specific mitigation tactic, especially in today’s widening digital attack surface.
Look for a vendor with a unified cybersecurity platform that supports broad third-party integrations, ensuring total oversight from a single dashboard across the software supply chain. Security capabilities such as automation, continuous monitoring, and deep data collection and correlation are also vital to enabling faster detection, response, and remediation of affected supply chain components.
For more information about managing and mitigating cyber risk like software supply chain security, check out the following resources: