A supply chain attack can have a ripple effect of disastrous consequences for your organization and your customers, and since attackers don't rest, the next attack is never far away.
How can you prevent the next disaster? To stay ahead of attackers, organizations should develop a supply chain security strategy.
Why do organizations need to focus on software supply chain security?
This past year, we saw entire infrastructures grind to a halt as a result of supply chain attacks. These attacks move quickly, and by the time you can react, the damage is done.
Supply chain attacks are very attractive to malicious actors because they offer maximum impact for minimal effort. By compromising the weakest link in a supply chain, typically a trusted vendor or a build and update mechanism, an attacker inherits that vendor's trust and reaches every client downstream without having to break into each of them individually.
The widely publicized incidents involving SolarWinds, Microsoft, and Colonial Pipeline encourage attackers to continue and show that nobody is immune to this type of attack. According to Eva Velasquez, CEO of the Identity Theft Resource Center (ITRC), supply chain attacks, among others, show a trend of cybercriminals looking to exploit multiple organizations through a single point of attack. The ITRC report found that 137 organizations reported an attack on their supply chains through third-party vendors.
Both financially motivated criminals and nation states carry out this type of attack, and the European Union Agency for Cybersecurity (ENISA) expects the number of supply chain attacks in 2021 to be about four times that of 2020, according to its Threat Landscape for Supply Chain Attacks report.
The report brings some concerning statistics regarding supply chain attacks:
- Between January 2020 and early July 2021, 24 supply chain attacks were reported and analysed.
- 50% of the attacks are attributed to known Advanced Persistent Threat (APT) groups.
- 62% of the attacks on customers exploited their trust in a supplier.
- 58% of the attacks aimed to gain access to data, mainly customer data.
How to develop a strong software supply chain security strategy
Organizations need to put supply chain attacks on the list of threats they protect against. Software development companies are especially at risk: an attacker who tampers with a single software update can potentially compromise an entire network of clients and business associates.
Governments are planning new cybersecurity regulations. The Biden administration's Executive Order 14028 on Improving the Nation's Cybersecurity directs agencies to secure the software supply chain and to require a software bill of materials (SBOM) from vendors of software sold to the federal government.
Here are five areas in which organizations can increase awareness of and visibility into software supply chain security:
Shift security left
This approach involves baking security testing into the development lifecycle. When applied to a DevOps environment, it is known as DevSecOps. It produces faster and more secure development, because security testing is carried out before the software is sent to production rather than after.
Taking the leap into DevSecOps helps developers detect and fix vulnerabilities and exploitable errors early in the pipeline, where they are cheapest to fix. The downside is that developers often have to take on security tasks on top of their own.
Adopt Zero Trust Architecture
The executive order from the U.S. government directs agencies to adopt zero trust architecture as they migrate to cloud technology. That means implementing a security posture that assumes compromise (no user, device or network segment is trusted by default) and modernizing capabilities for proactive threat detection and response.
Leverage tools for vulnerability detection
The fast pace of DevSecOps requires securing the pipeline without slowing it down. With new guidelines arriving to support supply chain security, organizations need to leverage automated tools.
Developers can use automated tools to detect malicious packages and newer software supply chain risks such as dependency confusion, where a package manager configured to consult both a private and a public registry resolves an internal package name to an attacker's public package of the same name, usually because the public copy carries a higher version number. Automation can also help organizations streamline processes like the creation of software bills of materials.
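The dependency confusion check described above, as an added example that is not part of the original article or any vendor's tool. It assumes a Python project using pip; the internal package names, the requirements file, the pip.conf contents and the "public index" snapshot are all constructed for the example (a real check would query the registry, for PyPI via `https://pypi.org/pypi/<name>/json`). It also shows the weak pip configuration beside the hardened one.

```python
"""Dependency-confusion check for a pip-based project (added example).

All inputs below are constructed for illustration; package names, URLs and
versions are hypothetical.
"""
from __future__ import annotations

import configparser
import re

# Names the organisation publishes only to its private index (constructed).
INTERNAL_PACKAGES = {"acme-auth", "acme-billing", "acme-utils"}

# A requirements file as a team might ship it (constructed).
REQUIREMENTS = """\
# pinned third-party dependency
requests==2.31.0
# internal packages, only published to the private index
acme-auth==1.4.0
acme-billing>=2.0
acme-utils
"""

# Snapshot of what the public index would answer for these names (constructed).
# An attacker has claimed two of the internal names on the public index.
PUBLIC_INDEX = {
    "requests": "2.31.0",
    "acme-auth": "99.0.0",   # claimed with an inflated version number
    "acme-utils": "0.0.1",   # claimed; name is unpinned in REQUIREMENTS
}

# Weak setting: the private index is only an *extra* index, so pip still
# resolves every name against the public index and takes the highest version.
PIP_CONF_WEAK = """\
[global]
extra-index-url = https://pypi.internal.example/simple
"""

# Hardened setting: the private index is the *only* index; it proxies the
# public one, so name resolution happens under the organisation's control.
PIP_CONF_HARDENED = """\
[global]
index-url = https://pypi.internal.example/simple
"""

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|>|<)\s*([0-9][0-9.]*))?\s*$"
)


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict[str, tuple[str | None, str | None]]:
    """Map normalised name -> (operator, version); comments and blanks skipped."""
    parsed: dict[str, tuple[str | None, str | None]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError(f"unsupported requirement line: {line!r}")
        parsed[normalise(match.group(1))] = (match.group(2), match.group(3))
    return parsed


def find_confusable(requirements: dict, internal: set[str], public_index: dict) -> list[dict]:
    """Flag internal names that also exist on the public index.

    An exact '==' pin that the public copy cannot satisfy is rated medium
    (the attacker can still republish that exact version, so hash pinning
    with `--require-hashes` is the real fix); anything else is rated high.
    """
    internal_norm = {normalise(n) for n in internal}
    public_norm = {normalise(n): v for n, v in public_index.items()}
    findings = []
    for name, (op, version) in requirements.items():
        if name not in internal_norm or name not in public_norm:
            continue
        public_version = public_norm[name]
        if op == "==" and public_version != version:
            risk = "medium"
        else:
            risk = "high"
        findings.append({"package": name, "public_version": public_version, "risk": risk})
    return findings


def check_pip_config(text: str) -> list[str]:
    """Flag settings that let pip consult the public index for private names."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if cfg.has_option(section, "extra-index-url"):
            findings.append(
                f"[{section}] extra-index-url: the private index is only additional, "
                "pip still resolves names against the public index; use index-url "
                "pointing at a private proxy that mirrors the public index instead"
            )
    return findings


if __name__ == "__main__":
    for finding in find_confusable(parse_requirements(REQUIREMENTS), INTERNAL_PACKAGES, PUBLIC_INDEX):
        print(finding)
    print("weak config:", check_pip_config(PIP_CONF_WEAK))
    print("hardened config:", check_pip_config(PIP_CONF_HARDENED))
```

Run it as-is to see the two claimed names flagged and the weak configuration called out; in a real pipeline the constructed `PUBLIC_INDEX` would be replaced by a registry lookup, and the same check applies to npm (`.npmrc` registry and scope settings) and NuGet (package source mapping).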
Include third parties in security strategies
Suppliers should look along their supply chain and identify their critical clients, assess those clients' security maturity, and require that all systems are kept updated and patched. Procurers, on their side, should identify their critical technology vendors and demand a consistent patching policy. By involving all stakeholders in security strategies, you reduce the chance of weak links.
Develop a transparent Software Bill of Materials
Understanding the components of your software is key to preventing attacks. Because most software developed today contains open source components, you cannot produce a transparent bill of materials unless you can identify the origin and exact version of every one of them. The software bill of materials is not only a coming regulatory requirement but a necessary step to keep software secure for you and for your clients: when a vulnerability in a widely used library is announced, the SBOM is what tells you, within minutes rather than weeks, which of your products ship it.
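An added example of what an automated, transparent SBOM looks like in practice; it is not code from the article or from any SBOM tool. It assumes two in-house Python products whose frozen dependency lists (as `pip freeze` prints them) are constructed here, emits a minimal CycloneDX 1.4 JSON document per product with a Package URL (purl) per component, and then answers the incident-response question the paragraph raises: which products ship a given package below the fixed version. Product names, versions and dependency sets are hypothetical.

```python
"""Minimal CycloneDX SBOM generation and query (added example).

Inputs are constructed for illustration; product and package versions are
hypothetical and carry no claim about real vulnerabilities.
"""
from __future__ import annotations

import json
import uuid
from datetime import datetime, timezone

# Frozen dependency sets of two in-house products, as `pip freeze` would
# print them (constructed). Keys are "<product> <version>".
FROZEN_DEPS = {
    "acme-portal 3.2.0": """\
Django==4.2.7
requests==2.31.0
urllib3==2.0.7
""",
    "acme-batch 1.0.5": """\
requests==2.28.0
urllib3==1.26.18
""",
}


def parse_freeze(text: str) -> list[tuple[str, str]]:
    """`pip freeze` output is exact pins; anything looser cannot be inventoried."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"not an exact pin, cannot inventory: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        pairs.append((name.lower(), version))
    return pairs


def build_sbom(product: str, version: str, freeze_text: str) -> dict:
    """Minimal CycloneDX 1.4 JSON document for one product.

    Every component carries a purl so it can be matched against advisories
    regardless of how the name was spelled in the manifest.
    """
    components = [
        {"type": "library", "name": name, "version": ver, "purl": f"pkg:pypi/{name}@{ver}"}
        for name, ver in parse_freeze(freeze_text)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": product, "version": version},
        },
        "components": components,
    }


def build_all() -> list[dict]:
    """One SBOM per product in FROZEN_DEPS."""
    sboms = []
    for key, freeze_text in FROZEN_DEPS.items():
        product, version = key.split(" ")
        sboms.append(build_sbom(product, version, freeze_text))
    return sboms


def version_key(version: str) -> tuple[int, ...]:
    """Numeric tuple for ordering, e.g. '1.26.18' -> (1, 26, 18)."""
    return tuple(int(part) for part in version.split("."))


def products_affected(sboms: list[dict], package: str, fixed_in: str) -> list[str]:
    """Which products ship `package` at a version below `fixed_in`?

    Returns "<product> <version>" strings, one per affected product.
    """
    hits = []
    for sbom in sboms:
        meta = sbom["metadata"]["component"]
        for comp in sbom["components"]:
            if comp["name"] == package.lower() and version_key(comp["version"]) < version_key(fixed_in):
                hits.append(f"{meta['name']} {meta['version']}")
                break
    return hits


if __name__ == "__main__":
    sboms = build_all()
    print(json.dumps(sboms[0], indent=2))
    # Hypothetical advisory: urllib3 fixed in 2.0.7; which products need a rebuild?
    print("affected:", products_affected(sboms, "urllib3", "2.0.7"))
```

The SBOM is only as good as its inputs: `parse_freeze` refuses anything that is not an exact pin, because a component listed as `requests>=2` cannot be matched against an advisory. In a real pipeline the generated document would be signed and published alongside the release artifact so that clients can run the same `products_affected` query themselves.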
Securing the Software Supply Chain is a Matter of All Stakeholders
Nobody is immune to a supply chain attack, from the original vendor down to the last distributor or client. Preventing supply chain attacks requires a coordinated approach in which every party along the chain improves its own security posture. By integrating security as early as possible into the development process, verifying the origin of the software you ship and consume, and ensuring there are no weak spots in the chain, we can make the attacker's task considerably more difficult.
About the author:
Daan Smit is a Dutch-born writer who lives in Asia, developing feature articles, global news and technology pieces. His work explores issues related to business psychology, data science, and cyber security.
Editorial Note: The opinions are the author's and are not necessarily the opinions of iTWire.