Mitigating Intentional and Unintentional Risks in Software Supply Chains

October 16, 2023

There’s been increasing concerns over software supply risks the last couple of years. However, concern about inadequacies of software suppliers’ capabilities to build and deliver secure software isn’t new.

 

In the late 2000s, the U.S. Department of Homeland Security’s Build Security In initiative had a working group that I co-chaired on this topic. The intent of the working group — which included representatives from industry, academia and government — was to help acquirers buy software that was more resistant to attack, had fewer vulnerabilities and minimized operational risks to the greatest extent possible. Looking back on my 2007 presentation, you can see things haven’t changed much, though the use of open-source software (OSS) has exploded since then.

 

Image
Mitigating Intentional and Unintentional Risks in Software Supply Chain_img1.png

 

While cybersecurity practitioners like me tried to address software supply chain risks in the past, we honestly didn’t get much traction. What we lacked were significant, highly publicized, triggering events to motivate change in the software buyer’s behavior. That’s changed due to some significant supply chain-based attacks and zero-day vulnerabilities. A great example of why the issue can no longer be ignored is the SolarWinds Sunburst attack.

 

The SolarWinds attack was strategic. With over 75% of the Fortune 1000 as customers, attacking a company like SolarWinds, in turn, took out not only them but impacted the thousands of customers that used their system. Often overlooked software tools and systems that, if attacked, could have a major impact on an employee or client base.

 

So, how are decision makers reacting? Research from Pulse showed that 29% view securing their software supply chain as a very high priority, whereas 42% believe that OSS is the primary entry point for attackers.

 

This reuse of code has major benefits for the software industry, reducing development time and costs and allowing developers to add functionality faster. However, it also generates major vulnerability management problems due to the complex system of dependencies that are often hard to track. If these software artifacts are consumed without proper security vetting, the developers are unintentionally introducing risks to their software.

 

As a result, developers can be unintentional insiders by consuming insecure OSS components or libraries. Vetting OSS with manual methods doesn’t scale to keep pace with development. You need transparency and an automated method to assess risk of these components. This enables development teams to continue to use OSS but do so safely and at the velocity they need.

 

External threats, like the Sunburst threat actor, target the intentional injection of malicious code into dependencies. The attacker targets a software supplier, but the attack affects its customers.

 

 

A report by the European Union Agency for Cybersecurity formally defined the four key characteristics present in a supply chain attack to include:

 

  1. Attack techniques used to compromise the supplier: Exploiting software or a configuration vulnerability, brute-forcing credentials or social engineering
  2. Supplier assets targeted in the attack

    • If the target is software code, the idea is to get the customer to download and execute this code.
    • If the target is data, then this data can be used in phishing attacks. If the data is a private key, it could be used to create digital certificates in a man-in-the-middle attack.
  3. Attack techniques used to compromise the customer: When downloading malicious code through an automatic software update, the attack is exploiting a previously established trust relationship.
  4. Customer assets targeted in the attack: This is the main target of the attack. It includes stealing and modifying data, performing money transfers or sending spam.

 

It’s understandable as to why securing software supply chains is one of the trends that we continue to see as a driver in application security.

 

Given the increase in intentional and unintentional threats to the supply chain, development management should establish governance practices that help ensure that software supplied to their customers isn’t a conduit for malicious or vulnerable code. Many organizations are establishing formal cyber supply chain risk management (C-SCRM) programs to manage and measure OSS component and software supply chain risks.

 

A new driver to create C-SCRM programs is in the Rev5 of the U.S FedRAMP program requirements. Rev5 calls for implementing a SCRM process that involves scrutinizing vendors and sources of hardware, software and firmware to ensure that counterfeits and adulterated products are not used in the CSP’s cloud system. I think we are going to see other regulatory bodies start pushing for greater risk management in software (and other) supply chains, so we need to be prepared.

 

Follow these links for more information on ways to understand and protect against supply chain attacks:

 

Stan Wisseman
Chief Security Strategist for North America | OpenText
Stan Wisseman leads the Security Strategist team for OpenText Cybersecurity in North America. Stan has over 30 years of cybersecurity experience and has built security into products, systems, software, and enterprises. Prior to joining OpenText (formerly HP) in 2014, Stan served as the Chief Information Security Officer for Fannie Mae with responsibilities for information security and business resiliency across the organization. With regards to AppSec, Stan started the NoVA OWASP chapter, co-chaired the acquisition security working group for the DHS Build-Security-In initiative, led Software Security consulting practices, and helped start the application security program at Fannie Mae. A frequent speaker and author, Wisseman also co-hosts the Reimagining Cyber podcast, which explores the next generation of thinking on where cybersecurity is heading.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.