How secure is your software supply chain?

How to effectively protect your software supply chains from cyber attacks

Software supply chains have become a dangerous vulnerability in organizations and may allow attackers to penetrate internal networks. Although the risk is high, organizations can still take action to protect themselves and prevent attacks through this supply chain vulnerability.

For a long time, only a few specialists were interested in security risks posed by the supply chain, particularly software supply chains. After the cyber attack on the IT security company FireEye at the end of 2020, many IT managers got a resounding wake-up call. During this incident, attackers were able to penetrate the company’s systems via an automated patch management system. Before this occurrence, the same attackers had compromised the Orion platform of the IT service specialist SolarWinds. The Sunburst vulnerability, as it was named, was therefore not directly caused by FireEye, but through its software supplier, which had not detected and closed the exploited vulnerability in time.

It is estimated that 18,000 of the approximately 35,000 companies and public authorities that were running the Orion platform at the time fell victim to this attack. Even two years later, nobody knows how much damage was really caused. This is because contemporary software is a complex ecosystem that hardly anyone can keep track of, and there is a reason for that. The days when small teams or freelancers could develop an application on their own and bring it to market are long gone. Instead, programmers today routinely rely on external frameworks, libraries, and other third-party components to implement functionality with less effort.

Third-party software increases the attack surface

Although software development today would be unthinkable without third-party components, the software supply chain carries considerable risk and enlarges the attack surface. Almost every application used in organizations today depends in some way on other components. Many first became aware of how critical this situation is when the security vulnerability in the logging library Log4j was reported. The news hit like a bomb, and many experts feared catastrophic effects on the Internet. Thankfully, the immediate consequences were less severe than feared, although many administrators still had their hands full.

In many cases, nobody knew exactly where Log4j was used. The library was not only used directly in integrated components, but also in sub-components and their dependencies. In recent years, many organizations have allowed software and services to proliferate unchecked, and this is now becoming a very serious problem. The Log4j zero-day vulnerability exploits exactly this lack of visibility, and in the worst case it can be misused to execute arbitrary code on the affected system. The effects of vulnerabilities like these can be devastating and can lead to data breaches in which confidential information is stolen. Attackers could also stealthily manipulate or delete data, inject malware or ransomware, and harvest computing power to mine cryptocurrencies.

Companies affected by this vulnerability include major cloud providers such as Amazon Web Services (AWS), Apple’s iCloud services, and the Steam gaming platform. It doesn’t bear thinking about what could have happened if these services had been exploited to distribute manipulated updates, which is exactly what happened in the SolarWinds case. Once again, however, the full extent of the damage caused by the Log4j vulnerability, even in relation to this incident alone, cannot yet be estimated. Security experts assume that in many cases the vulnerability was used to secretly install a back door, to be used to facilitate attacks later, once the coast is clear.


A “Bill of Materials” for software could reveal vulnerable versions

The incidents mentioned so far are only the tip of the iceberg. Concerningly, the Federal Office for Information Security (BSI) points out in its report “The Situation of IT Security in Germany 2021” (PDF) that “many manufacturers can only determine with a great deal of effort which libraries and other third-party software are used in their products”. Such an in-depth analysis is time-consuming and expensive.

To make software dependencies and the software supply chain more transparent, an international team of experts is working on standards for a “Software Bill of Materials” (SBOM). An SBOM is a complete list of the components and dependencies of a specific software product, and it can be used to check efficiently whether a known vulnerability affects that product.

Although companies and end customers would benefit most from an SBOM, the BSI also points out the benefits to software manufacturers, who would be able to “check whether a vulnerable software component is used in their supply chain”. If a vulnerability is discovered, software manufacturers could then take swift and appropriate action. The BSI report notes that this process could be automated within the scope of the Common Security Advisory Framework (CSAF).
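The check described in the two paragraphs above, matching an SBOM against machine-readable advisories, can be automated in a few dozen lines. The following is an added example written for this article; it is not code from NCP or from the BSI. It assumes the SBOM is in the shape of a CycloneDX JSON document (the article names no specific SBOM format), and the advisory list is a constructed, simplified stand-in for a CSAF document: the component names, versions, dependency graph, advisory identifiers and affected version ranges are all invented for illustration.

```python
"""Match a Software Bill of Materials (SBOM) against known-vulnerable versions.

Added example, not code from the page or from NCP. The SBOM follows the shape
of a CycloneDX JSON document (assumption); the advisories are a constructed,
simplified stand-in for CSAF. All names, versions and identifiers are invented.
"""
import json
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed SBOM: an application that depends on a web framework, which in
# turn pulls in a logging library; the application also uses the logger directly.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "group": "com.example", "name": "example-app",
     "version": "3.2.0", "purl": "pkg:maven/com.example/example-app@3.2.0"},
    {"type": "library", "group": "com.example", "name": "acme-web-framework",
     "version": "1.4.0", "purl": "pkg:maven/com.example/acme-web-framework@1.4.0"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/example-app@3.2.0",
     "dependsOn": ["pkg:maven/com.example/acme-web-framework@1.4.0",
                   "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/com.example/acme-web-framework@1.4.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}
  ]
}
'''

# Constructed advisories: placeholder identifiers and illustrative version ranges
# (a component is affected if introduced <= version < fixed).
ADVISORIES: List[dict] = [
    {"id": "ADV-PLACEHOLDER-1", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "affected": {"introduced": "2.0.0", "fixed": "2.15.0"}},
    {"id": "ADV-PLACEHOLDER-2", "group": "com.example", "name": "acme-web-framework",
     "affected": {"introduced": "1.0.0", "fixed": "1.2.0"}},
]


def parse_version(text: str) -> Version:
    """Turn '2.14.1' (or '2.14.1-rc1') into (2, 14, 1); missing parts become 0."""
    parts: List[int] = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def in_affected_range(version: str, affected: Dict[str, str]) -> bool:
    """True if introduced <= version < fixed, using padded numeric comparison."""
    return parse_version(affected["introduced"]) <= parse_version(version) < parse_version(affected["fixed"])


def load_sbom(text: str) -> dict:
    return json.loads(text)


def dependency_paths(sbom: dict, target_ref: str) -> List[List[str]]:
    """Every root -> ... -> target chain in the dependency graph, so the reader can
    see whether a vulnerable component is pulled in directly or transitively."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depended_on = {child for children in graph.values() for child in children}
    roots = [ref for ref in graph if ref not in depended_on]
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic dependency data
                walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return paths


def match_advisories(sbom: dict, advisories: List[dict]) -> List[dict]:
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("group") != adv["group"] or comp.get("name") != adv["name"]:
                continue
            if in_affected_range(comp["version"], adv["affected"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": f'{adv["group"]}:{adv["name"]}',
                    "version": comp["version"],
                    "paths": dependency_paths(sbom, comp["purl"]),
                })
    return findings


if __name__ == "__main__":
    for f in match_advisories(load_sbom(SBOM_JSON), ADVISORIES):
        print(f'{f["advisory"]}: {f["component"]} {f["version"]} is affected')
        for path in f["paths"]:
            print("  via " + " -> ".join(path))
```

Run against the constructed data, the script reports the logging library once (it is within the affected range) and stays silent about the framework (version 1.4.0 is past the fixed version), and it lists both the direct and the transitive path to the logger. In practice the version comparison is the fragile part: real ecosystems have their own version syntax, so a production tool should use the version-comparison rules of the package ecosystem named in the purl rather than a generic numeric split.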

A Bill of Materials is already mandatory for US authorities

The United States is already further down this road than other countries: according to a White House Executive Order issued in May 2021, all software vendors who wish to sell their products to US federal authorities must submit SBOMs. Anchore, a software manufacturer that specializes in software supply chain security, reports that one in three suppliers intends to meet these same requirements this year. This is likely to have a positive effect on the situation in other countries too.

In its 2022 Software Supply Chain Security Report (PDF), Anchore found that 62 percent of the companies surveyed had been victims of a supply chain attack in 2021, and the company therefore considers SBOMs a “critical component in the security of software supply chains”. A bill of materials for software gives full details of all software components and is essential for understanding vulnerabilities and risks in the supply chain. It’s safe to say that we can no longer do without it.

Let’s sum up

All kinds of organizations now have an increased need for security due to potential vulnerabilities in the software supply chain. NCP is here to help. “We offer the consistency and quality that can be expected of a software manufacturer. With our own development team based in Nuremberg, Germany, we are able to provide a trusted, independently developed software basis for secure communications, even in the event of future changes in world affairs,” says Patrick Oliver Graf, CEO & Managing Director at NCP. If you have any questions, please get in touch with us.