Supply Chain Council of European Union | Scceu.org

3 Pillars to Software Supply Chain Security

GUEST OPINION by Lawrence Crowther, Head of Solutions Engineering, Snyk: Software supply chain attacks have accelerated in recent years, aiming to hit organisations’ developer environments.

There have been regular instances of successful attacks, including Kaseya’s hack in July 2021 after an attacker was able to bypass its authentication method and inject malicious code, or the SolarWinds attack in December 2020, impacting 18,000 customers after an attacker exploited a vulnerability in its IT management software. In fact, these major attacks just seem to be the tip of the iceberg, with Gartner predicting that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

Why are threat actors increasingly interested in targeting this environment?

The software supply chain is the sum of all activities required by an organisation to build, produce and distribute software. It can be compared with manufacturing supply chains where, traditionally, a variety of activities transform raw materials into finished products.

In comparison, in the software supply chain, development processes transform code and other third-party components into software, involving development teams, tools, and processes for building, packaging, and deploying the application, as well as the infrastructure used to run it.

Modern software development has made the software supply chain more complex than it was only a few years ago, and therefore harder to protect. This growing complexity is due to growing consumer expectations for better products and apps, the rapid evolution of technology opening new possibilities especially around cloud technologies, the move towards CI/CD and DevOps practices, or the increased use of external services when building software.

As organisations build up their security posture, the software development and distribution channels may lack sufficient protection to match the rest of the network. Therefore, infecting software in these stages of the life cycle with malicious code increases the chances of going undetected and thus of successfully infiltrating the network. These changes and trends have resulted in extremely complex software supply chains that provide malicious actors a larger target to attack.

Building a framework for software supply chain security

Because this space is constantly evolving and is very much an active field of research, there are various frameworks for software supply chain security being proposed. However, here are the three main pillars organisations should focus on to strengthen their software supply chain security.

1. Secure your code

As the raw material and key ingredient used in the software supply chain, code integrity should be one of the fundamental steps in tightening software supply chain security, whether it is developed in-house or pulled from an external source.

Because it is core to the process, it is also the hardest one to secure, and there are numerous considerations for organisations looking at securing their code. They include identifying vulnerabilities in open source packages, securing containers, building and maintaining a Software Bill of Materials (SBOM), detecting flaws in customer code, or using infrastructure as code (IaC). Tools that deliver Software Composition Analysis (SCA), Source Code Analysis (SAST) or IaC security are options security leaders can look at to reinforce their code security postures. You should also consider securing the third-party apps that other vendors provide you. This can be done using new and emerging standards for SBOMs, such as SPDX and CycloneDX, to inspect the hidden vulnerabilities within those products.
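To illustrate the SBOM inspection described above, the following added example (not from the article or from any vendor tool) reads a CycloneDX-format SBOM and flags components that fall below the fixed version in an advisory list. The SBOM, the package names and the advisory IDs are all constructed for the example, and versions are assumed to be simple dotted numbers.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical vendor product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample", "version": "2.3.1",
     "purl": "pkg:npm/libexample@2.3.1"},
    {"type": "library", "name": "parserkit", "version": "1.10.0",
     "purl": "pkg:pypi/parserkit@1.10.0"},
    {"type": "library", "name": "netutil", "version": "0.9.4",
     "purl": "pkg:npm/netutil@0.9.4"}
  ]
}
"""

# Constructed advisory data: package URL without version -> first fixed version.
ADVISORIES = {
    "pkg:npm/libexample": {"id": "EXAMPLE-0001", "fixed_in": "2.4.0"},
    "pkg:pypi/parserkit": {"id": "EXAMPLE-0002", "fixed_in": "1.9.0"},
}

def version_key(version):
    """Turn '1.10.0' into (1, 10, 0) so that 1.10.0 sorts above 1.9.0."""
    return tuple(int(part) for part in version.split("."))

def find_vulnerable(sbom_text, advisories):
    """Return (name, version, advisory id, fixed version) for affected components."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        package = purl.rsplit("@", 1)[0]  # strip the trailing @version
        adv = advisories.get(package)
        if adv and version_key(comp["version"]) < version_key(adv["fixed_in"]):
            findings.append((comp["name"], comp["version"], adv["id"], adv["fixed_in"]))
    return findings

if __name__ == "__main__":
    for name, ver, adv_id, fixed in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{name} {ver}: {adv_id}, upgrade to >= {fixed}")
```

Comparing versions as number tuples matters here: a plain string comparison would wrongly report parserkit 1.10.0 as older than the fixed 1.9.0.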

2. Secure your pipelines

Development workflows or pipelines represent the different tools, processes, and methodologies that transform raw materials (i.e. code) into a product. Software supply chain attacks often target this stage, leveraging the fact that it can give cybercriminals access to customer resources and sensitive data.

In the software supply chain, the build process or assembly line is responsible for compiling various codes into a software build. The complexity of this stage can enable malicious actors to weasel their way through required authentication and compromise the integrity of a build pipeline. For example, in October 2021, GitHub discovered that attackers had used GitHub Actions to bypass required review and push unreviewed and malicious code to a protected branch. This has since been fixed but highlights the importance of securing pipelines and the careful examination of the tools and infrastructure used.

Source code management systems (SCM) are another key link in the software supply chain that attracts attackers. Because the SCM acts as the central hub for the software development cycle, an attacker who is able to infiltrate it can gain access to the software source code, modify configurations, inject malicious code, hijack credentials, or even provision vulnerable infrastructure. Modern SCMs provide specialised features and configuration settings such as access policy controls and branch protection that can be leveraged to harden security. These mechanisms are not always enabled by default and must be explicitly set.
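Because branch protection has to be set explicitly, it is worth auditing. The following added example (not part of the original article) checks a branch protection rule for common hardening gaps; the two sample rules are constructed in the shape of the JSON returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection, and the function names are hypothetical.

```python
# Constructed samples shaped like the JSON returned by GitHub's REST endpoint
# GET /repos/{owner}/{repo}/branches/{branch}/protection.
WEAK_RULE = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": False,
    },
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
HARDENED_RULE = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

def _enabled(rule, key):
    """Toggle settings are nested as {"enabled": bool}; absent means off."""
    return bool((rule.get(key) or {}).get("enabled", False))

def audit_branch_protection(rule):
    """Return a list of hardening gaps; an empty list means none were found."""
    if not rule:  # caller passes None when the branch has no rule at all
        return ["branch has no protection rule"]
    gaps = []
    reviews = rule.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("merges do not require an approving review")
    elif not reviews.get("dismiss_stale_reviews", False):
        gaps.append("approvals are not dismissed when new commits are pushed")
    if not rule.get("required_status_checks"):
        gaps.append("no status checks are required before merging")
    if not _enabled(rule, "enforce_admins"):
        gaps.append("administrators are exempt from the rule")
    if _enabled(rule, "allow_force_pushes"):
        gaps.append("force pushes are allowed")
    if _enabled(rule, "allow_deletions"):
        gaps.append("the branch can be deleted")
    return gaps

if __name__ == "__main__":
    for gap in audit_branch_protection(WEAK_RULE):
        print("GAP:", gap)
```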

3. DevSecOps

Development, Security, and Operations – also known as DevSecOps – refers to the integration of security practices across the entire IT lifecycle, based on the cultural foundation that delivering secure software is a shared responsibility. Although there are historical challenges in establishing this culture among development teams, it brings many benefits that organisations should try to demonstrate over and over again to achieve a true DevSecOps approach.

These include faster delivery, decreased costs, and a stronger security posture, all contributing to greater overall business success. The key elements of the model align well with a software supply chain security framework, such as integrating security as early as possible during and throughout software development, and automating security testing and validation to minimise human error. In the context of software supply chain security, DevSecOps also reduces the likelihood of an attacker compromising a development pipeline.

Conclusion

Supply chain attacks are very much an evolving phenomenon, as are the guidelines to help mitigate the threat. However, security leaders need to understand the core pillars that can help strengthen the security framework of a software supply chain to build a business’ resilience and work with other stakeholders in the software development process to ensure the foundations are addressed.
