Software supply chain attacks and how to deal with them [Q&A]


Increased use of open source and third-party code leaves organizations open to more attacks on the software supply chain.
Open source vulnerabilities have become a prime target for attackers and organizations need to strengthen their defenses. We spoke to Richard Clark, senior solutions architect at JFrog, to discuss the importance of proactive measures in protecting against these threats.
BN: Why have software supply chains become such a target?
RC: Software permeates every area of an organization, across industries and geographies. In that sense, it is liquid and should flow like water. However, the current silos in software development create significant blind spots and heightened risks due to the fragmented tools and methods currently used to manage the software supply chain, plus an expanding open-source ecosystem.
In fact, industry research suggests 82 percent of open-source software components are 'inherently risky' due to a mix of vulnerabilities, security issues, code quality or maintainability concerns. Additionally, the same report shows that while more than 70 percent of software in the enterprise is open source, these elements often aren't tracked, maintained, updated or inventoried, leaving serious vulnerabilities in the software supply chain for threat actors to exploit. Hackers know that open source packages, and the developers who use them, are the golden ticket to security breaches. They tend to strike either by exploiting weaknesses introduced through CVEs (typically unintentional flaws by open source developers) or introducing their own malicious packages masquerading as safe open source components. Once an attacker is inside an organization, they often have a lot of lateral capabilities to wreak havoc on several other systems.
BN: How do faster release cycles impact this?
RC: In today's software-driven world, the mantra 'release fast or die' creates intense demand for software development and deployment speed. Developers need to juggle business requirements while security teams add layers of protection that can often create prolonged timelines to production.
Post-deployment fixes for binary vulnerabilities can cost millions of dollars. It's wiser to assess and solve security issues before deploying software, avoiding repercussions in the high-stakes runtime arena, but more often than not, faster release cycles remain the priority. By taking an end-to-end approach to software supply chain management companies can ensure security measures are infused at every stage of the software development process, enabling developers to move quickly from design to production and reduce the risk of faulty software going live.
BN: What techniques can organizations adopt to defend themselves?
RC: There are a few techniques and areas of focus organizations should adopt to better defend their software supply chains from attack, including:
- Diligent management and periodic updates of software and its dependencies to thwart emerging security threats.
- Thorough binary reviews to guarantee the authenticity and integrity of third-party components, thereby mitigating potential risks.
- Continuous monitoring and automated vulnerability scanning to ensure the proactive identification and remediation of security weaknesses.
- Seamless integration of security and governance processes into every stage of development workflows to thwart vulnerable software from ever reaching production.
By adhering to these fundamental considerations, organizations can bolster the reliability and resilience of their software, boost developer productivity, and safeguard digital ecosystems at large.
BN: Why are SBOMs such a key part of the process?
RC: Software Bills of Materials (SBOMs) are crucial for securing the software supply chain because they provide transparency into the components that make up a software application. By listing all the third-party libraries, dependencies, and versions used, they allow organizations to easily identify potential vulnerabilities within their software, enabling proactive risk management and rapid response to security issues within the supply chain. Having SBOMs allows organizations to revert their software updates to the most recent version that was not compromised, thus enabling continued business continuity. In addition, SBOMs can help to address compliance requirements and provide assurances to customers and partners that your business takes supply chain security seriously.
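The two SBOM-driven checks described in this answer and in the earlier list of techniques (matching the listed component versions against known advisories, and confirming that third-party binaries are the ones the build recorded, the "thorough binary review" point), shown as an added Python example. This is not code from the interview or from JFrog: the CycloneDX-style SBOM, the artifact bytes, the advisory entries and their `ADV-EXAMPLE-*` identifiers are all constructed sample data, and the version-range and purl-matching helpers are simplified assumptions rather than any real tool's logic.

```python
"""Audit a CycloneDX-style SBOM: advisory matching plus artifact integrity.

Added example, not from the interview or from JFrog. All data below is
constructed: the SBOM, the artifact bytes, and the advisory list.
"""
import hashlib
import json

# Constructed sample bytes standing in for the packages pulled at build time;
# the SBOM records the SHA-256 of each one.
BUILD_ARTIFACTS = {
    "pkg:npm/left-pad@1.3.0": b"left-pad 1.3.0 tarball (constructed)",
    "pkg:pypi/requests@2.25.0": b"requests 2.25.0 wheel (constructed)",
    "pkg:maven/org.example/logger@1.2.3": b"logger 1.2.3 jar (constructed)",
}


def _component(purl, data):
    """Build one CycloneDX component entry with a SHA-256 hash (assumed shape)."""
    name, version = purl.split("/")[-1].rsplit("@", 1)
    return {"type": "library", "name": name, "version": version, "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}]}


# Constructed SBOM as the JSON text a generator would emit at build time.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [_component(p, d) for p, d in BUILD_ARTIFACTS.items()],
})

# What a later deployment actually pulled: one artifact no longer matches.
DEPLOYED_ARTIFACTS = dict(BUILD_ARTIFACTS)
DEPLOYED_ARTIFACTS["pkg:maven/org.example/logger@1.2.3"] = b"logger 1.2.3 jar (modified)"

# Constructed advisories with placeholder IDs: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:npm/left-pad",
     "introduced": "0.0.0", "fixed": "1.2.0"},
]

HASH_ALGS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def parse_version(version):
    """Simplified dotted-version parse: numeric parts only, non-digits dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed, padding shorter tuples with zeros."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def find_vulnerable(sbom, advisories):
    """Return (purl, advisory id) pairs for components inside an affected range."""
    hits = []
    for comp in sbom.get("components", []):
        base, _, version = comp.get("purl", "").rpartition("@")
        if not base:
            continue  # no purl/version to match on
        for adv in advisories:
            if base == adv["purl_base"] and version_in_range(
                    version, adv["introduced"], adv["fixed"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


def verify_hashes(sbom, artifacts):
    """Return purls whose deployed bytes do not match the SBOM-recorded digest.

    A component with no artifact to check, or with an unsupported hash
    algorithm, is reported as a failure rather than silently passed.
    """
    failures = []
    for comp in sbom.get("components", []):
        purl = comp["purl"]
        data = artifacts.get(purl)
        if data is None:
            failures.append(purl)
            continue
        for h in comp.get("hashes", []):
            algo = HASH_ALGS.get(h["alg"])
            if algo is None or algo(data).hexdigest() != h["content"]:
                failures.append(purl)
                break
    return failures


def audit(sbom_json, advisories, artifacts):
    """Parse the SBOM text and run both checks."""
    sbom = json.loads(sbom_json)
    return {"vulnerable": find_vulnerable(sbom, advisories),
            "integrity_failures": verify_hashes(sbom, artifacts)}


if __name__ == "__main__":
    for key, value in audit(SBOM_JSON, ADVISORIES, DEPLOYED_ARTIFACTS).items():
        print(f"{key}: {value}")
```

The integrity check is deliberately strict: a component that cannot be verified (missing artifact, unknown algorithm) is reported, because a silent pass is exactly the blind spot the interview describes. The version logic is the simplest workable form; a production audit would use the ecosystem's own version-ordering rules rather than a numeric tuple compare.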
BN: How important is collaboration between developers and security teams to safeguarding projects?
RC: The software supply chain is an aggregation of all the people, processes, and technologies involved in producing or updating a piece of software. Common components include source code, third-party code, open-source libraries, dependencies, toolchains, infrastructure, and more. The need for software supply chain security measures has grown in recent years due to increasing reliance on third-party components when building and deploying applications. Reuse of third-party resources, including open source components, can reduce the amount of code developers have to write from scratch. However, any security risks that exist within the external resources will become risks for the applications that use them.
The lack of security training for developers makes the issue even more challenging, particularly when AI-generated code, trained on potentially insecure open-source data, is not adequately screened for vulnerabilities. Unfortunately, once AI/ML models integrate such code, the potential for undetected exploits only increases, so developers must also function as security champions, meaning DevOps and security can no longer be considered separate functions.
Investment in regular security training and providing resources to help developers stay ahead of threats are crucial. Also, enhancing collaboration between development and security teams will ensure that security measures are seamlessly integrated, creating a solid defense against threats. Ultimately, embedding security at every stage of development is essential when building resilient and secure software.
Image credit: Acnalesky/Dreamstime.com