Monday, 23 August 2021 17:37

Software Supply Chain Security: Beware of the Next SolarWinds

By *Daan Smit

After the recent massive cyberattacks like SolarWinds, which focused on the software supply chain, software developers and vendors are rushing to test all software components on their supply chain.

A supply chain attack can have a ripple effect of disastrous consequences for your organization and your customers. Attackers don’t rest, so the next attack is never far away.

How can you prevent the next disaster? To be ahead of attackers, organizations should develop a supply chain security strategy.

Why do organizations need to focus on software supply chain security?

This past year, we saw entire infrastructures stop as a result of supply chain attacks. These types of attacks are quick and by the time you can react, the damage is done.

Supply chain attacks are very attractive for malicious actors because they offer the opportunity for a maximum exploit with minimal effort. By finding the weakest link in a supply chain, an attacker can easily move through the network, infecting every client down the line.

The success achieved with SolarWinds, Microsoft, and Colonial Pipeline encourages attackers to continue and shows that nobody is immune to this type of attack. According to Eva Velasquez, CEO of the Identity Theft Resource Center (ITRC), supply chain attacks, among others, show a trend that cybercriminals look to exploit multiple organizations through a single point of attack. Their report found that 137 organizations reported an attack on their supply chains through third-party vendors.

Both financially motivated criminals and nation states carry out this type of attack, and the trend is expected to escalate exponentially in 2021 according to a report by the European Union Agency for Cybersecurity (ENISA).

The report brings some concerning statistics regarding supply chain attacks:

  • Between January 2020 and July 2021, 24 supply chain attacks were reported in Europe.
  • 50% of the attacks are attributed to known Advanced Persistent Threat groups.
  • 62% of attacks come via a trusted supplier.
  • 58% of supply chain attacks had the goal of gaining access to data.


How to develop a strong software supply chain security strategy

Organizations need to put supply chain attacks on the list of threats they protect against. Software development companies are especially at risk: an attacker who compromises a piece of software through an update can potentially compromise an entire network of clients and business associates.

Governments are planning new cybersecurity regulations. Biden’s administration is implementing executive orders to secure the software supply chain and make the software bill of materials (SBOM) a mandatory requirement.

Here are four areas in which organizations can increase awareness of and visibility into software supply chain security:

Shift security left

This approach involves baking security testing into the development lifecycle. When applied to a DevOps environment, this approach is known as DevSecOps. This method produces faster and more secure development, since security testing is carried out before the software is sent to production.

Taking the leap into DevSecOps can help developers detect and fix vulnerabilities and exploitable errors early in the pipeline. The downside of this approach is that developers often need to take on security tasks on top of their own.

Adopt Zero Trust Architecture

The executive order from the U.S. government recommends that every migration to cloud technology adopt zero trust architecture. That means implementing a security posture that assumes compromise, and modernizing capabilities for proactive threat detection and response.

Leverage tools for vulnerability detection

The fast pace of DevSecOps requires securing the pipeline without slowing down. With the new guidelines coming to support supply chain security, organizations need to leverage automated tools.

Developers can use automated tools to detect malicious packages and new software supply chain security risks, such as dependency confusion vulnerabilities. Automation can also help organizations streamline processes like the creation of software bills of materials.

Include third parties in security strategies

Map your supply chain and identify which of your clients are critical. Assess their security maturity and require that all systems are updated and patched. Procurers, for their part, should identify critical technology vendors and demand a consistent patching policy. By involving all stakeholders in security strategies, you reduce the chance of weak links.

Develop a transparent Software Bill of Materials

Understanding the components of your software is key to preventing attacks. Because most software developed these days contains open source components, you cannot have a transparent bill of materials if you cannot identify the origin of all of them. The software bill of materials is not only a requirement, but a necessary step to keep software secure for you and for your clients.
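The two automation points above, detecting dependency-confusion risk in a dependency list and generating a software bill of materials from it, as one added Python example. This is illustrative code written for this page, not code from the article or from any SBOM tool. It assumes a pip-style requirements file and a pip.conf; the package names, the internal package list, the public-index snapshot and the SHA-256 digests are all constructed placeholders. The check is meant to run as a pre-merge gate, which is where a shift-left approach would place it.

```python
"""Added example (not from the article): audit a pinned requirements file
for supply chain risks and emit a CycloneDX 1.4 SBOM from it.
All inputs below are constructed sample data with placeholder values."""
import configparser
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PLACEHOLDER_HASH = "0" * 64  # constructed placeholder, not a real digest

# Constructed sample requirements file (package names are illustrative).
SAMPLE_REQUIREMENTS = f"""\
# production dependencies
requests==2.31.0 --hash=sha256:{PLACEHOLDER_HASH}
acme-billing-core==1.4.2 --hash=sha256:{PLACEHOLDER_HASH}
urllib3>=1.26
pyyaml==6.0.1
"""

# Assumed set of packages published only on the company's private index.
INTERNAL_PACKAGES: Set[str] = {"acme-billing-core"}

# Constructed stand-in for a query to the public index (name -> versions).
# A public upload under an internal name is the dependency-confusion setup.
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.31.0"], "urllib3": ["1.26.18", "2.2.1"],
    "pyyaml": ["6.0.1"], "acme-billing-core": ["99.0.0"],
}

# Weak pip.conf: public and private indexes merged, so the resolver is free
# to pick whichever index offers the higher version.
WEAK_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""
# Hardened pip.conf: single private index that proxies public packages,
# and pip's --require-hashes behaviour switched on.
HARDENED_PIP_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
require-hashes = true
"""

SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:(==|>=|<=|~=|!=|>|<)(.+))?$")

def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: Optional[str]
    hashes: List[str] = field(default_factory=list)  # e.g. "sha256:<hex>"

def parse_requirements(text: str) -> List[Requirement]:
    """Parse 'name<op>version [--hash=algo:hex ...]' lines; fail closed on junk."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        spec, *options = line.split()
        m = SPEC_RE.match(spec)
        if not m:
            raise ValueError(f"unparseable requirement line: {raw!r}")
        hashes = [o.split("=", 1)[1] for o in options if o.startswith("--hash=")]
        reqs.append(Requirement(normalize(m.group(1)), m.group(2), m.group(3), hashes))
    return reqs

def audit(reqs, internal=INTERNAL_PACKAGES, public_index=PUBLIC_INDEX):
    """Return (name, kind, detail) findings for the risks the article names."""
    findings = []
    for r in reqs:
        if r.operator != "==":
            findings.append((r.name, "unpinned",
                             f"'{r.operator or ''}{r.version or ''}' lets a newer release be pulled silently"))
        if not r.hashes:
            findings.append((r.name, "no-hash", "no --hash pin; a tampered artifact would install unnoticed"))
        if r.name in internal and r.name in public_index:
            findings.append((r.name, "dependency-confusion",
                             f"internal name also on public index with versions {public_index[r.name]}"))
    return findings

def check_pip_config(conf_text: str) -> List[str]:
    """Flag resolver settings that make dependency confusion possible."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    issues = []
    if "extra-index-url" in g:
        issues.append("extra-index-url merges indexes; the resolver may prefer the public package")
    if g.get("require-hashes", "false").lower() not in ("true", "1", "yes", "on"):
        issues.append("require-hashes is off; digest mismatches will not fail the install")
    return issues

def build_sbom(reqs: List[Requirement]) -> dict:
    """Minimal CycloneDX 1.4 document with package-url identifiers."""
    components = []
    for r in reqs:
        comp = {"type": "library", "name": r.name, "purl": f"pkg:pypi/{r.name}"}
        if r.operator == "==":  # only an exact pin yields a versioned purl
            comp["version"] = r.version
            comp["purl"] += f"@{r.version}"
        sha256 = [h.split(":", 1)[1] for h in r.hashes if h.startswith("sha256:")]
        if sha256:
            comp["hashes"] = [{"alg": "SHA-256", "content": h} for h in sha256]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": components}

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, kind, detail in audit(reqs):
        print(f"[{kind}] {name}: {detail}")
    for issue in check_pip_config(WEAK_PIP_CONF):
        print(f"[pip-config] {issue}")
    print(json.dumps(build_sbom(reqs), indent=2))
```

Run as a script, the audit reports `urllib3` as unpinned and unhashed, `pyyaml` as unhashed, and `acme-billing-core` as a dependency-confusion candidate because the constructed public index carries a higher version of that internal name; the weak pip.conf is flagged on both counts while the hardened one passes clean. The emitted SBOM carries a `purl` per component, which is what downstream vulnerability matching keys on, so the same parse feeds both the gate and the bill of materials.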

Securing the Software Supply Chain is a Matter of All Stakeholders

Nobody is immune to a supply chain attack, from vendors to the last distributor or client. Preventing supply chain attacks requires a coordinated approach along the entire supply chain, in which every participant improves its individual security posture. By integrating security as early as possible into the development process, securing the origin of the software, and ensuring there are no weak spots in the chain, we can make the attacker’s task more difficult.


About the author:

*Daan Smit is a Dutch-born writer who lives in Asia and develops feature articles, global news and technology pieces. His work explores issues related to business psychology, data science, and cyber security.

Editorial Note: The opinions are the author's and are not necessarily the opinions of iTWire. 
