Whether proprietary or outsourced, software development has evolved into a nuanced matter when it comes to security. A single line of faulty code lurking in a library or framework can expose the entire organizational environment to attack. Unsurprisingly, threat actors increasingly exploit software supply chain gaps to infiltrate enterprise networks.
Click for more special coverage
A recent report by Sonatype found that 245K malicious application packages were logged in 2023 alone. That tripled the stats for 2022 and doubled the number for all previous years combined since 2019. These incidents reportedly cost businesses a staggering $45.8 billion last year, and the economic impact was projected to reach $80 billion globally by 2026.
Common vectors of abuse
The software supply chain, once a linear path from development to deployment, has now become a fusion of interconnected components. Organizations increasingly rely on third-party code, open-source libraries, and external tools. These dependencies introduce potential entry points for cybercriminals.
Attackers often target software repositories or distribution channels to inject malicious code into applications for backdoor access later on. Insecure coding practices, unpatched dependencies, and outdated libraries create vulnerabilities that fuel this exploitation.
Working with multiple vendors across the supply chain increases the attack surface. Each vendor may have varying security practices, which makes it challenging to maintain consistent DevSecOps standards throughout the software lifecycle.
Legacy software components or systems may lack critical security updates and patches. Therefore, companies that use outdated technologies face heightened risks of exploitation.
How to mitigate the risks
With software supply chain attacks escalating across the corporate territory, CISOs should make sure that their application development and delivery practices align with these new challenges. This would likely require reevaluating and hardening the security of every stage down the CI/CD pipeline. Sounds daunting, but old policies and controls might no longer match the current scope of the threat illustrated by the above statistics.
Let’s look at the ways to build resilience within the organization’s software development process.
- Safe coding practices: Incorporate security into the software development lifecycle (SDLC) from inception to deployment. Use static and dynamic code analysis tools, train developers in threat modeling, and perform vulnerability assessments to identify and remediate weaknesses early in the software engineering workflow.
- Dependency management: Maintain an inventory of software dependencies and libraries used within the organization. Regularly update and patch these entities to address known security flaws. Automated dependency scanning tools can streamline this process.
- Vendor management: Prioritize third-party contractors with a strong security track record. Establish strict vendor assessment criteria, including security standards, compliance requirements, and incident response capabilities. Cross-reference the vendor’s historical DNS records with known indicators of compromise (IOCs) related to software supply chain attacks and vulnerabilities. Also, regularly evaluate and audit vendors to ascertain they adhere to established security practices consistently.
- Software bills of materials (SBOMs): Create and maintain a comprehensive SBOM that details all components used within the codebase, including open-source libraries, frameworks, and modules along with their versions and patch statuses. This inventory offers the visibility needed to identify and remediate vulnerabilities in the software supply chain.
- Tamper-proof distribution channels: Applications are particularly susceptible to abuse during transit. Use end-to-end encryption, digital certificates, and secure protocols to protect software packages from interception or unauthorized changes on their way to the target audience.
- Network segmentation: Isolate the development, build, and deployment environments to limit the potential impact of a breach in one area. Firewalls, virtual local area networks (VLANs), and software-defined networking (SDN) tools can facilitate the segmentation and curb lateral movement of threat actors in a compromise scenario.
- Multi-factor authentication: This technique makes it harder for attackers to gain unauthorized access to developer workstations. MFA only works as long as it’s used throughout the software supply chain, including remote employees’ devices and vendor systems.
- Granular access control: Specify permissions and privileges based on user roles and responsibilities. It’s recommended to enforce additional authentication factors for high-risk actions, such as accessing production environments or deploying software updates.
- Threat intelligence: Subscribe to threat intel feeds to address emerging risks proactively. This tactic works in concert with a vulnerability management program that prioritizes remediation efforts based on severity.
- Incident response planning: Develop a roadmap that outlines how to identify, contain, and recover from a software supply chain attack. This plan should include communication protocols for notifying stakeholders and affected users.
Server, desktop, and mobile applications are the glue for any organizational infrastructure today. In addition to these 10 tips, it’s important to promote a culture of security awareness among developers. This will make software supply chain security a collaborative effort where each team member plays an important role.
David Balaban, owner, Privacy-PC