With a steady increase in the usage of open-source software by enterprises, software ecosystems are exposed to third-party software components that leave them vulnerable to attacks. Since these components are non-proprietary, cybercriminals exploit their design flaws to infiltrate internal systems and compromise the entire supply chain, giving rise to what is known as a supply chain cyber attack. These attacks are remarkable in their scope, sophistication, and impact.
The past year saw a number of high-profile supply chain attacks that illuminated how the cybersecurity landscape continues to evolve and grow more dangerous. This revelation points to the fact that there needs to be more effective ways to prevent supply chain cyber-attacks, perhaps, by enhancing the software supply chain security. So, let’s look into some best practices to do so.
1. Vendor transparency
A supply chain has components from multiple vendors which means multiple pathways for a malicious code to enter the internal system. Therefore, organizations need to make sure that they are carefully vetting all vendors before introducing any new components into their CI/CD pipeline. Since a supply chain could have a multitude of vendors, vetting every single one of them can get cumbersome. So to make this process easier, organizations can create a standardized set of principles and use reputable suppliers. In addition to this, it is of paramount importance that an organization know about the architecture of every tool that goes into their software so as to fix vulnerable design flaws before they are targeted. And the onus of relaying this information lies with the vendors who need to maintain a level of complete transparency.
2. Security as code
Even after careful vetting of vendors and taking other security practices into consideration, there are ways that malicious actors can exploit certain vulnerabilities to infiltrate a supply chain. This is where Security as Code (SaC) comes into the picture as it enables building security right into the CI/CD pipeline. Embedding security right at the development stage helps secure the entire deployment process from commit to release. Making security a significant part of the software development workflow helps identify vulnerable parts and introduce security measures proactively. The best way to introduce security into a code is by choosing a security tool that enables transparency across the entire supply chain, enforces continuous security at all stages of the software development process, and automates validity checks at every release.
3. Reduce dependency confusion attacks
Dependency confusion, aka “namesake confusion”, is a flaw in the way software development tools pull third-party components from private and public repositories. In a dependency confusion attack, anyone can be tricked into installing a malicious dependency instead of the one they intended to install. The malware is introduced into a network by overriding private-use packages with malicious public packages with the same name but a higher version number. And by default, many tools download and execute higher version number packages thus installing malicious components unknowingly.
Since a supply chain ecosystem consists of various open-source dependencies that are constantly pulled, this design flaw is ideal for attackers to exploit and enter the internal systems. The best way to avoid dependency attacks is by using scoped packages that lock the namespace of a package so that it can be mapped to a specific user thus eliminating the possibility of substitution. Additionally, updating the libraries only when required, introducing package reviewing, and establishing strict dependency management practices can further help reduce dependency attacks.
4. Establish an integrated risk strategy
A software supply chain is a large, complicated system consisting of multiple steps involving multiple vendors. Hence, it’s impractical to think that it will ever be completely secure. This is precisely why it’s smart to have a risk strategy in place in order to recover when all security practices fail and there is a successful infiltration. A risk strategy involves conducting a risk level assessment and establishing a recovery plan.
A risk level assessment is done based on a supplier’s software vulnerabilities and an organization’s security measures. As discussed above, it’s important to have complete vendor transparency to ensure the legitimacy of any new component being introduced into a company’s trusted network. When it comes to organizations, there needs to be a security assessment that helps them gauge their security posture and evaluate the level of risk.
Having a well thought out recovery plan is the key to smart risk management. There needs to be a reliable backup reservoir so that any data is not lost after a breach or a malicious attack. This can be done in quite a few ways but the most interesting one in the market right now is “backup-as-a-service”. This is a service provided by a few vendors which help organizations create a secure backup of their data in the cloud.
Software development is a constantly evolving ecosystem with new attack vectors being discovered regularly. When these vectors are combined with a complex system like that of a supply chain, the chances of risk multiply by a hundred. Hence, it is paramount to have a well-thought and well-laid security plan to secure the software supply chain. Additionally, since most risks are outwardly and unavoidable at some point, it is smart for organizations to educate their employees. Employees, especially developers should have an understanding of the risks and the precautions to take in order to ensure a secure software supply chain.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.