The most recent ENISA (European Union Agency for Cybersecurity) report on cybersecurity listed supply chain attacks as one of the prime identified threats to the cyber landscape. Cyber attacks are on the rise, alarmingly so, and most recently, some of the most successful attacks have been through the software supply chain. Cybercriminals are aggressively targeting open source software, which is worrying, given how integrated open source software is into the modern business landscape.
Recently, a chilling example of a supply chain attack is the SolarWinds attack over 2020-2021. Many U.S. government agencies were compromised, including the U.S. Departments of Defense, Energy, Treasury, Homeland Security, State, Health, and Commerce. In the private sector, huge players such as Intel, Cisco, and Microsoft were affected. An estimated 18,000 organizations were affected by this attack. This article will look at software supply chain security and ways to address software supply chain threats.
What is a Software Supply Chain?
While the term, supply chain, is primarily used in manufacturing, it is a workable analogy for software. A manufacturer has the design for a product. To build the product, they source their materials, often pre-built, and use teams of people to customize the materials and develop their product. The product is also tested, especially if it’s designed to be under stress. These days, software is built from parts (often open source) and involves many different developers, systems, and teams to get to a finished product that’s been tested and can function in various environments. The definition of the software supply chain is further expanded to include anything that affects your software’s deliverability.
Security Threats to the Software Supply Chain
Vulnerabilities in third-party or open source software can create software supply chain threats. This is a pervasive issue because of the widespread use of open-source software. The average project uses hundreds of open source dependencies. 99% of codebases were built with open source code, and a high percentage-85%-97%- of enterprises have codebases with open source code. In short, if one of your dependencies has a vulnerability, so do you. And vulnerabilities don’t just mean to attack; a well-meaning mistake plus an unpatched vulnerability can have serious consequences.
How to Secure a Software Supply Chain
1. Be Aware of Vulnerabilities
The first essential step of securing your software supply chain is to be aware of vulnerabilities as soon as possible because once you’re aware, you can implement a rapid response. Unfortunately, many organizations aren’t aware of a vulnerability until many days after it is disclosed. The more rapidly your organization can respond to a vulnerability with a security patch, the less likely that vulnerability can be exploited.
No discussion of vulnerabilities would be complete without addressing vulnerability databases. These platforms are designed to collect, maintain and disseminate pertinent information about any discovered vulnerabilities. The National Vulnerability Database (NVD) is operated by the National Institute of Standards and Technology (NIST), and it includes vulnerability information from Common Vulnerabilities and Exposures (CVE). Another vulnerability database of note is CERT, which is part of the Software Engineering Institute. Without these databases, it would be almost impossible to understand the vulnerabilities in any software.
2. Implement an SBOM
Deep visibility of your software supply chain allows your organization to take security steps after discovering a vulnerability. Once a vulnerability is detected, if your organization doesn’t know what software is connected to the exposure, it can’t take the next security steps.
Documentation or a formal Software Bill of Materials (SBOM) is becoming a crucial security step, and many organizations, including now the U.S. Government, won’t work with an organization without one. (Did you know that SBOM is another term borrowed from the manufacturing industry?) An SBOM provides a basic understanding of third-party elements in your code and is a machine-readable list. This list specifies all the open source components and dependencies within a software program. Not only will an SBOM improve your security, but it will also improve compliance and will build trust with your customers.
3. Use a Block-List of Components
Creating a block-list of components makes problems in software easy to identify and quarantine off to the side. This involves communication between developers and community members. Once harmful components are flagged, they can’t make their way into production. One way to keep these flagged components out of production is to set a framework to track them and keep them from being used.
4. Remove all EOL Code
Vigilance is needed to ensure that all code that has reached the end-of-life stage (EOL) is removed from service. Outdated and unsupported code can lead to vulnerabilities and risks to your software supply chain. When it’s time to shut down a code base, be prepared with an alternative. Or perhaps removing functionality makes the most sense.
5. Use Security Experts
One way to secure your software supply chain is by working with software security experts from Encora. They have years of experience working at the forefront of software supply chain security. They can help your organization shore up its defenses against the rising attacks against open source code. Our skilled team of software engineers will improve your organization’s security and penetration testing. We also utilize Agile tenets and will tap into its power to ensure that your organization’s software testing and performance monitoring are increasingly effective as a way to maintain your organization’s security. Contact us today to get started!