More than a year after the SolarWinds Sunburst attack and most companies are still exposed to software supply chain attacks.
In a study conducted by Argon Security at Aqua Security, it was found that the majority of companies didn’t implement software supply chain security measures and that most organizations are still at risk.
“Unfortunately, most security teams lack the resources, budget and knowledge to deal with supply chain attacks,” said Eran Orzel, head of Argon’s sales and customer teams. “Implementing strong security over the software supply chain takes time and organizations need to prioritize this now to be able to secure their process and application against the next attack wave.”
In the modern world, one of the hottest targets for cyberattacks are software development supply chains. When attackers launch a supply chain attack, they are throwing a wide net that could affect thousands of companies in a single attack. These attacks also have a big economic impact on the customer-vendor relationships of targeted companies that depend on their cloud security vendors and are trusting the software updates of their software vendors.
Closing the Gaps
The Argon study identified three primary areas of risk affecting software supply chain security posture. Closing these security gaps should be a top priority.
1. Vulnerable Packages: There are two attacks vectors that leverage open source packages. The first is exploiting existing vulnerabilities discovered in open source packages and leveraging them to execute the attack. (Example: The recent Log4j cyberattacks.) The second vector, package poisoning, is more proactive; the attacker takes control of a popular package/public repository and injects malicious code into the open source packages. Developers or pipeline tools then add it as part of the application build process. (Example: us-parser-js package poisoning.)