Securing The Software Supply Chain

Software supply chain attacks are becoming more frequent and sophisticated. Malicious actors have realized just how potent zero-day vulnerabilities and infamous third-party libraries can be. Securing the supply chain can be very challenging, as zero-day vulnerabilities in open-source and/or third-party software can stay undetected for years. How do you protect against something that perhaps exists, but you can’t see yet?

Challenges in securing the software supply chain

A CTO said that a significant security challenge is prioritizing risks and finding the time to address them at the code level and across the supply chain. Bringing everyone on the same page regarding potential threats and remediation is not an easy task.

Another challenge faced by multiple participants was the lack of visibility. How do you secure something that you can’t see? Unless you try to reverse engineer, how do you identify what modules/packages a third-party solution uses internally?

An information security director mentioned cloud transformation and securing third-party software as their biggest challenge. Their teams find it hard to stay on top of cloud security controls and avoid misconfigurations. Whenever a vulnerability is discovered in third-party software, they have to chase down all their vendors to ensure they have applied the relevant patches.

An attendee pointed out that lack of ownership is also a problem. Yes, supply chain risks are there, but who is responsible for mitigating them? Should there be a new AppSec or DevSecOps team? Or should DevOps be entrusted with the responsibility?

Supply chain attacks are trending

An executive remarked that malicious actors are focusing more and more on supply chain attacks because of the widespread attack surface. A vulnerability in a commonly used library may affect millions of different software worldwide. These vulnerabilities, if left unpatched, can allow cybercriminals to compromise entire infrastructures. Even something as trivial as a logging library (log4J) can cause the whole IT world to go into a frenzy.

There is cyber … and then there’s ransomware

A participant shared that they have refocused all their security efforts towards formulating a ransomware recovery plan. Ransomware attacks are arguably the worst kind, as they can cause irreparable damage to the infrastructure, forcing the victim companies to rebuild affected systems from scratch. They have added a fair amount of detection and prevention capabilities, but their main focus is finding out the most efficient way of rebuilding their systems— in case the worst happens.  

Which software supply chain phase is the most important?

Various executives agreed that identifying vulnerabilities and risks has become a lot easier now. Many tools can help detect anomalous or malicious behavior. With that said, you can never identify “all of it.” Zero-day vulnerabilities will always exist, waiting for someone to unravel and exploit them. That’s why you need to focus more on the recovery phase. Your executives, developers, testers, and production engineers must know how to respond to cyberattacks effectively. Everyone should know their responsibilities. Tabletop exercises can help in this regard.

One attendee contended that quick discovery and response should be the primary focus. There are tools that can scan for known vulnerabilities across all your projects and instantly apply necessary protection/patches for them. Harden your applications and actively scan your network for malicious behavior. While having a recovery plan is very important, the primary priority should always be early detection and prevention.

‍