It’s a race to secure the software supply chain. Have you tripped already?

It’s a race to secure the software supply chain.  Have you tripped already?

The digital world is becoming more complex and interconnected, and that is more evident than in software supply chains. Our ability to build on other software components means we innovate faster and create better products and services for everyone. But our reliance on third-party software and open source adds complexity to how we must defend digital infrastructure.

Our recent survey of cybersecurity professionals found that a third of respondents monitor less than 75% of their attack surface, and nearly 20% believe that more than half of their attack surface is unknown or unobservable. Log4Shell, Kaseya, and SolarWinds exposed how these statistics can manifest as devastating breaches with far-reaching consequences. Cybercriminals already know that supply chains are highly vulnerable to exploitation.

Why insecure software supply chains are everyone’s problem

Last year, a threat actor exploited a vulnerability in the Virtual System Administrator (VSA) provider Kaseya to inject REvil ransomware into the code for VSAs. Kaseya supported thousands of managed service providers (MSPs) and businesses, and his breach compromised a critical network within thousands of organizations. Consequently, the internal systems of these organizations were also compromised.

The ripple effect Kaseya had on its customers can happen to any organization using a third-party software vendor. the The European Union Cybersecurity Agency (ENISA) analyzed 24 recent attacks on the software supply chain and concluded that strong security protection is no longer enough. The report found that supply chain attacks increased in number and sophistication in 2020, continued in 2021, and according to recent attacks for Lapsus$, it is likely to last until 2022.

Similar to third-party software vendors, but to an even greater extent, open source code has a devastating impact on digital function if left unsafe: the havoc wrought by Log4Shell illustrates this. These consequences are due in part to the fact that open source software remains central to almost all modern digital infrastructures and all software supply chains. The average app uses over 500 open source components. However, the limited resources, training, and time available to maintainers who volunteer to support projects mean they have difficulty remediating vulnerabilities. These factors are likely to have contributed to high-risk open source vulnerabilities stay in code for years.

This problem demands immediate action. That is why the National Institute of Standards and Technology (NIST) released its safety guidelines in February. But why are we still so slow to try to secure the software supply chain effectively? Because it’s hard to know where to start. It’s challenging to keep up with security updates for your own software and new products, let alone keep an eye on other vendors to ensure they meet your organization’s standards. To add further complexity, many of the open source components that underpin the digital infrastructure lack adequate resources for project maintainers to keep these components completely secure.

Start

So how do we secure it? It all seems pretty daunting, but this is where you can start.

First, get your house in order and identify your attack resistance gap: the space between what organizations can defend and what they need to defend. Learn about your supply chain and implement strategies that set teams up for success:

  • Require a software bill of materials (SBOM) and maintain an accurate inventory of your organization’s software licenses so you know which vendors, programs, and networks could put you at risk. Open source software components are especially difficult to document; the Linux Foundation Y International Organization for Standardization (ISO)
    have resources to help organizations determine an approach to tracking and identifying open source for their SBOMs.
  • Get a clear understanding of how your software (current or future purchases) supports or otherwise relates to your critical processes. Knowledge of this relationship empowers security teams to make the business case for prioritizing security and better understanding which elements of the business will be put at risk depending on the vulnerable vendor or component.
  • Move ownership of software security to the earliest stages of development. Known as “shift left,” this makes developers aware of security standards, so the security and development teams collaborate to build secure products and reduce the number of patches that have already been deployed.

Then, enforce your strategies and standards to keep your organization and the collective Internet safe:

  • Evaluate each software vendor based on incident readiness and establish accountability. Including a supplier in your supply chain is an expression of trust, and you should only extend this trust when you believe that partner is worthy. Transparency throughout your organization and supply chain is key to excellent incident response. You can also use language from successful legacy programs for incident response and disclosure to inform guidelines.
  • Adopt a clear integrity framework and a detailed vendor onboarding process. The framework should include documentation on how each vendor’s software license supports their organization and the security tools they use internally.
  • Develop a strategy to improve security. of open source components and contribute to their safety through organizations dedicated to supporting the maintenance of the projects. Contributing to open source projects reduces risk to your organization and everyone who uses open source code.

Most of the cybersecurity community is familiar with Murphy’s Law: “Anything that can go wrong will go wrong” defines the mindset of anyone working in this field. And if my experience in this industry has taught me anything, you just have to do your best to keep up with the inevitable increase in the challenges, risks and complexity of protecting digital assets. Part of staying ahead of these challenges is staying highly proactive when it comes to your security best practices, and if you haven’t already adequately secured your software supply chain, you’re already behind. But even if you’ve gotten off to a false start, the good news is that it’s never too late to get back on your feet.

Leave a Comment