Mitigating Lurking Threats in the Software Supply Chain

Software supply chain security threats and vulnerabilities aren’t new. What is new is the velocity and growing number of attacks and threats. Recognizing that this growing problem could also threaten national security, the NSA released guidance on mitigating supply chain threats late last year.

A recent report from ReversingLabs provides context for the vast number of security threats lurking in software supply chains. The report identified almost 11,200 unique malicious packages across major free and open source software (FOSS) platforms in 2023, a 1,300% increase from 2020. This is an astounding increase in threats, each one aimed at weak links in the software supply chain that threaten company security and could potentially tarnish organizations’ brands as well as the trusted relationships they’ve built with third-party vendors and partners.

Companies will continue to leverage FOSS, as they should, because it reduces the total cost of ownership by eliminating maintenance, upgrade and support fees and by avoiding vendor lock-in. Beyond cost savings, FOSS also contributes to innovation by driving improvements and enhancements that result in a continuously evolving and improving software ecosystem.

The first step to addressing supply chain vulnerabilities and threats is to understand the most common attacks. Once these are identified, the appropriate corrective actions can be taken. Some of the top types of attacks include:

Code Injection: The SolarWinds breach is a good example of code injection: attackers inserted a backdoor into the Orion software updates. In most cases, malicious code is injected into a piece of software that is then distributed to multiple organizations, usually the customers of the company that owns the software.
Code Substitution: Attackers replace legitimate code with malicious code in a software component, either by compromising the source code repository or by tampering with the software distribution channel. In the ASUS Live Update attack, malicious actors hijacked the ASUS update server and delivered malicious updates to ASUS users.
Code Compromise: Attackers exploit a vulnerability or a misconfiguration in the software development or delivery process to compromise the code. To illustrate, the NotPetya attack involved hackers exploiting a vulnerability in the M.E.Doc accounting software to deliver ransomware to Ukrainian organizations.

Effective Strategies to Protect Internal and External Supply Chains

As FOSS continues to gain popularity, organizations must adopt tighter security measures to protect the company’s data and IT assets at all costs. Software bills of materials (SBOMs) play an increasingly important role in enhancing software supply chain security by promoting transparency and accountability. SBOMs are also highly effective in enhancing risk management and compliance best practices.

It’s also necessary to establish and cultivate a security culture within the organization and educate employees on the risks and best practices of software supply chain security. This includes adopting secure software development practices, such as code reviews, testing, and scanning, and following the NIST secure software development framework (SSDF).

Dev teams should also apply the “principle of least privilege” to software components and users by limiting their access to the minimum necessary resources and permissions. Implementing strong encryption and digital signatures to protect the confidentiality and integrity of software components and data is also imperative.

Finally, it can’t be said enough that IT teams must update and patch software components regularly and verify the authenticity and integrity of software updates before installing them.

External protection policies should be equally important. This includes performing due diligence on third-party software vendors and suppliers and verifying their security policies and practices. But that’s just the first step. It’s critical to establish clear contracts and service level agreements (SLAs) with third-party suppliers and define the roles and responsibilities of each party in the software supply chain.

Final Thoughts on Securing the Software Supply Chain

Securing the software supply chain doesn’t stop at the contract. Companies must protect themselves by being proactive, continually monitoring and auditing the software supply chain for any anomalies or suspicious activities as well as using tools such as SBOMs to track the provenance and integrity of software components.
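The integrity check recommended above (verifying updates before installing them, and using an SBOM to track component provenance) can be put into practice as follows. This is an added example, not code from the article or from Platform.sh; the SBOM layout is a simplified CycloneDX-style structure, and the artifact bytes are constructed sample data that includes one substituted file, one missing file and one file the SBOM never listed.

```python
import hashlib
from typing import Dict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the artifact bytes the supplier published and hashed into its SBOM.
PUBLISHED = {
    "libalpha-1.2.0.tar.gz": b"libalpha 1.2.0 release contents",
    "beta-tool-3.4.1.whl": b"beta-tool 3.4.1 release contents",
    "gamma-sdk-0.9.0.zip": b"gamma-sdk 0.9.0 release contents",
}

# Constructed minimal CycloneDX-style SBOM (simplified layout, not a real vendor document).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": name, "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
        for name, data in PUBLISHED.items()
    ],
}

# Constructed sample of what actually arrived through the distribution channel:
# one artifact was swapped (code substitution), one never arrived, one extra file appeared.
RECEIVED = {
    "libalpha-1.2.0.tar.gz": b"libalpha 1.2.0 release contents",
    "beta-tool-3.4.1.whl": b"beta-tool 3.4.1 release contents + unexpected extra bytes",
    "unlisted-helper.sh": b"not in the SBOM at all",
}

def verify_against_sbom(sbom: dict, received: Dict[str, bytes]) -> Dict[str, str]:
    """Compare received artifacts with the SBOM; return artifact name -> verdict.

    Verdicts: 'ok', 'hash-mismatch' (possible substitution), 'no-digest' (SBOM
    entry lacks a SHA-256), 'missing' (listed but not delivered) and 'unlisted'
    (delivered but absent from the SBOM). Anything but 'ok' should block install.
    """
    results: Dict[str, str] = {}
    for comp in sbom["components"]:
        expected = next((h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256"), None)
        data = received.get(comp["name"])
        if data is None:
            results[comp["name"]] = "missing"
        elif expected is None:
            results[comp["name"]] = "no-digest"
        else:
            results[comp["name"]] = "ok" if sha256_hex(data) == expected else "hash-mismatch"
    for name in received:  # anything delivered that the SBOM does not account for
        results.setdefault(name, "unlisted")
    return results

def safe_to_install(results: Dict[str, str]) -> bool:
    """Install only when every listed component verified and nothing unlisted arrived."""
    return all(v == "ok" for v in results.values())
```

Running `verify_against_sbom(SBOM, RECEIVED)` yields one hash mismatch, one missing component and one unlisted file, so `safe_to_install` returns False and the batch should be held for review rather than installed.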

Joey Stanford

Joey Stanford brings more than 30 years of experience to his role as the VP of Privacy and Security at Platform.sh. Prior to joining Platform.sh he managed information security and devops programs for companies in the U.S., France, and the U.K. With a passion for free and open source software, Stanford is responsible for global security, data management and compliance, and ensuring Platform.sh is a trusted custodian of their customers’ data.