
Securing the Software Supply Chain and mitigating the threat

SolarWinds and Log4j have made software supply chain security a topic of intense scrutiny for enterprises and governments around the world.

Software supply chain attacks, generally carried out by profit-driven threat actors and nation-state actors, are constantly rising. They can have significant impacts on both the digital and physical worlds.

In 2020, a major U.S. IT firm, SolarWinds, was breached when attackers launched malicious code via its IT monitoring and management software, a platform used by large enterprises and government agencies. The hackers infiltrated not only SolarWinds but their customers as well. In 2021, a remote execution vulnerability in Apache’s Log4j turned the security world on its ear and left countless users and organizations susceptible to data breaches and attacks.

Since 2021, there has been a 650% YoY increase in software supply chain attacks. In 2021, the president of the United States highlighted the importance of software supply chains and security with two White House executive orders, Supply Chains and Improving the Nation's Cybersecurity, directing the heads of several federal organizations to create security guidelines surrounding the software they consume and operate. Aimed at bolstering the nation's cybersecurity profile, the orders have prompted all organizations to review their security practices to ensure their infrastructure, applications and networks are secured.

Software Supply Chains

Modern software development frameworks and approaches focus on speed and reliability. Most software today isn’t written from scratch – it’s a combination of software artifacts written from scratch and reusable code, both containing open source software. However, these software artifacts are subject to vulnerabilities, and developers have less control over source code from a third party or any changes made to a software artifact over time.

A software supply chain is made up of everything and everyone that touches the code in the end-to-end software development lifecycle, from development to deployment: all the code, people, systems, and processes. The supply chain includes a network of information about the application and its components, such as infrastructure, operating systems, services and dependencies, the people who wrote them, and the sources they come from, such as artifact or code repositories or open source projects.

Broadly, the composition can be categorized as -

  • Code you write, its dependencies and the components you use to develop, package and run your software
  • Processes and Policies for code review, code testing, monitoring and review comments and code commit approval process
  • Tools or Systems you use to develop, build, store and run your software and its dependencies

Why is Software Supply Chain Security a Challenge?

Given the broad reach and complexity of the software supply chain, there are numerous ways for attackers to introduce unauthorized changes to the software that you deliver to your customers and these attack vectors span across the software lifecycle. While some attacks are targeted, other threats enter the supply chain through weaknesses we generally ignore in people, process and tools involved in the supply chain.

Process gaps such as lack of code review or security configurations used for deployment can allow bad code to unintentionally enter the supply chain. Similarly, bad code can get into the software if the source code is built outside the trusted version control system, or if the application is deployed from systems outside of your trusted build system and artifact repositories.

Availability of and demand for open source packages in software applications continue to grow, with a 73% year-over-year increase since 2021. Vulnerabilities are most common in the most popular open source projects, and these vulnerabilities get into the software code that ultimately reaches your customer's network.

In response to organizations taking more steps to secure their applications, attackers have had to get more creative in their own methods. The sharp and continuous rise of "code reuse" and "cloud-native" approaches has provided attackers with additional angles to mount attacks several degrees of separation away from their intended targets. Exploiting just one weakness opens the door for a threat actor to traverse down the supply chain, where they can steal sensitive data, inject malicious code, and take control of entire software systems, including your customer's network or software systems.

Because software is essential to successful business operations, supply chain security is a critical responsibility of every organization. Risks include leaked credentials, exposure of confidential data, corruption of data, installation of malicious code, and application outages, all of which result in loss of time, money, and customer trust. To protect the integrity of your software and your customer's software systems, it's important to understand your security posture: how prepared you are to detect, respond to, and remediate threats.

Software Supply Chain Security is the act of securing the components, activities, and practices involved in the creation and deployment of software applications. This includes securing your own proprietary code, third-party code like open-source software, infrastructure, deployment models, dependent services, development tools and all other components used in the software supply chain. It combines cybersecurity best practices to help protect the software supply chain from potential vulnerabilities and attacks.

There are multiple threats that can compromise the security state of your application. 

  • Insecure code - writing code that unintentionally includes vulnerabilities or committing bad code to the source code repository not only pushes malicious code further but also unintentionally introduces vulnerabilities for any possible attack
  • Build Pipeline - building with source code that is not from a trusted source control system, packaging and publishing software that was built outside the regular process or a compromised source code repository pose new security threats
  • Dependencies that a build uses the first time can be different from dependencies that the build uses in future executions. Bad actors can take advantage of this to cause your build to choose their package version instead of your version
  • Deployment - if you are using a continuous deployment (CD) process, compromising the process can introduce unwanted changes to the software that you deliver to your customers.
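
The dependency threat above (a later build resolving a different package than the first one) can be checked for mechanically. The following is an added example, not part of the original post: it audits a pip requirements file for entries that are not pinned to an exact version or lack a sha256 hash. The sample file, package list and placeholder digest are constructed for illustration.

```python
import re

PLACEHOLDER_HASH = "0" * 64  # constructed placeholder, not a real digest

# Constructed sample requirements file (not from the original post).
SAMPLE = f"""\
# constructed sample
requests==2.31.0 \\
    --hash=sha256:{PLACEHOLDER_HASH}
urllib3>=1.26
internal-utils
flask==3.0.0
"""

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
EXACT_PIN = re.compile(r"^==\s*[^*\s,;]+$")      # one exact version, no wildcard
SHA256 = re.compile(r"--hash=sha256:[0-9a-f]{64}(?:\s|$)")


def audit_requirements(text):
    """Return {package: [findings]} for entries that can resolve differently
    on a later build (unpinned version) or accept altered content (no hash)."""
    logical = text.replace("\\\n", " ")           # join pip line continuations
    findings = {}
    for raw in logical.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(("#", "-")):
            continue                              # comment or global option line
        match = REQ.match(line)
        if not match:
            continue
        name, rest = match.groups()
        spec = rest.split("--", 1)[0].strip()     # specifier before per-line options
        problems = []
        if not EXACT_PIN.match(spec):
            problems.append("version not pinned with ==")
        if not SHA256.search(rest):
            problems.append("no --hash=sha256 digest")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for pkg, problems in audit_requirements(SAMPLE).items():
        print(f"{pkg}: {'; '.join(problems)}")
```

Once every entry passes, installing with pip's `--require-hashes` option makes the build fail rather than silently accept a package whose content differs from the recorded digest.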

A common misconception is that software supply chain security is the same as application security. While the software supply chain is made up of everything that touches the code, application security protects "the code itself" from attacks, and strengthening the security of your supply chain in turn increases application security.

How to mitigate the security risk?

Software supply chain security is important to your organization as well as to your customers. While you don't want to be breached, you also do not want to be responsible for another organization encountering a similar event. 

Risk to any component of the software supply chain carries a potential risk to every software artifact relying on that component. It provides hackers the opportunity to insert malicious code to compromise software components and their associated supply chains. Just imagine: a security vulnerability in 3rd party open source software that you use in your software application can potentially increase the security exposure of your customer's network and software systems (if your software is running in or connecting to your customer's environment).

Implementing security for your software supply chain is the key. However, it is important to understand the different risks to the software supply chain that in turn impact your organization and your customers.

  • Dependencies on any organization as part of your software supply chain - analyze all dependencies on third party code, software publishers and vendors, and assess them to know how secure they are.
  • Vulnerabilities are loopholes in your code or dependent components that could be exploited, leading to a breach. So, it is important to do continuous security assessment to identify the vulnerabilities that should be patched to minimize the risk.
  • Patent Rights - licensing is a legal risk that could obligate you to make any resulting software artifacts open source and nullify patent rights. 
  • Processes and policies for your software development methodologies, practices, frameworks, and playbooks for developing and deploying software applications as well as your response plan to a security attack.

Modern development frameworks lack guidance that helps organizations understand threats to their software and assess their ability to detect threats and implement mitigations in response. I am highlighting some of the security best practices that developers, security teams and DevOps teams should consider to minimize the software supply chain security risk:

  • Know the software publishers and vendors you do business with. Conduct risk assessments to evaluate their cybersecurity exposure and related policies
  • Ensure all people involved in the process of writing and deploying software applications are well trained to be aware of security best practices, tools and methodologies to develop and deploy secure software
  • Publish and consume the Software Bill of Materials (SBOM) and include vendor dependencies in source control
  • Assess the security and trustworthiness of the 3rd party code or open source software that you use in your software code
  • Design a threat model for your software applications and identify the attack surface. Do continuous automated security assessments to identify the vulnerabilities and take corrective measures to patch or fix them to minimize the security exposure
  • Restrict access to the source control system and other systems in your build pipeline, and use multi-factor authentication, which helps to mitigate the risk of compromising the source control system
  • Provide least privilege access to resources across the supply chain such as developer tools, CI/CD pipeline, source code repositories, and other systems.
  • Harden the security of all your infrastructure, connected machines and data transfer methods and regularly patch vulnerable systems.
  • Developers and DevOps should consider secure coding practices, CI/CD pipelines, infrastructure provisioning and other security-focused initiatives to securely build and deploy code
  • Deploy automated tools to continuously test and monitor deployed applications for threats
  • Embrace Supply-chain Levels for Software Artifacts (SLSA), which includes the ability to digitally sign your software artifacts.
  • DevSecOps is an approach to culture, automation, and software design that integrates security as a shared responsibility throughout the entire software development lifecycle. DevSecOps means thinking about application and infrastructure security from the start and automating security controls to ensure the pipeline is secured. Integrate the DevSecOps pipeline with automated security testing tools such as Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST) and assess continuously to identify the security exposure.
  • In addition to the practice of shifting left on security and using CI/CD in implementing security practices, reproducible builds, automated testing, incremental updates, etc. can ensure better software supply chain security
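
Consuming an SBOM, as recommended in the list above, is only useful if it matches what the build actually ships. The following is an added example, not part of the original post: it reads a CycloneDX-format JSON SBOM and compares its declared libraries with the set a build resolved. The SBOM content, the `acme-*` component names and the resolved set are constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM (sample data, not from the original post).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.4.1"},
    {"type": "library", "name": "acme-json", "version": "1.0.3"},
    {"type": "library", "name": "acme-legacy", "version": "0.9.0"}
  ]
}
"""

# Constructed view of what the build actually resolved (e.g. from a lock file).
RESOLVED = {"acme-http": "2.4.1", "acme-json": "1.1.0", "acme-telemetry": "3.2.0"}


def sbom_components(sbom_text):
    """Map library name -> version from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return {
        c["name"].lower(): c.get("version", "")
        for c in doc.get("components", [])
        if c.get("type") == "library" and "name" in c
    }


def diff_against_build(sbom_text, resolved):
    """Compare declared components with the resolved build set."""
    declared = sbom_components(sbom_text)
    built = {name.lower(): version for name, version in resolved.items()}
    shared = declared.keys() & built.keys()
    return {
        # shipped but never declared: invisible to vulnerability matching
        "undeclared": sorted(built.keys() - declared.keys()),
        # declared but not shipped: the SBOM is stale
        "not_in_build": sorted(declared.keys() - built.keys()),
        # declared version differs from the version that was built
        "version_mismatch": sorted(
            (n, declared[n], built[n]) for n in shared if declared[n] != built[n]
        ),
    }
```

Running this as a pipeline gate lets a release fail when any of the three lists is non-empty, so the published SBOM stays an accurate record of the artifact.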
Conclusion

Software supply chain attacks rely on exploiting the trust between software publishers and users. When attackers compromise software that is signed and certified, and no additional protection mechanisms are in place, customers are exposed further. The basic principle for avoiding becoming a victim of a software supply chain attack is not just to adopt the best security software but also to secure the entire software development pipeline: writing secure code, securing source code repositories, securing the build system, implementing security best practices in the CI/CD pipeline and the entire DevOps lifecycle, and ensuring users, systems and networks are well secured. So, I would recommend relying on modern, preventive security practices, tools and methodologies that can detect novel threats at machine speed to ensure a secure code-to-production lifecycle.

The same article is posted on my Medium site as well. Please do read and share your comments.
