Several of the most significant and notorious cyberattacks in the last decade resulted from a breakdown in security within the software supply chain. While SolarWinds stands out as the most famous example, it was not the only one. Attacks on companies like Equifax and tools such as MOVEit also caused chaos for both organizations and customers, leading to the compromise of sensitive information.
A further rise in software supply chain attacks is anticipated. According to the report “The State of Software Supply Chain Security 2024” by ReversingLabs, these attacks are becoming both more prevalent and easier to carry out.
“For instance, Operation Brainleeches, which ReversingLabs identified in July, displayed traits of software supply chain attacks that support generic phishing attempts using malicious email attachments to collect logins for Microsoft.com,” mentioned the report.
The escalation in software supply chain attacks is attributed to their increased simplicity. The ReversingLabs report revealed a 1,300% surge in threats originating from open-source package repositories last year. That’s the distressing part of the story.
Fortunately, both cybersecurity teams and governmental bodies have acknowledged the threats posed by the software supply chain. Consequently, there is significant effort being directed towards defending against these attacks and reinforcing security measures before software is released into the market.
Who holds authority over the software?
According to Xin Qiu, Sr. Director of Security Product Marketing and Management at CommScope, determining who controls the software and the device is a pivotal aspect of software supply chain security. That question narrows down to the developers and system engineers who design the software and build the systems. The dilemma arises from a lack of collaboration within organizations, which hinders effective control.
Companies possess numerous tools; however, these tools are scattered across different departments, leading to siloed operations. This framework necessitates a transformation.
The body primarily spearheading efforts to enhance software supply chain security is the federal government, through technical regulations and legislation.
“To boost your software supply chain security, adhering to a universal standard is imperative,” mentioned Qiu. “I believe this approach effectively bridges existing gaps.”
Noteworthy actions taken by governmental bodies include the Executive Order (EO) by the Biden administration, emphasizing the nation’s cybersecurity with a particular emphasis on safeguarding the software supply chain. In parallel to this EO, a cross-industry coalition representing various government agencies, known as the Enduring Security Framework (ESF) Software Supply Chain Working Panel, developed a detailed guide outlining recommended security practices in the software supply chain for developers. Additionally, NIST has devised a framework to fortify the software supply chain.
Four emerging trends in security solutions for the software supply chain
While governmental guidelines and regulations play a significant role, organizations must equip themselves with tools, solutions, and processes empowering developers, engineers, and IT security teams to address risks within the software supply chain. Various ideas and tools, some initiated by the government, are gaining traction in the battle against vulnerabilities and threats.
1. Embedding security into the core
At RSAC2024, CISA Director Jen Easterly and a group of cybersecurity experts discussed CISA’s initiative of Embedding Security into the Core. This concept entails integrating security into products, making it a fundamental business aspect and essential technical requirement rather than treating security as an afterthought. Companies are encouraged to implement Secure by Design principles during the product’s design phase to significantly reduce exploitable vulnerabilities before the product’s widespread use.
During the event, the initial cohort of businesses that committed to the Embedding Security into the Core initiative was introduced. Participating in this pledge entails a genuine effort from software manufacturers to work towards outlined goals over the following year. These objectives include implementing standards like MFA, eliminating default passwords, and enhancing transparency regarding vulnerability disclosure and reporting. Over 200 organizations have pledged their commitment so far.
2. Documentation of software components
A Software Bill of Materials (SBOM) is a detailed listing of all the components that make up a software application, including open-source elements, third-party contributions, patch status, and licensing details. SBOMs have become an integral part of the software supply chain security setup and are endorsed by CISA, which also uses them as a basis for developer initiatives that share ideas and experience in areas like scaling, operations, technology, tools, and practical applications.
SBOMs assist organizations in identifying risks, particularly in third-party and proprietary software packages. They aid in tracking vulnerabilities across distinct components, ensuring compliance, and enabling better security decision-making by enhancing awareness of software’s individual parts.
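As an added example, not code from the article or from CISA, the following Python audit reads an SBOM in CycloneDX JSON layout and cross-checks each component against an advisory list and a licence policy, which is the kind of "tracking vulnerabilities across distinct components" the text describes. The SBOM contents, the advisory identifiers and the licence policy are constructed placeholders, not real packages, advisories or any organisation's policy.

```python
"""Audit a CycloneDX-style SBOM against an advisory list and a licence policy.
Added example; the SBOM, advisories and policy below are constructed sample data."""
import json

# Constructed sample SBOM using CycloneDX JSON field names (not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "exampleparser", "version": "1.2.0",
     "purl": "pkg:pypi/exampleparser@1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "legacycrypto", "version": "0.9.1",
     "purl": "pkg:pypi/legacycrypto@0.9.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "netutils", "version": "3.0.4",
     "purl": "pkg:pypi/netutils@3.0.4"}
  ]
}"""

# Constructed advisories: (component name, affected versions, placeholder advisory id).
# A real pipeline would pull these from a vulnerability database keyed by purl.
ADVISORIES = [
    ("legacycrypto", {"0.9.0", "0.9.1"}, "ADV-PLACEHOLDER-001"),
    ("netutils", {"2.9.9"}, "ADV-PLACEHOLDER-002"),
]
# Hypothetical organisational policy: licences not permitted in shipped products.
DISALLOWED_LICENSES = {"GPL-3.0-only"}


def audit_sbom(sbom_text, advisories=ADVISORIES, disallowed=DISALLOWED_LICENSES):
    """Return (name, version, finding) tuples for vulnerable or policy-violating parts."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp.get("version", "")
        for adv_name, bad_versions, adv_id in advisories:
            if name == adv_name and version in bad_versions:
                findings.append((name, version, f"vulnerable: {adv_id}"))
        # SPDX licence ids declared for this component (empty set if none declared).
        licenses = {e["license"]["id"] for e in comp.get("licenses", [])
                    if "id" in e.get("license", {})}
        if not licenses:  # an undeclared licence is itself a compliance gap
            findings.append((name, version, "license: undeclared"))
        for lic in sorted(licenses & disallowed):
            findings.append((name, version, f"license: {lic} disallowed"))
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON):
        print(*finding)
```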
3. Security guidelines for software artifacts
The Security Levels for Software Artifacts (SLSA) framework is designed to uphold the integrity of software components. As a checklist of standards, SLSA aims to elevate the overall integrity of software, prevent tampering and exploitation, and maintain the security of infrastructure and application packages. This structured framework, rooted in Google’s production workflows, provides a systematic approach to evaluating the security posture of software components throughout the supply chain.
4. Governance, risk, and compliance (GRC) oversight
GRC management is employed to mitigate security risks in software development supply chains while ensuring compliance with mandated regulations and security benchmarks. GRC monitoring encompasses various areas such as:
- Identifying risks across the entire software supply chain
- Evaluating vendor risks and assessing third-party security stances before integrating their software into the organization’s system
- Managing compliance to meet industry and government standards
- Enforcing policies across the development lifecycle
- Implementing incident response strategies after a cybersecurity event originating in the software supply chain
GRC management tools can be seamlessly integrated with SBOM analysis.
The unfolding challenges of securing the software supply chain
This serves as merely a glimpse into the array of tools and solutions utilized to shield the software supply chain from risks. By consciously embedding security into software development and fostering collaborative information-sharing among developers and engineers, rather than operating in isolation, there exists a tangible opportunity to mitigate threats directed at the software supply chain.