The first trend cited in our recently released 2022 AppSec Trends report is Securing the Software Supply Chain. However, concern about inadequacies of software suppliers’ capabilities to build/deliver secure software isn’t new.
In the late 2000’s the US Department of Homeland Security’s (DHS) Build Security In initiative had a working group that I co-chaired on this topic. The intent of the working group (which included representatives from industry, academia, and government) was to help acquirers buy software that was more resistant to attack, had fewer vulnerabilities, and minimized operational risks to the greatest extent possible. If you scan through this presentation I did back in 2007, you can see that things haven’t changed much, though the use of open-source software (OSS) has exploded since then.
While we’ve tried to address software supply chain risks in the past, we honestly didn’t get much traction. What we lacked were significant, highly publicized, triggering events to motivate change in the software buyer’s behavior. Well, that’s changed due to some significant supply chain-based attacks and Zero-day vulnerabilities. A great example of why the issue can no longer be ignored was the SolarWinds Sunburst attack. Software Development Security
The SolarWinds attack was strategic. With over 75% of the Fortune 1000 as customers, attacking a company like SolarWinds, in turn, took out not only them, but impacted the thousands of customers that used their system. Often overlooked software tools and systems that, if attacked, could have a major impact on an employee or customer base.
So how are decision-makers reacting? Research from Pulse showed that 29% view securing their software supply chain as a very high priority, whereas 42% believe that OSS is the primary entry point for attackers.
This reuse of code has major benefits for the software industry, reducing development time and costs and allowing developers to add functionality faster, but it also generates major vulnerability management problems due to the complex system of dependencies that are often hard to track. If these software artifacts are consumed without proper security vetting, the developers are unintentionally introducing risks to their software.
As a result, developers can be unintentional insiders by consuming insecure OSS components or libraries. Vetting OSS with manual methods doesn’t scale to keep pace with development. You need transparency and an automated method to assess risk of these components and you can get a 360-degree view of app risk with Fortify. This enables dev teams to continue to use OSS but do so safely and at the velocity they need.
External threats, like the Sunburst threat actor, target the intentional injection of malicious code into dependencies. The attacker targets a software supplier, but the attack affects its customer.
Source: Software Supply Chain Attacks, Part 1
In a recent report by European Union Agency for Cybersecurity (ENISA) they formally defined the four key characteristics present in a supply chain attack to include:
1. Attack techniques used to compromise the supplier - exploiting software or a configuration vulnerability, brute-forcing credentials, or social engineering
2. Supplier assets targeted in the attack
-If the target is software code, the idea is to get the customer to download and execute this code.
-If the target is data, then this data can be used in phishing attacks. If the data is a private key, it could be used to create digital certificates in a man-in-the-middle attack.
3. Attack techniques used to compromise the customer - When downloading malicious code through an automatic software update, the attack is exploiting a previously established trust relationship.
4. Customer assets targeted in the attack - This is the main target of the attack. It includes e.g., stealing and modifying data, performing money transfers, or sending spam.
It’s understandable as to why securing software supply chains is one of the 2022 trends that we are seeing in application security. Given the increase in intentional and unintentional threats to the supply chain, development management should establish governance practices that help ensure that software supplied to their customers isn’t a conduit for malicious or vulnerable code. Otherwise, the fragile trust relationships they have with their customers could be significantly impacted, like it was for Solarwinds. Many organizations are establishing formal cyber supply chain risk management (C-SCRM) programs to manage and measure OSS component and software supply chain risks. Automation to support C-SCRM processes will be key to success.
- AppSec Trend report Hub.
- Securing the Software Supply Chain
- The AppSec Trend Report webinar series (note, you can register for all four Webinars from same registration site):
- The first Webinar on Wednesday is on the AppSec trends report in general.
- The 2nd Webinar on 29 June is specifically on Securing the Software Supply Chain.
- Fortify: Trust the Future of Your Software Supply Chain
- Fortify Unplugged Video: Securing the Software Supply Chain Playlist
- New AppSec 101 video: What is the Software Supply Chain
- Debricked & CyberRes: Helping Companies Use Open Source Better and Safer
- Software Supply Chain Attacks, Part 1: Defining and Understanding the Attack