COMMENTARY: Managing software supply chain attacks continues to present a major challenge for security teams. A recent Gartner report highlights the escalation, projecting that the cost of these attacks will rise 200% to $138 billion by 2031. Even more alarming, nearly two-thirds of U.S. businesses fell victim to such breaches between May 2022 and April 2023.
These risks are not theoretical. High-profile incidents such as the 2020 SolarWinds Orion attack, in which a trojanized update reached roughly 18,000 customers, the 2021 Kaseya ransomware attack, which affected up to 1,500 businesses, and the far-reaching Log4Shell vulnerability in Log4j (CVE-2021-44228) have shown just how exposed our software supply chains are, and how devastating the consequences can be.
In short, our software supply chains are vulnerable, and the consequences of exploitation are far-reaching. This raises a pressing question: where are we most vulnerable?
Identifying the weaknesses
Several factors contribute to the increasing frequency and severity of software supply chain issues:
But there’s one major culprit that may surprise even the most experienced of security teams:
According to our recent research, a staggering 34% of all severe security issues are found in web server environments, including popular platforms such as Apache, NGINX and Microsoft IIS. In other words, one in three critical vulnerabilities lurks in the very foundation of our digital infrastructure.
Even more alarming is the state of basic security measures. Nearly one-third (31%) of surveyed web interfaces do not serve HTTPS, despite the technology being roughly 30 years old. Without TLS, credentials, session cookies and form data cross the network in cleartext, where anyone on the path can read them or tamper with the responses.
The situation becomes even more dire for assets that handle personally identifiable information (PII). Only half of the web interfaces dealing with PII sit behind a web application firewall (WAF), leaving a vast swath of sensitive personal data without even that layer of protection.
And then there's the glacial pace of remediation. Best practice calls for critical vulnerabilities to be fixed within 15 days (the window CISA's Binding Operational Directive 19-02 sets for federal agencies), but the reality is far more sobering: on average it takes 76 days to remediate severe issues that carry a CISA-issued advisory. That gives attackers weeks of runway to exploit vulnerabilities that are already public, against organizations that may not even know they are exposed.
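As an added example (not part of this column, and not CyCognito's tooling), the following Python script runs the three checks just described over a small constructed inventory of external web interfaces: the share served without HTTPS, the share of PII-handling interfaces with no WAF in front of them, and time-to-remediate measured against the 15-day target. It also applies the scoping step the column discusses later, narrowing the inventory to, say, cloud-hosted interfaces that handle PII, and ranks what remains. The hosts, dates and risk weights are invented for illustration; the only figures taken from the column are the 15-day SLA.

```python
"""Triage an external web-interface inventory against the exposure
checks the column describes. Added example with a constructed
inventory; hostnames, dates and risk weights are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SLA_DAYS = 15              # remediation target for critical issues (column / CISA BOD 19-02)
AS_OF = date(2024, 6, 1)   # "today" for the constructed data, so the run is reproducible


@dataclass(frozen=True)
class WebInterface:
    host: str
    https: bool                            # served over TLS?
    handles_pii: bool                      # processes personal data?
    behind_waf: bool                       # WAF in front of it?
    cloud_hosted: bool
    advisory_date: Optional[date] = None   # date a CISA advisory covered a component on it
    remediated_date: Optional[date] = None # None = still open


# Constructed sample inventory (hypothetical hosts under the reserved .test TLD).
INVENTORY: List[WebInterface] = [
    WebInterface("portal.example.test", https=True, handles_pii=True, behind_waf=True,
                 cloud_hosted=True, advisory_date=date(2024, 3, 1), remediated_date=date(2024, 3, 10)),
    WebInterface("legacy-crm.example.test", https=False, handles_pii=True, behind_waf=False,
                 cloud_hosted=False, advisory_date=date(2024, 1, 15), remediated_date=date(2024, 4, 20)),
    WebInterface("status.example.test", https=False, handles_pii=False, behind_waf=False, cloud_hosted=True),
    WebInterface("api.example.test", https=True, handles_pii=True, behind_waf=False,
                 cloud_hosted=True, advisory_date=date(2024, 5, 1), remediated_date=None),
    WebInterface("docs.example.test", https=True, handles_pii=False, behind_waf=True, cloud_hosted=True),
    WebInterface("hr.example.test", https=True, handles_pii=True, behind_waf=True,
                 cloud_hosted=False, advisory_date=date(2024, 2, 1), remediated_date=date(2024, 2, 12)),
]


def pct(n: int, d: int) -> float:
    return round(100 * n / d, 1) if d else 0.0


def share_without_https(assets: List[WebInterface]) -> float:
    """Percentage of interfaces served without TLS (column: 31% industry-wide)."""
    return pct(sum(not a.https for a in assets), len(assets))


def share_pii_without_waf(assets: List[WebInterface]) -> float:
    """Percentage of PII-handling interfaces with no WAF (column: ~50%)."""
    pii = [a for a in assets if a.handles_pii]
    return pct(sum(not a.behind_waf for a in pii), len(pii))


def days_open(a: WebInterface, today: date = AS_OF) -> Optional[int]:
    """Days from advisory to fix, or to today if still open; None if no advisory."""
    if a.advisory_date is None:
        return None
    return ((a.remediated_date or today) - a.advisory_date).days


def remediation_stats(assets: List[WebInterface], today: date = AS_OF) -> Tuple[float, List[str]]:
    """Mean days-to-remediate (open issues counted to today) and hosts past the SLA."""
    durations = [(a.host, d) for a in assets if (d := days_open(a, today)) is not None]
    mean = sum(d for _, d in durations) / len(durations) if durations else 0.0
    overdue = [h for h, d in durations if d > SLA_DAYS]
    return mean, overdue


def select_scope(assets: List[WebInterface], *, cloud_hosted: Optional[bool] = None,
                 handles_pii: Optional[bool] = None) -> List[WebInterface]:
    """Narrow the inventory to one scope, e.g. cloud-hosted interfaces that handle PII."""
    return [a for a in assets
            if (cloud_hosted is None or a.cloud_hosted == cloud_hosted)
            and (handles_pii is None or a.handles_pii == handles_pii)]


def risk_score(a: WebInterface, today: date = AS_OF) -> int:
    """Hypothetical weights: open advisory past SLA 4, within SLA 1; no HTTPS 3; PII without WAF 2."""
    score = 0
    if not a.https:
        score += 3
    if a.handles_pii and not a.behind_waf:
        score += 2
    if a.advisory_date is not None and a.remediated_date is None:
        score += 4 if days_open(a, today) > SLA_DAYS else 1
    return score


def rank(assets: List[WebInterface], today: date = AS_OF) -> List[Tuple[str, int]]:
    """Hosts ordered highest risk first; ties broken by hostname for a stable report."""
    return sorted(((a.host, risk_score(a, today)) for a in assets), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print(f"no HTTPS: {share_without_https(INVENTORY)}%  PII without WAF: {share_pii_without_waf(INVENTORY)}%")
    mean_days, overdue = remediation_stats(INVENTORY)
    print(f"mean days to remediate: {mean_days:.1f}  past {SLA_DAYS}-day SLA: {overdue}")
    for host, score in rank(select_scope(INVENTORY, cloud_hosted=True, handles_pii=True)):
        print(f"{score:2d}  {host}")
```

On the constructed data the script reports one third of interfaces without HTTPS, half of PII interfaces without a WAF, and a mean of roughly 37 days to remediate, with `api.example.test` (PII, no WAF, open advisory past the SLA) ranked first. Real inventories come from an external attack surface scan or asset database; the functions above only assume each record carries the same fields.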
Strengthening web server security
To address the supply chain risks posed by exposed web servers, organizations should adopt a proactive, multi-layered approach to asset management and protection. Here are three recommendations as examples:
Managing supply chain vendors effectively is also crucial to keeping the software supply chain secure. Ideally, an organization keeps a centralized software bill of materials (SBOM) and asset list, but in practice large companies often have overlapping vendor lists, and the gaps between them are where assets go untracked. Using multiple security vendors can likewise lead to inconsistent policy enforcement. Vendor diversification has its benefits, but it only works with full visibility across all assets; otherwise the seams between tools become blind spots.
Scoping can also break an organization’s attack surface into manageable parts so that risks can be prioritized. Whether the scope is broad (all internet-exposed systems) or narrow (cloud-hosted web interfaces that handle PII), it ensures that high-risk areas get attention first. Tools that apply AI and machine learning can improve scoping accuracy, helping organizations tie critical risks to specific assets and maintain compliance with regulatory requirements.
The vulnerabilities in web servers, coupled with the rapid pace of innovation, make securing the software supply chain increasingly complex. Organizations must take a proactive stance to meet these challenges, employing continuous monitoring, robust protection, and smart prioritization. By maintaining visibility across their assets, they can better defend against growing threats and safeguard their digital infrastructure.
Emma Zaballos, senior researcher, CyCognito
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.