How should companies manage the risks associated with attacks in the software supply chain?


Software supply chain attacks are becoming more prevalent as cybercriminals continue to find ways to wreak havoc on organizations. In fact, research from the NCC Group has shown that cyberattacks against supply chains have increased by 51% over the past six months.

However, the study also showed that only 53% of respondents felt that their company and its suppliers were equally responsible for supply chain security. This lack of accountability and ownership could lead not only to these organizations being targeted, but also to regulatory penalties.

For example, the EU’s Digital Operational Resilience Act (DORA) requires financial entities to include key security requirements in their contracts with third parties, indicating that regulators are increasingly focusing on the role of the organization in managing supplier risk.

What makes an attack on the software supply chain even more concerning is that the lack of visibility could disrupt not only the organization, but almost every process and other organization connected to it.

Another survey also showed that 64% of organizations agree that an attack on their software development environment is unstoppable. 71% also admitted that their organizations had suffered data loss or compromised assets as a result of successful software supply chain attacks.

For example, some technology companies are already working on improving the software supply chain. This includes Google, which recently revealed plans to work with GitHub to create a tamper-proof method for signing source code as part of its ongoing efforts to better secure software supply chains.

According to Google’s Open Source Security Team, many of the recent high-profile software attacks that alarmed open source users around the world were consequences of supply chain integrity vulnerabilities. This means attackers have taken over a build server to use malicious source files, injected malicious artifacts into a compromised build platform, and bypassed trusted builders to download malicious artifacts.

“Each of these attacks could have been prevented if there was a way to detect that the delivered artifacts diverged from the expected origin of the software. But until now, it has been difficult to generate verifiable information describing where, when, and how software artifacts were produced (information known as provenance). This information allows users to verifiably trace artifacts back to source and develop risk-based policies regarding what they consume,” the Google Open Source Security Team said.

For Tim Mackey, senior security strategist at Synopsys Cybersecurity Research Centre, software supply chains are complex entities often comprising hundreds of “vendors” per application. He explained that each vendor, or dependency as it is also called, represents a vector for the entry of software into an organization. Mackey said software is often subject to vendor risk management review before purchase, but for some software, such as open source software or SDKs, there is no explicit vendor against which to perform a risk assessment.

Mackey pointed out that this is in part because vendor selection decisions in an open source context are made by developers who are measured more by their ability to implement features quickly than by their skill at risk mitigation or compliance reviews.

Mackey added that given the complexity of software supply chains and the growing focus on them within the enterprise, it is reasonable to expect cybercriminals to attempt to disrupt business operations by targeting the supply chains that feed the business.

“Addressing the risks present in software supply chains begins with recognizing that a traditional vendor-centric view of vendor validation is insufficient to accurately describe the risks requiring mitigation. Instead, mitigation strategies should be tailored to each of the potential methods for software to enter an enterprise where process threats are identified well in advance of any requirement to mitigate vulnerabilities or remediate a cyber-incident,” Mackey commented.

