There are a couple reasons why software supply chain attacks have increased by a whopping 600%: first, it’s easy to find and exploit security vulnerabilities, and secondly, it only requires one compromised application or open software project to affect the entire supply chain.
A Trend Micro Research global survey reported that 52% of organisations have a supply chain partner that has been hit by ransomware. In response to the uptick of attacks, President Biden issued an executive order to improve software supply chain security. Furthermore, 85% of respondents in the Venafi survey said they “have been specifically instructed by the board of CEO to improve the security of software build and distribution environments.”
To help CISOs and security teams manage and mitigate supply chain risk, we explore common attacks vectors and CISA’s strategic security practices for better supply chain cybersecurity.
Overview of the software supply chain
The demand for agile development has led to many organisations shifting to cloud-native development tools and adopting DevOps processes. However, the increased speed of development has led to security issues and made the securing of software supply chains notably more complex.
To visualise the software supply chain, consider this model for the DevOps CI/CD pipeline. This software development lifecycle emphasises security through constant feedback and connectedness amongst all elements of the software lifecycle without slowing down build times for developers. In this graphic, you can see the connection between the DevOps lifecycle and the various external components that move it forward:
Software supply chain attacks
It is here wherein the problem lies: any of these components and development tools can be exploited by cybercriminals, enabling them to access a wide range of systems and sensitive data.
The software supply chain includes:
Data distribution services (DDS)
DDS is a machine-to-machine technology used for publish-subscribe middleware applications in real-time and embedded systems. Maintained by the Object Management Group (OMG), DDS plays a critical role in implementing reliable communication layers between sensors, controllers, and actuators. It is located at the beginning of the chain, making it easy to lose sight of, and therefore, an attractive target for malicious actors.
In January 2022, Trend Micro Research, TXOne Networks, and Trend Micro™ Zero Day Intitiative™ (ZDI) in collaboration with ADLINK Labs and Alias Robotics published an entry that included information on 13 new vulnerabilities for the six most common types of DDS implementations. They found that these new bugs could affect more than just DDS itself.
DDS vulnerabilities can be divided into those affecting the network layer or configuration level. The former can be exploited to implement malicious techniques like denial-of-service (DOS) attacks, spoofing, and automated collection. Configuration-level vulnerabilities can be used to target DDS system developers and integrators.
Open source components
Developers often copy open source code from shared public libraries like Github to get everyday components. Why waste valuable time writing code to take a message from one field to another when someone else has already done it? The ease of use is why 90% of modern applications leverage open source code.
However, many organisations lack insight into open source dependencies. The unchecked nature of open source code can lead to crippling attacks like Apache Log4j, a widely used open source software. Cybercriminals exploited a critical flaw in the Log4j logging framework and inserted malicious code to compromise vulnerable systems. It is estimated that Log4j impacted upwards of three billion medical devices that used Java, according to the FDA.
System management tools
Version control systems manage the actual release and deployment processes. Once in production, third-party and open-source production environments host the application. While the system is running, automated operations tools handle the routine business of maintaining service levels, starting and stopping scheduled activities, and synchronising updates. A suite of systems management tools makes sure that production runs smoothly and resources are optimised.
Kaseya VSA, a popular tech management software, was hit with a REvil ransomware attack in early 2021. The attackers exploited a vulnerability in the update mechanism, enabling them to distribute a malicious payload through the hosts managed by the software. The damage from the widespread attack extended well beyond the virtual world, with a Swedish supermarket chain Coop forced to close 800 stores for almost a week.
Developers also use purchased software products for things like updating a database, templating a web page, testing, and so on. These software products can be exploited by security vulnerabilities, such as Ripple20, a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc.
The impact of Ripple 20 was magnified by the supply chain; demonstrating how a single vulnerable component can ripple outward to affect a wide range of industries, applications, and companies including Fortune 500 multinational corporations. JSOF reported that the dissemination of the software library led to hundreds of millions of devices being impacted.
How to improve software supply chain security
Evidently, the software supply chain can be exploited at multiple points, which makes securing it increasingly complex. To help organisations reduce supply chain security risk, CISA recommends six key steps:
- Identify: Determine who needs to be involved
- Manage: Develop your supply chain security policies and procedures based on industry standards and best practices, such as those published by NIST
- Assess: Understand your hardware, software, and services that you procure
- Know: Map your supply chain to better understand what component you procure
- Verify: Determine how your organisation will assess the security culture of suppliers
- Evaluate: Establish timeframes and systems for checking supply chain practices against guidelines
Furthermore, consider adding a software asset management tool to get a handle on what’s installed and can automate processes to manage and generate software bill of materials (SBOM).
Lastly, a vendor with a unified cybersecurity platform that supports broad third-party integrations, ensuring total oversight from a single dashboard across the software supply chain. Security capabilities such as software composition analysis (SCA), automation, continuous monitoring, and deep data collection and correlation are also vital to enabling faster detection, response, and remediation of affected supply chain components.
For more information on cyber risk management and mitigation, check out the following resources: