In the complex web of today's global supply chain, silent hackers are striking at the very heart of businesses' digital fortresses, taking advantage of the landscape’s continuous expansion in both magnitude and intricacy. The specter of cyberthreats has thus become an ominous convergence of technology and theft, which reached the forefront of supply chain security concerns.
Infiltrating IT and software systems with stealthy precision, these threats, ranging from unauthorized ERP access to malware nestled within purchased, open source, or proprietary software, capitalize on unsuspecting vulnerabilities, crippling organizations' defenses from within. The gravity of the situation becomes evident when considering that businesses need to ensure the efficiency and security of their operational flow. The imperative to build a global supply chain fortified against evolving threats becomes all the more pressing.
In this exploration, we will focus on software supply chain attacks and navigate through the cybersecurity pitfalls, also unveiling the strategies to create a strongly fortified firewall around your digital infrastructure.
The dark territory of supply chain attacks
Supply chain attacks are digital warfare tactics aimed at exploiting the vulnerabilities lurking within an organization's supply chain. Industry agnostic, these attacks transcend sector boundaries, making every sector from finance to government, oil to technology, retail to pharmaceutical, susceptible to attackers’ jobs.
Although supply chain attacks encompass both software and hardware domains, one of the most potent forms of supply chain attacks takes the form of assaults on the software supply chain – the foundational pillar of business operations.
Software supply chain attacks
Within this domain, organizations rely on software services for seamless functioning. A software supply chain offers quite a wide range of opportunities for hackers to exploit as it consists of:
- elements of the software development lifecycle (SDLC) process - e.g. build systems, development, testing environments
- open source or third-party software used as components in the business’ software
- open source platforms like WordPress or Magento that are used directly by companies
- vendors providing professional services, consulting, or development services
- partners who store or process data on behalf of the enterprise
- cloud services among which IaaS, PaaS, and SaaS
- previous suppliers who still hold company data or access to IT systems
Attackers adeptly infiltrate the defense perimeter by implanting malicious code into third-party components like APIs and open source code, which developers commonly incorporate into their applications. This can lead to the transformation of legitimate software into a vehicle of malice, allowing the attackers to infiltrate hidden backdoors and compromise users.
The domino effect: Risks and consequences of supply chain attacks
The landscape of supply chain attacks is intricate since the exploitation of a single shared resource can set off a chain reaction with far-reaching consequences. Amidst the myriad players in this industry, including importers, manufacturers, carriers, and logistics providers, a common thread is obvious: bad actors attack multiple targets through the compromise of a lone, communal vulnerability.
In an era characterized by globalization, decentralization, digitalization, and outsourcing, the act of information sharing with suppliers becomes both a necessity and a threat. A supply chain attack isn't merely an isolated event; it is a cascade of repercussions for businesses, suppliers, and resellers who intertwine computer networks and share sensitive data. A breach of one organization from the entire chain can result in a synchronized downfall that resonates far beyond the initial target.
The array of vulnerabilities drag along potential consequences, each more damaging than the last. Unraveled supply chains can yield unnecessary costs and exposure of intellectual property, personal and confidential data, which can affect consumer trust and open doors to unwanted lawsuits.
Without a strong risk management process in place, the potential loss is multi-faceted – financial, operational, reputational.
Prevailing concrete software supply chain challenges and practical case studies
Attackers use a diverse array of tactics, each meticulously crafted to breach defenses and seize sensitive information. From ingenious social engineering ploys that manipulate employees to those exploiting vulnerabilities, each approach harbors distinct objectives. Below are the most prevalent software supply chain attack mechanisms and imperatives:
1. Event-stream pack tools
Compromised developer tools can be exemplified by instances when attackers target software "event-stream" packages. In events like these, a developer tool is tainted with malicious code by a project maintainer. This alteration then proliferates through subsequent updates, infiltrating unsuspecting systems that rely on the tool.
This attack vector capitalizes on the widespread use of popular third-party software packages, which becomes the perfect ground for hackers to exploit vulnerabilities and compromise a multitude of businesses through their interconnected software ecosystem.
2. Open source packages
Bad actors can, for instance, attack an infrastructure monitoring platform and exploit the trust associated with widely used open source packages. The compromised payload, originating from a reputable source, is infused with malware. As this malevolent payload spreads through users, who rely on the package for various applications, a domino effect of compromise unfolds.
3. Access to credentials from a third proprietary software
A critical facet within the supply chain territory pertains to the targeting of third-party proprietary software. An example here would be breaches resulting from compromised credentials. In these scenarios, cyber attackers exploit vulnerabilities in the company's Docker image creation process, infiltrating the business' documentation and script. Thus, the tool's installation process within CI environments are altered, effectively opening a gateway to unauthorized access and manipulation.
It is no wonder that supply chain attacks have increasingly become a cause for concern, especially considering the mentioned tactics. Let’s delve into some of the most resounding software supply chain issues that have unfolded recently:
1. Apache Log4j vulnerability
Being called the “biggest vulnerability in decades”, the Apache Log4j is an extreme case in terms of supply chain attacks, which was publicly disclosed in December 2021. This allows malicious actors to achieve remote access to applications employing Log4j. Subsequently, they can compromise the core servers and network infrastructure, effectively turning the Log4j exploit into an open gateway to an organization's entire IT infrastructure.
In December 2020, SolarWinds, a company specializing in network management software, fell victim to a cyberattack that led to a significant breach affecting numerous government agencies and private corporations. This attack impacted a grand total of 18,000 customers and businesses. The source of the attack was identified as a malicious software update that had been inserted into SolarWinds' Orion software.
3. Okta breach
In March 2022, Okta disclosed that 366 corporate customers, namely almost 2.5% of its customer base, were impacted by a security breach that allowed unauthorized access to the company's internal network. The breach was attributed to a subprocessor responsible for providing customer support services to Okta.
Supply chain security & software risk management
Supply chain security, a pivotal subset of supply chain management, encompasses the orchestration of external suppliers, vendors, logistics, and transportation. Its fundamental mission resides in the identification, analysis, and mitigation of risks that emerge when an organization intertwines its operations with external entities.
On the other hand, software supply chain security constitutes a vigilant strategy aimed at apprehending and mitigating risks within software apps that are either custom developed or provided by a third party. Its multi-layered practice centers on the identification and management of vulnerabilities embedded in the technologies and processes in the software creation process.
In essence, its purview extends beyond the boundaries of code, encompassing protocols, regulations, training, and technology that collectively create an end-to-end, secure chain of custody.
This security ecosystem demands an acute awareness of third-party risk management (TPRM), which involves identifying, assessing, and controlling risks as a consequence of interactions with third parties. TPRM policies aim to ensure that third parties:
- adhere to regulatory requirements
- uphold ethical conduct
- safeguard sensitive data
- enhance the security of the supply chain
- foster a safe and productive work environment
- manage disruptions proficiently
- attain elevated standards of performance and quality
Strengthening software supply chain security through effective risk management solutions
Given the diverse nature of supply chains across different entities and the involvement of numerous organizations, a universally prescribed set of supply chain security guidelines or best practices has yet to crystallize. In light of this, we will delve into the core solutions essential for boosting software supply chain security.
1. In-depth defense strategy
An in-depth defense strategy stands as a cornerstone for enhancing overall supply chain security. The below arsenal of practices can stand as a shield against emerging threats:
- Conduct security strategy assessments while aligning with local laws and governance policies.
- Execute penetration and vulnerability testing on partners involved in data sharing.
- Implement authentication for all data transmissions and requestors.
- Employ permissions or role-based access controls for data management.
- Mandate minimum cybersecurity standards or specific best practice benchmarks for vendors and resellers.
- Engage certified third-party auditors to validate potential partners.
- Provide comprehensive training to employees to heighten awareness of changes and anomalies.
- Regularly scrutinize open source and vendor source code through audits.
- Constrict access and permissions of third-party programs.
- Employ network-level scanning, behavioral analysis, and intrusion detection for timely breach identification.
- Establish a responsive action plan for addressing identified threats promptly.
- Refer to relevant governmental guidelines and regulations tailored to any particular region.
These activities are commonly employed by our Security team in the projects we have been involved in. In our whitepaper “Exposing the weaknesses: The Benefits of Penetration Testing”, we divulge an example of how we discovered potential vulnerabilities through voluntary pentest exercises.
EXPOSING THE WEAKNESSES:
2. Incorporate Security into the Software development lifecycle (SDLC)
Secure Software Development Life Cycle (SSDLC), is a framework that integrates security practices into the traditional Software Development Life Cycle (SDLC). It includes security considerations and activities at every phase of the SDLC, from design and coding to testing and deployment.
The goal of SSDLC is to identify and mitigate security risks early in the development process, ensuring that the final software product is more resistant to vulnerabilities and threats. Working closely with development teams and our customers, our Security & Data Protection team has managed to implement the OWASP Software Assurance Maturity Model that offers a practical and quantifiable means to assess and enhance the software security stance.
In addition, during threat modeling exercises, we have analyzed and mitigated the risks associated with the software supply chain. In a threat modeling exercise, the supply chain is an essential aspect to consider, especially in modern software development practices that heavily rely on third-party components and dependencies. Also, we have generated and monitored all the dependencies our applications rely on, also called SBOM, which will be covered below.
3. Software Bill of Materials (SBOM)
SBOM is a detailed inventory that enumerates all the components, dependencies, and third-party software used in the creation of a software application, including open source libraries, frameworks, modules, and proprietary components. This inventory provides visibility into the underlying software's composition, the versions of the used assets, and potential vulnerabilities.
Software Bill of Materials can also be generated automatically using SCA - software composition analysis - solutions. SCA scans through the codebase to pinpoint open source libraries, frameworks, and other third-party software components, which are further compared against databases of known vulnerabilities and security issues. Businesses can take proactive measures, apply patches, updates, or alternative components that are more secure, and ensure compliance with licensing and legal requirements.
Zitec’s customers benefited from our Security support as we have implemented various scanners directly into the software development pipeline. These scanners are built on Gitlab or Azure DevOps, which in return, help us create a list of the project’s dependencies and their particular but critical details, including their known vulnerabilities.
SBOM empowers organizations to manage their software supply chain, assess security risks, and effectively respond to threats or licensing concerns. Depending on the SBOM process, there are several benefits that businesses can take advantage of:
- Facilitates the monitoring of application components for vulnerabilities within organizations
- Enables the creation of lists categorizing the approved and non-approved software components
- Assists organizations in recognizing and substituting components that are approaching the end of their operational lifespan
- Reduces the time invested by engineering and security teams in code identification and evaluation
- Empowers organizations to swiftly verify their vulnerability against recently disclosed security issues
- Assists teams in taking proactive measures to tackle challenges stemming from components nearing their end-of-life phase
- Facilitates precise evaluations of an organization's risk landscape and well-informed strategies for risk alleviation
Safeguarding the future by forging resilient paths in supply chain security
In a rapidly advancing era of digitization, the specter of supply chain attacks underscores the urgency of protecting each asset within the complexity of interconnected operations. Beyond being a mere security imperative, this endeavor has evolved into a mandate for fostering resilience in the face of relentless adversities.
Embracing security risk management measures emerges as the course of action for businesses navigating the landscape of software supply chain security. With threats diversifying and intensifying, the role of proactive risk management cannot be overstated. Responding to existing threats and anticipating vulnerabilities in partnership with external stakeholders become the bedrock of a robust and resilient supply chain.
As businesses march onward into an increasingly interconnected digital domain, Zitec’s practice of software security management serves as a strong defense against the disruptive factors that aim to undermine the foundation of trust and advancement.