AppSec Trends – Securing the Software Supply chain
The first trend cited in our recently released 2022 AppSec Trends report is Securing the Software Supply Chain. However, concern about inadequacies of software suppliers’ capabilities to build/deliver secure software isn’t new.
In the late 2000’s the US Department of Homeland Security’s (DHS) Build Security In initiative had a working group that I co-chaired on this topic. The intent of the working group (which included representatives from industry, academia, and government) was to help acquirers buy software that was more resistant to attack, had fewer vulnerabilities, and minimised operational risks to the greatest extent possible. If you scan through this presentation I did back in 2007, you can see that things haven’t changed much, though the use of open-source software (OSS) has exploded since then.
While we’ve tried to address software supply chain risks in the past, we honestly didn’t get much traction. What we lacked were significant, highly publicised, triggering events to motivate change in the software buyer’s behaviour. Well, that’s changed due to some significant supply chain-based attacks and Zero-day vulnerabilities. A great example of why the issue can no longer be ignored was the SolarWinds Sunburst attack. Software Development Security.
The SolarWinds attack was strategic. With over 75% of the Fortune 1000 as customers, attacking a company like SolarWinds, in turn, took out not only them, but impacted the thousands of customers that used their system. Often overlooked software tools and systems that, if attacked, could have a major impact on an employee or customer base.
So how are decision-makers reacting? Research from Pulse showed that 29% view securing their software supply chain as a very high priority, whereas 42% believe that OSS is the primary entry point for attackers.
This reuse of code has major benefits for the software industry, reducing development time and costs and allowing developers to add functionality faster, but it also generates major vulnerability management problems due to the complex system of dependencies that are often hard to track. If these software artefacts are consumed without proper security vetting, the developers are unintentionally introducing risks to their software.
As a result, developers can be unintentional insiders by consuming insecure OSS components or libraries. Vetting OSS with manual methods doesn’t scale to keep pace with development. You need transparency and an automated method to assess risk of these components and you can get a 360-degree view of app risk with Fortify. This enables dev teams to continue to use OSS but do so safely and at the velocity they need.
External threats, like the Sunburst threat actor, target the intentional injection of malicious code into dependencies. The attacker targets a software supplier, but the attack affects its customer.
Source: Software Supply Chain Attacks, Part 1
In a recent report by European Union Agency for Cybersecurity (ENISA) they formally defined the four key characteristics present in a supply chain attack to include:
1. Attack techniques used to compromise the supplier - exploiting software or a configuration vulnerability, brute-forcing credentials, or social engineering
2. Supplier assets targeted in the attack
-
If the target is software code, the idea is to get the customer to download and execute this code.
-
If the target is data, then this data can be used in phishing attacks. If the data is a private key, it could be used to create digital certificates in a man-in-the-middle attack.
3. Attack techniques used to compromise the customer - When downloading malicious code through an automatic software update, the attack is exploiting a previously established trust relationship.
4. Customer assets targeted in the attack - This is the main target of the attack. It includes e.g., stealing and modifying data, performing money transfers, or sending spam.
It’s understandable as to why securing software supply chains is one of the 2022 trends that we are seeing in application security. Given the increase in intentional and unintentional threats to the supply chain, development management should establish governance practices that help ensure that software supplied to their customers isn’t a conduit for malicious or vulnerable code. Otherwise, the fragile trust relationships they have with their customers could be significantly impacted, like it was for Solarwinds. Many organisations are establishing formal cyber supply chain risk management (C-SCRM) programs to manage and measure OSS component and software supply chain risks. Automation to support C-SCRM processes will be key to success.