Modern software projects consist of numerous components that originate from diverse sources, including open-source and commercial third-parties. Securing these projects and minimizing your attack surface is crucial to prevent threat actors from exploiting vulnerabilities in third-party components. However, the lengthy and complex set of connected components can make this a challenge.
What is the software supply chain?
The software supply chain is the sum of all software components, tools, and processes used during development to create a final software application. Each of these add another possible point of attack and determines your software attack surface and vulnerabilities.
Typical software supply chain components that must be secured include:
- Code libraries and frameworks acquired from open-source or third-party vendors. These libraries and frameworks may contain vulnerabilities that can be exploited by attackers. Such vulnerabilities could be introduced inadvertently by the library's author or deliberately by a malicious actor.
- Development tools used to create the software. It’s possible that the software development delivery toolchain could introduce risks and vulnerabilities when building and/or deploying an app.
- System build tools. If developers don’t fully understand what it is they’re packaging when compiling an app, it’s possible to include superfluous code that contains vulnerabilities or is malicious.
- Software dependencies, including code taken from open-source repositories or developed by a third-party supplier. As with the previous risks above, it’s possible that software deep in a chain of dependencies contains code that could be compromised by a malicious actor.
Ensuring the security of the software supply chain also entails:
- Implementing security best practices during every phase of software development, from application development through the CI/CD pipeline and ending with deployment
- Securing the underlying physical IT infrastructure, both cloud and in-house, used to host and run the application
- Securing the host operating system and software infrastructure that the application will run on
Why is the software supply chain important?
Most modern software products are not written from scratch; instead, they combine open-source components. According to Gitnux, 99% of new software projects rely on open-source components, and 78% of companies prefer open-source over proprietary software.
Open-source software can make the team’s job much easier, as it is typically free, easily customizable, and enables them to add rich functionality to their work quickly. However, your development team may use outdated code borrowed from other sources (mainly open-source) or incorporate unnecessary software libraries. This could create more attack vectors for hackers to exploit.
After incorporating the OSS component into their application, developers have limited control over how these components behave. This allows threat actors to exploit vulnerabilities in OSS components to conduct malicious actions, such as spreading malware or stealing sensitive data.
In addition to the security angle, the software supply chain has become very important because it:
- Risks are increasing exponentially.
- Enhances quality: Implementing an efficient software supply chain can help ensure that your software is thoroughly tested at every phase of the software development lifecycle (SDLC), reducing the likelihood of errors in your application.
- Meets compliance requirements: The software supply chain will reveal each component’s origin and supplier information and provide the necessary documentation for regulatory bodies. And tracking each component in the project will ensure it meets the relevant compliance requirements.
- Increases your organizational reputation: A robust software supply chain ensures your company produces high-quality software, which means fewer security risks and consequently increases customer trust and retention with your service.
- Defends against cyberattacks: Secure applications free of vulnerabilities are much more challenging for threat actors to exploit.
Common risks to software supply chain security
The notorious SolarWinds supply chain attack distributed malware to thousands of suppliers and government agencies worldwide. As our dependence on technology increases, we can expect more cyberattacks against software supply chains. The most notable risks to the software supply chain are:
- Direct attacks against the supply chain: Threat actors may attack your organization's software supply chain directly by injecting malicious code or viruses into your application's software components. Attackers may also target the hardware infrastructure distributed within the supply chain to distribute malicious code, such as stealing malware or ransomware.
- Human errors: Regardless of the type and quality of security solutions and access controls in your IT environment, humans remain the weakest link in any cybersecurity defense strategy. For example, if a developer clicks a phishing link in a malicious email, they may introduce malware to not only their own ecosystem, but that of partner organizations as well.
- Misconfiguration risks: Developers and testers may make errors that threat actors can exploit. For example, developers may hardcode their access credentials in the application source code (for testing purposes) and forget to remove them after production.
- Third-party dependencies: This is the most common type of risk. Using vulnerable components from open-source or other third-party providers will make your application vulnerable to cyberattacks if these components are designed with weak security.
- Counterfeit components: Threat actors may hide their malicious code within the hardware infrastructure used in the supply chain networks to gain unauthorized access to internal networks.
- Lack of visibility: GitHub projects have an average of 700 open-source dependencies. Tracking all these components in your application is challenging, making it difficult to identify potential vulnerabilities.
- Weak security policies: Vendors and third-party suppliers may not have the same level of security as your organization. This means they may be more vulnerable to cyberattacks. If one of your suppliers is infected with malware, it could spread to your organization's systems.
It is essential to have complete supply chain risk management in place to mitigate these risks and ensure the security of your software systems.
Ways to ensure software supply chain security
There are many different techniques, best practices, and management oversight that can be used to secure your software supply chain. This section discusses them in more detail.
Use code signing
Code signing verifies the authenticity and integrity of software components by ensuring they are free from tampering. Code signing uses the developer or software component vendor's private cryptographic key to sign the component or code library and attach this signature to the code package. Anyone can use the developer's corresponding public key to verify the component source and ensure it has not been tampered with by comparing the software’s expected signature to what’s generated on the component.
Source code verification
Source code verification is the process of inspecting an application's source code to ensure it is free of errors or bugs that can result in security vulnerabilities or other defects. This allows development teams to create more secure, higher-quality software that complies with industry regulations (e.g. HIPPA and PCI DSS).
Source code verification can be performed manually by developers or using automated tools.
Supply chain mapping (SBOMs)
Supply chain mapping, also known as a Software Bill of Materials (SBOM), is a record of all software components (e.g. code libraries and modules) that make up software applications. It should list every component used in the application and hold information about it, such as:
- Component name, version, and license
- Vendor name and contact information
- Transitive dependencies of the component
- List of security vulnerabilities for each component and its associated mitigation information
SBOMs are critical elements in software supply chain risk management because they:
- Improve visibility by providing a list of all software components used to build a software application
- Identify security vulnerabilities associated with using some components
- Help organizations meet compliance requirements by identifying each software component source and supplier information
Vendor risk management
Vendor risk management (VRM) helps organizations gain visibility over risks originating from external service providers, IT suppliers, and any third party with access to organization-sensitive information. VRM becomes critical for any organization's cyber defense because third-party providers significantly impact an organization's security posture.
An efficient VRM solution or practice provides the following benefits to your business:
- Improves visibility over your entire third-party supply chain ecosystem
- Identifies emerging risks more efficiently and speeds up the response process to protect your assets
- Improves collaboration across your third-parties supply chains
Implementing secure development practices
Secure development practice is a methodology commonly used by DevOps development teams to incorporate security into each phase of the SDLC. Organizations should leverage secure development best practices, such as:
- Code review
- Threat modeling
- Implementing a secure software development policy
- Using a secure software development framework (e.g. OWASP)
Implementing secure development practices allows development teams to discover security vulnerabilities during the early development of software systems. It also makes a big difference in the overall time and effort costs of securing these software systems.
Removing unused components
Using containers in software development projects has become widespread. Gartner estimates that by 2026, "90% of global organizations will be running containerized applications in production."
Software container images can contain outdated code taken from various sources, including open-source code, or include unnecessary software libraries. This practice has three significant disadvantages. First, it raises the likelihood of vulnerabilities in the container image. Second, it expands the attack surface of the container host. Finally, it exposes the underlying host infrastructure to various security threats.
RapidFort’s Software Attack Surface Management (SASM) platform identifies all components running in a container and automatically eliminates those not currently in use. By doing so, RapidFort can remediate any vulnerabilities associated with these unused components.
Importance of collaboration
Organizations do not work in isolation, and securing the software supply chain requires collaborations between governments, industry, and software vendors to achieve the desired results.
Role of industry (tech and OSS)
The tech and open-source software (OSS) industries have their role in protecting the software supply chain through:
- Implementing best security practices when designing open-source components
- Promoting secure coding practices and standards in software development projects
- Implementing technical measures to detect supply chain attacks early through code singing and SBOM
Role of software vendors
Software vendors are responsible for creating and integrating software components (including open-source components) into their final product or application. Their role in protecting the supply chain includes:
- Implementing secure development practices
- Performing regular security testing and vulnerability assessment on their software components before publishing them
- Developing a comprehensive vulnerability management program to track all dependencies and discover security vulnerabilities before they get exploited by threat actors
Real-world software supply chain attacks
Several supply chain attacks have targeted high-profile organizations in recent years. This shows the importance of securing your software supply chain from cyberattacks. Here are three examples:
- SolarWinds: The 2020 attack infected around 18,000 companies, including USA federal agencies with malware
- Codecov: The 2021 attack exposed sensitive customer information, such as account credentials and source code
- Kaseya: The 2021 attack compromised the Kaseya remote management and monitoring software hundreds of managed service providers (MSPs) used to manage their clients' systems. Attackers use the Kaseya solution to distribute ransomware to hundreds of client organizations worldwide
Software supply chain security should be a top priority for CISOs, DevOps teams, and software engineers in any organization that develops, distributes, or uses software. RapidFort’s feature-rich vulnerability management solution enables organizations to scan their software infrastructure, gain a deep understanding of their attack surface, and automatically eliminate unused code. The result? A 60-90% reduction in vulnerabilities—instantly.
Ready to see it for yourself? Book a demo with the RapidFort team today.