A supply chain we all partake in is the water we drink. Whether you drink the water from the tap or from a bottle, do you really have awareness of where the water is coming from or what is in it? Perhaps not. 

We have the same issue with software. Do we really understand software’s lineage or pedigree and the inherent risks of the software we are introducing to our enterprises?

In December 2021, researchers disclosed a critical vulnerability in Apache Log4J 2, a popular library for logging errors and run-time information. Unlike vulnerabilities in applications, however, the Log4J flaw affected software whose developers did not explicitly include the component in their application. 

Research by Google at the time found more than 35,800 codebases, or artifacts, on the popular Maven repository affected by the vulnerability— more than 8%, compared to a median of 0.1% for the average advisory. In addition, the average Log4J import occurred five dependencies down, meaning the component included a library that included a library that included a library that included a library that used Log4J 2. 

Such vulnerabilities—and the attacks that follow—are unfortunately not uncommon. Approximately two years earlier, nation-state actors compromised the development and deployment pipeline of network-management software provider SolarWinds, creating a backdoor in a software update that some 18,000 customers—including US government agencies— downloaded. The intelligence agency behind the hack used the foothold in those networks to compromise at least 250 networks at high-value targets. 

These two attacks represent two facets of the software supply chain security: Vulnerabilities in the components used to build applications, and attacks against the software and service providers that have privileged access to clients’ information. Developers who use components without auditing their security run the risk of creating vulnerabilities in their own software and propagating attacks through the ecosystem. 

Ensuring that software is free from known vulnerabilities requires a multi-prong strategy to lock down the components that make up your software supply chain. Companies need to trust the components and libraries used to create their own applications, track the provenance of code through the supply chain, understand their suppliers’ security processes, and conduct regular behavioral analysis on running software to make sure that the code is not behaving maliciously. 

Fortify offers a couple of solutions to ensure you are not leaving the backdoor open in your code for attackers. The first solution is Sonatype, which delivers enterprise-grade results for open source security. Fortify + Sonatype gives you visibility into your open-source risk with an integrated platform that combines static analysis (SAST) and software composition analysis (SCA) into a single platform, giving you a consolidated view of your application's vulnerabilities. Sonatype uses AI and machine learning, along with human curation, to detect 70% more vulnerabilities than the National Vulnerability Database alone. You can automate open-source governance at scale across the entire SDLC, shifting security left within development and build stages. A great thing about Sonatype’s solution is how much time you can save investigating known issues in open source while reducing false positives with susceptibility analysis. 

The second solution is Debricked, offering open source intelligence and security powered by state-of-the-art machine learning for faster, more precise results. Take full control of open-source security, compliance, and community health with solutions that will revolutionize the way you use open source. With a UI that developers love, it makes it easy to increase the efficiency of your software development lifecycle. You can also ensure open-source compliance with automated pipeline rules and generate a software bill of materials (SBOM). The best part about Debricked is you can try it out with a highly touted free trial to see for yourself how seamlessly it integrates. 

Supply chain attacks have increased since 2018, but with the right approach, you can stay one step ahead of would-be attackers. By embracing a culture of cybersecurity and employing the right processes and tools, you will create the foundation of a secure software supply chain. The world runs on open-source code, but if you have visibility across third-party software components, you won’t be left questioning the integrity of your software’s lineage. 

More About Fortify

CyberRes Fortify delivers software resilience for modern development with a holistic, inclusive, and extensible application security platform from a trusted partner that supports today’s enterprises. This comprehensive suite of products brings holistic security and visibility to developers, AppSec professionals and key stakeholders with automated integrations for any tool, anywhere in the SDLC and a robust set of capabilities available on premise, cloud-hosted, or as a managed service.

Join our Fortify Community. Have technical questions about Application Security products? Visit the Fortify discussion forum.  Keep up with the latest Tips & Info about Application Security. We would love to hear your thoughts on this blog. Log in or register to comment below.