Software development, platform technology, and delivery pipelines are mission-critical elements in every modern enterprise and also a place for security incidents. Increased velocity and the removal of manual steps through automation create additional risks.
The Open Web Application Security Project (OWASP) notes the threat of using components with known vulnerabilities as one of the top risks in software development.
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs developed with vulnerable components, undermine application defenses, and enable various attacks and impacts.
Other industries have understood the need to manage risk along the supply chain. Documenting the origin of raw materials, testing the quality of supplied materials, and overall ensuring the integrity of their supply chains. Examples are the medical, automotive, aerospace, and mechanical engineering industries.
Let’s look at the traditional supply chain security of the cargo industry where the threats are terrorism, theft, and piracy.
Activities to protect the supply chain in this industry include:
- Credentialing of participants in the supply chain
- Screening and validating the contents of cargo being shipped
- Advance notification of the contents to the destination country
- Ensuring the security of cargo while in transit via the use of locks and tamper-proof seals
- Real-time tracking of the cargo while in transit via GPS
- Inspecting cargo on entry
Comparing those efforts with the care being taken for the software supply chain in even big companies, illustrates the gap. Attackers have shifted their focus from operating systems and networks directly to applications and they don’t care how the weakness got there in the first place.
Opportunities
The “Ain’t nobody got time for software supply chain security” attitude is widespread. There is a lot of pressure on delivery, and security is often an afterthought. Instead, customer growth, agility, and product delivery are the key performance indicators.
It’s important to explain to non-technical decision-makers the importance of risk reduction in the supply chain of the software product. Leaking data and industrial espionage are just two of many threats to companies with unchecked or weak software supply chain security.
Attack vectors
Malicious Commits to Open-Source Projects
A software project consists of up to 90% of open source components, nowadays. Modern software development relies on large communities of open source developers to deliver building blocks for the company’s own software product.
There are no enforced code reviews, commit right reviews, or background checks on developers in open source. Companies need to perform due diligence on the third-party software they choose to use.
Malicious code has been found in:
- GitHub
- docker hub
- maven repository
- npm
- pypi
Outdated libraries, modules, and images
Another vector is the lack of tracking for software component versions. While third-party libraries with weaknesses are disclosed and updated, it’s frightening to know that most utilizing software of the components is not updated. Known CVEs (Common Vulnerabilities and Exposures) have been found in more than 50% of companies. The microservice architecture is counterproductive. Small specialized services are developed once and then left deserted for months.
Supplier failure
Today IT companies and startups are very specialized on a core business model and outsource to SaaS providers or insource specialifzed software. This is understandable from an efficiency and financial perspective. One doesn’t need to reinvent the wheel. But this also means that the vendors’ security becomes the security of their own company. Data breaches happen even with the big players. (Github, Typeform). This exposes data and user accounts without having done anything wrong.
After a breach at a third-party supplier, companies often struggle to determine if they are impacted and what data is affected. Proper supplier management and a software bills of material (SBOM) are super helpful in such situations.
Typosquatting
A typosquat is the act of taking a popular framework or library, adding malicious code, and uploading it to a package repository under a name that is very similar to the original.
Researchers have found hundreds of such typosquatting packages in repositories for all major programming languages.
Ok, what now?
- Companies have to understand how their respective software supply chain is structured.
- Pipelines and Systems need to be documented and governed.
- Software Composition Analysis (SCA) describes an automated process that identifies software in a codebase. This inventory can then be checked against vulnerability databases. Examples are the free (OWASP dependency check or the commercial Jfrog X-Ray).
- Access to public repositories has to be restricted and monitored. Local repositories or proxies are preferred.
- Vetting of components and base images is required.
- Third-party software and partners have to undergo a vetting process and their software supply security needs to be verified. Due diligence of partners must involve a security assessment.
- Ingress and egress traffic monitoring needs to be performed on a per-host basis.
- Documentation of vendors and the data that is shared with them is a must.
- Deployments have to be monitored and the code change requires reference to the source code changes.
- The technical debt of your partner is your technical debt!
- Strong security controls need to be implemented across the supply chain.
- Detected vulnerabilities require swift remediation or whitelisting by experts as not applicable to the use case.
- Strengthen your QA specialists!
The most important action is to raise awareness with managers and decision-makers. A data leak, prolonged downtime, or a company breach can bring an end to all the ambitious growth goals company founders have. IT companies need to step up their game. We owe it to our customers.