Software supply chain attacks and how to deal with them [Q&A]
Software supply chain attacks have increasingly made the headlines in recent years. They occur when attackers change the code in third-party software components in order to compromise the applications using them.
These attacks can be used to steal data, corrupt systems or move laterally through networks. We spoke to Ansh Patnaik, chief product officer at CyCognito, to learn more about this type of attack and how to combat it.
BN: Could you explain why software supply chain attacks have become such a prominent threat in recent years?
AP: Absolutely. Software supply chain attacks have increasingly moved from the periphery of concerns to the forefront due to their sheer impact and the growing complexity of the software ecosystems. According to Verizon's 2024 Data Breach Investigations Report, there was a staggering 180 percent surge in breaches initiated by exploiting vulnerabilities compared to 2022. What's even more alarming is that 15 percent of these breaches involved third parties or suppliers, such as those in the software supply chains, hosting partner infrastructures, or data custodians.
This trend isn't surprising when you consider the high-profile vulnerabilities we've seen in recent years. For example, the SolarWinds attack impacted over 18,000 organizations and reportedly cost the affected companies an average of 11 percent of their revenue. Similarly, Okta experienced a significant breach where threat actors accessed private customer data through its support management system, going undetected for weeks despite existing security alerts. The drawn-out MOVEit Transfer tool attack, which affected over 620 organizations, including major entities like BBC and British Airways, further emphasizes the urgency of promptly patching vulnerabilities and securing web-facing applications.
BN: Can you define what software supply chain security is?
AP: Software Supply Chain Security, or SSCS, is a framework designed to mitigate potential attacks on software by ensuring that all processes and tools involved in curating, creating, and consuming software are secure. Gartner defines SSCS as encompassing three core pillars:
- Curation: This involves evaluating third-party software components to assess their risks and determine if they're suitable for use. This step ensures that only secure and compliant components make their way into the software supply chain.
- Creation: This pillar emphasizes the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves implementing security measures throughout the software creation process to guard against vulnerabilities and potential threats.
- Consumption: This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and hasn’t been tampered with or modified without authorization.
In simpler terms, SSCS is about securing all the software components used and built within an organization, as well as the practices developers employ to write and monitor code post-deployment.
BN: What are some best practices organizations should follow to build a robust security program to protect from these threats?
AP: Building a robust security program to protect against software supply chain threats involves several key practices:
- Continuous Code Scanning: It’s crucial to implement continuous code scanning throughout the Software Development Life Cycle (SDLC). This helps catch vulnerabilities early by using both static and dynamic application security testing (SAST and DAST) to ensure that both proprietary and third-party code are secure.
- Automated SDLC: Maintaining a highly automated SDLC is essential for efficiently updating, testing, and deploying new software versions. Automation reduces human error and speeds up the identification and remediation of vulnerabilities.
- Source Code Analysis (SCA): Scanning third-party code with SCA tools is critical. These tools automate the detection and management of risks associated with third-party and open-source software components. SCA tools can:
- Identify all the software components within an application.
- Generate Software Bills of Materials (SBOM) to help organizations comply with regulatory requirements and manage open-source licenses.
- Scan for known vulnerabilities in software components, providing alerts and guidance for remediation.
- Assess the risk level of each component to prioritize remediation efforts based on severity.
- Generate dependency graphs to identify potential points of failure or risk.
- Provide actionable remediation guidance.
- Automatically enforce policies to block the use of components with known vulnerabilities or license issues.
BN: With the growing reliance on third-party services, how does external exposure management factor into a comprehensive supply chain security strategy?
AP: Organizations are increasingly relying on third-party services, networks, and cloud-based applications. Their ecosystems are composed of interconnected systems, often accessed via APIs, that create a vast surface area for potential attacks. Without comprehensive visibility into all these assets, security teams face a significant challenge in protecting what matters most. This is where exposure management comes into play.
Effective external exposure management starts with knowing exactly what you have and ensuring that every asset is classified into meaningful business groups. This allows you to align your risk priorities and remediation workflows effectively. Continuous and active risk assessment is crucial -- it enables the identification of weak spots that could be exploited by attackers at any time. By maintaining an up-to-date inventory and regularly assessing exposure, organizations can act swiftly in case of an incident, minimizing damage and recovery time.
Staying compliant with regulations that mandate specific types of controls requires organizations to maintain this visibility, thereby avoiding costly penalties. In essence, external exposure management isn't just about knowing what’s out there; it’s about ensuring that your organization can protect its most critical assets continuously and comprehensively.
BN: What does the future hold for software supply chain security, and what steps should organizations take moving forward?
AP: The future of software supply chain security is one of increasing urgency and growing financial impact. Gartner projects that the financial consequences of supply chain attacks will escalate from $40 billion in 2023 to $138 billion by 2031. This underscores the critical need for organizations to act now.
Moving forward, the key first step is awareness. Understanding the threat landscape is as important as taking steps toward prevention. Once awareness is established, there are ample resources and technologies available to equip security teams with the tools they need to protect their ecosystems.
Continuous monitoring, regular updates, and proactive management of both internal and external threats will be essential in mitigating the risks associated with software supply chain attacks. Organizations that prioritize these steps will be better positioned to defend against the increasingly sophisticated and pervasive threats on the horizon.
Image credit: Acnalesky/Dreamstime.com