Software development, platform technology, and delivery pipelines are mission-critical elements in every modern enterprise and a place for security incidents. Increased velocity and the removal of manual steps by automation create additional risks.
The Open Web Application Security Project (OWASP) views the threat of using components with known vulnerabilities as one of the top risks in software development.
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Other industries have understood the need to manage risk along the supply chain. Documenting the origin of raw materials, testing the quality of supplied materials and overall ensuring the integrity of their supply chains. Examples are the medical, automotive, aerospace and mechanical engineering industry.
Let’s look at the traditional supply chain security of the cargo industry where the threats are terrorism, theft and, piracy.
Activities to protect the supply chain in this industry include:
- Credentialing of participants in the supply chain
- Screening and validating of the contents of cargo being shipped
- Advance notification of the contents to the destination country
- Ensuring the security of cargo while in-transit via the use of locks and tamper-proof seals
- Real-time tracking of the cargo while in-transit via GPS
- Inspecting cargo on entry
Comparing those efforts with the care being taken for the software supply chain in even big companies, illustrates the gap. Attackers have shifted their focus from operating systems and networks directly to applications and they don’t care how the weakness got there in the first place.
Excuses are plenty - Opportunities are rare
Especially in the startup industry, there is a lot of pressure for delivery and security is often a afterthought. Instead customer growth, agility, automation or product delivery are the key performance indicators.
The “Ain’t nobody got time for software supply chain security” attitude has been observed in the fintech and even medtech industry. Everybody takes security serious unless it collides with the mentioned above KPIs. It’s important to explain to non-technical decision makers the importance of risk reduction in the supply chain of the software product. Leaking data and industrial espionage are just two of many threats to companies with unchecked or weak software supply chain security.
injecting malicious code in public repositories for common libraries, modules, and images
A software project consists nowadays of up to 90% of open source components and only 10% of custom code. Modern software development relies on large communities of open source developers to deliver building blocks for the companies own software product. I believe open source being superior to closed source software but companies have to understand that they can’t outsource their own risk to open source development teams and repositories.
There are no enforced code reviews, commit right reviews or background checks on developers in open source. Companies need to start taking responsibility for the third party software they use.
Malicious code has been found in:
- maven repository
outdated libraries, modules, and images
Another vector is the lack of tracking for software component versions. While third-party libraries with weaknesses are disclosed and updated, it’s frightening to know that most utilizing software of the components is not updated. Known CVEs (Common Vulnerabilities and Exposures) have been found in more than 50% of companies. The microservice architecture is counterproductive. Small specialized services are developed once and then left deserted for months.
third party failure
Today IT companies and startups are very specialized on a core business model and outsource to SaaS providers or insource specialized software. This is understandable from an efficiency and financial perspective. One doesn’t need to reinvent the wheel. But this also means that the vendors’ security becomes the security of their own company. Data breaches happen even with the big players. (Github, Typeform). This exposes data and user accounts without having done anything wrong.
After a breach companies struggle to determine the impact and the affected data. Remediation actions are delayed or wrongly planned.
Ok, what now?
- Companies have to understand how their respective software supply chain is structured.
- Pipelines and Systems need to be documented and governed.
- Code components should be scanned during deployment against common vulnerabilities (OWASP dependency check, Jfrog X-Ray).
- Access to public repositories has to be restricted and monitored. Local repositories or proxies are preferred.
- Vetting of components and base images is required.
- Software and component versions require documentation and automatic checks against CVE databases.
- Third party software and partners have to be checked and their own software supply security needs to be verified. Due diligence of partners must involve a security assessment. A good name or reference is not enough.
- Ingress and egress traffic monitoring needs to be performed on a per-host basis.
- Documentation of vendors and the data that is shared with them is a must.
- Deployments have to be monitored and the code change requires reference to the source code changes.
- The technical debt of your partner is your technical debt!
- Strong security controls need to be implemented across the supply chain.
- Detected vulnerabilities require swift remediation or whitelisting by experts as not applicable for the use case.
- Strengthen your QA specialists!
The most important action is to raise awareness with managers and decision makers. A data leak, prolonged downtime or a company breach can bring an end to all the ambitious growth goals company founders have. IT companies need to step up their game. We owe it to our customers.