October 25, 2022 | Supply Chain Blogs
Software supply chains have become increasingly vulnerable. And most organizations are not prepared to handle such risks.
SolarWinds, Kaseya and several other supply chain attacks have led technology firms to rethink their security procedures.
The SolarWinds attack was massive and impacted thousands of enterprises as well as government agencies.
In 2020, hackers secretly gained access to the Texas-based software company’s computers and corrupted its software. Unknowingly including the hacked code in software updates, SolarWinds distributed them to its clients. Hackers utilized the code to open a backdoor into customers' IT systems, which they then used to spread more malware and snoop on businesses and organizations.
Up to 18,000 of SolarWinds' clients installed updates, the company informed the SEC, making them vulnerable to hackers.
Between February 2015 and June 2019, there were 216 software supply chain attacks. This number grew to 929 between July 2019 and May 2020.
But in 2021, there were around 12,000 attacks to software supply chains, an increase of 650% from the previous year. So, how can software companies deal with these attacks and boost security?
There is little doubt that digitizing the software supply chain can expedite application development.
However, it can also pose serious security risks by hiding them in upstream artifacts or making the process of risk mitigation for external resources more difficult.
A single corrupted off-the-shelf component can expose many enterprises to risk. Attackers now have more attack angles and are many degrees away from their intended targets thanks to the sharp and steady development of code reuse and cloud-native methodologies. A threat actor can go down the supply chain by taking advantage of just one vulnerability, which allows them to steal sensitive information, install malware, and take control of systems.
Most of the existing software projects are composed of pre-made components that are either open source, supplied by outside software suppliers, produced as proprietary bespoke code, or used in conjunction with external APIs.
No longer are development teams required to create the full tech stack or write every line of code. Instead, businesses can include already-existing third-party resources and concentrate their efforts on writing new code that sets them apart from their competition.
The first step is to understand the threat landscape by mapping out the software supply chain. Software supply chain comprises the components, processes, and procedures involved in the development and distribution of software. It covers developer practices and development tools, deployment techniques and infrastructure, interfaces and protocols, and third-party and proprietary code. It is the organization's responsibility to carry out security procedures and show consumers proof of their security efforts.
Conduct a security audit to determine who has access to data and what they are doing with this data. This is vital for third-party vendors who may have vulnerable security controls in place.
Engineering and risk management leaders should be familiar with the supply, demand and risk dynamics relating to third-party open-source ecosystems to speed up digital innovation without compromising quality or security. Open-source rules should be rigorously defined and automatically applied at every stage of the software supply chain.
Teams working on various applications must seamlessly communicate with one another, and data must be gathered from every tool in use. To link everything into a single system that provides useful analytics to the correct people where they need it, a holistic strategy might be applied. Any supply chain must meet this essential criterion; hence, creating specific integration management solutions is imperative.
Author: Steve Jose