Software Supply Chain Security: Beware of the Upcoming SolarWinds
After recent massive cyberattacks like SolarWinds, which have focused on the software supply chain, software developers and vendors are rushing to test every software component in their supply chain.
A supply chain attack can have a ripple effect and dire consequences for your organization and your customers. Since the attackers are not resting, we know that the next attack is never far away.
How to avoid the next disaster? To be ahead of attackers, organizations must develop a supply chain security strategy.
Why Organizations Should Focus on Software Supply Chain Security
Last year we saw entire infrastructures shut down as a result of supply chain attacks. These attacks are quick, and by the time you can react, the damage is done.
Supply chain attacks are very attractive to malicious actors because they offer maximum impact for minimal effort. By finding the weakest link in a supply chain, an attacker can move through the network and infect every customer down the line.
The success of the SolarWinds, Microsoft and Colonial Pipeline attacks encourages attackers to continue and shows that no one is safe from this type of attack. According to Eva Velasquez, CEO of the Identity Theft Resource Center (ITRC), supply chain attacks, among others, show a trend in which cybercriminals seek to exploit multiple organizations through a single point of attack. The ITRC report found that 137 organizations reported an attack on their supply chains through third-party vendors.
Financially motivated criminals and nation states are leading this type of attack, and the trend is expected to intensify sharply in 2021, according to a report by the European Union Agency for Cybersecurity (ENISA).
The report provides some worrying statistics regarding supply chain attacks:
- Between January 2020 and July 2021, 24 supply chain attacks were reported in Europe.
- 50% of attacks are attributed to known groups of advanced persistent threats.
- 62% of attacks come from a trusted provider.
- 58% of supply chain attacks aimed at gaining access to data.
How to develop a strong software supply chain security strategy
Organizations need to put supply chain attacks on the list of threats they must protect against. Software development companies are particularly at risk: an attacker who compromises software through an update can potentially compromise an entire network of customers and business associates.
Governments are planning new cybersecurity regulations. The Biden administration is implementing executive orders to secure the software supply chain and make the software bill of materials (SBOM) a mandatory requirement.
Here are four areas where organizations can increase awareness and visibility of software supply chain security:
Shift security to the left
This approach integrates security testing into the development lifecycle. When applied to a DevOps environment, it is known as DevSecOps. It produces faster and more secure development because security tests run before the software is sent to production.
Taking the leap into DevSecOps can help developers find and fix vulnerabilities and exploitable errors early on. The downside to this approach is that developers often have to take care of security tasks in addition to their own.
Adopt the Zero Trust Architecture
The U.S. government executive order recommends that every migration to cloud technology adopt a zero trust architecture. This means adopting a security posture that assumes compromise has already occurred, and modernizing capabilities so that threats are detected and responded to proactively.
Use vulnerability detection tools
The rapid pace of DevSecOps requires securing the pipeline without slowing down. With new guidelines coming to support supply chain security, organizations must take advantage of automated tools.
Developers can use automated tools to detect malicious packages and new software supply chain security risks, such as dependency confusion vulnerabilities. Automation can also help organizations streamline processes such as creating software bills of materials (SBOMs).
Include third parties in security policies
You need to research your supply chain and identify who your critical customers are. Assess their security maturity and demand that all systems be updated and patched. Buyers, on the other hand, need to identify critical technology vendors and demand a consistent patch policy. By involving all stakeholders in security strategies, you reduce the risk of weak links.
Develop a transparent software bill of materials
Understanding the components of your software is essential to preventing attacks. Because most software developed today contains open source components, you cannot have a transparent SBOM if you cannot identify the origin of all of them. The SBOM is not only a regulatory requirement but a necessary step to ensure the security of the software for you and for your customers.
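The origin check described above, as an added example that is not part of the original article: it audits a constructed, CycloneDX-style SBOM for components with no identifiable origin (no purl or hash) and for the dependency confusion case the previous section mentions, where a name that belongs to a hypothetical organization's private index is served from a public registry. The package names, hashes and the internal-package list are all made up.

```python
"""Audit a minimal CycloneDX-style SBOM for two supply chain risks:
components whose origin cannot be identified, and dependency confusion
(an internal package name resolved from a public registry)."""

# Constructed sample SBOM: field names follow CycloneDX JSON, data is made up.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"name": "acme-billing", "version": "1.4.2",
         "purl": "pkg:pypi/acme-billing@1.4.2",   # internal name, public source
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        {"name": "legacy-util", "version": "0.9"},  # no purl, no hash
    ],
}

# Hypothetical names the organization publishes only on its private index.
INTERNAL_PACKAGES = {"acme-billing", "acme-auth"}
PUBLIC_REGISTRIES = {"pypi", "npm", "maven", "nuget", "gem", "cargo"}


def purl_type(purl):
    """Return the package type of a purl ('pkg:pypi/x@1' -> 'pypi'), or None."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0].lower()


def audit_sbom(sbom, internal_packages=INTERNAL_PACKAGES):
    """Return (component name, finding) pairs for every risky component."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        ptype = purl_type(comp.get("purl"))
        if ptype is None:
            findings.append((name, "unknown-origin: no purl"))
        if not comp.get("hashes"):
            findings.append((name, "unverifiable: no hash"))
        if name in internal_packages and ptype in PUBLIC_REGISTRIES:
            findings.append((name, f"dependency-confusion: internal name served from {ptype}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_sbom(SAMPLE_SBOM):
        print(f"{name}: {finding}")
```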
Securing the software supply chain is the responsibility of all stakeholders
No one in the supply chain is safe from attack, from suppliers to the last distributor or customer. Preventing supply chain attacks requires a coordinated approach across the whole chain in which each party improves its own security posture. By integrating security as early as possible in the development process, securing the origin of the software and ensuring there are no weak points in the chain, we can make the attacker's task more difficult.
About the Author:
Daan Smit is a writer of Dutch origin who lives in Asia. He writes feature articles, global news and technology articles. His work explores issues related to business psychology, data science and cybersecurity.
Editorial Note: The views of the author are not necessarily those of iTWire.