Software Supply Chain Security: Understanding and Mitigating Major Risks
Software supply chain security is becoming increasingly critical as more organizations rely on complex software ecosystems that can expose them to vulnerabilities. These vulnerabilities can lead to significant breaches, affecting not only individual companies but their customers and partners as well. In this blog, we’ll explore four key categories of software supply chain risk and provide proactive prevention strategies. Let’s dive in!
Understanding Software Supply Chain Security Risks
When we discuss the software supply chain, this includes applications hosted internally, software-as-a-service (SaaS), hosted services, open-source libraries, and more. Each component can potentially introduce security weaknesses, particularly with the rise of AI tools that can now quickly identify and exploit vulnerabilities. To protect against software supply chain security threats, it’s essential to understand the main types of risks involved:
- Catastrophic flaws
- Product vulnerabilities
- Backdoors and malware
- Vendor security control gaps
Let’s look at each category and how you can proactively reduce your organization’s risks.
Catastrophic Flaws: When Updates Go Wrong
Catastrophic flaws occur when unintended software issues arise during an update or release, potentially causing widespread damage. A recent example is the CrowdStrike incident that took place this summer. On July 19th, a flawed software update caused Windows kernel crashes, resulting in the “blue screen of death” on over 8.5 million computers worldwide.
Catastrophic flaws like this demonstrate the critical importance of software supply chain security. Let’s look at how your organization can prepare for potential catastrophic events.
Risk Reduction Strategies:
- Rigorous Testing Before Updates: Quickly conduct comprehensive testing across multiple environments to catch as many issues as possible before releasing an update into critical production environments.
- Emergency Response Planning: Have a rollback mechanism and a crisis communication plan to mitigate damage and restore systems quickly if an update fails.
- Backup Systems and Rollback Mechanisms: Keep automated backups and rollback capabilities ready to minimize downtime during an unexpected system failure.
Product Vulnerabilities: Exploiting Plugins and Third-Party Components
Product vulnerabilities often arise from widely used software components, such as third-party plugins or libraries. A notable example is the GiveWP WordPress plugin, which had a critical flaw allowing unauthorized users to create files on web servers and gain complete control. We found an exploit for this vulnerability on the dark web, freely available to attackers, which shows how easily product vulnerabilities can be weaponized. For more details and screenshots of how this happened, watch our software supply chain video at minute mark 4:50.
Another critical vulnerability surfaced in JetBrains TeamCity, a popular tool for managing and sharing source code. Attackers exploited an unpatched flaw to gain access to development environments, where they could steal sensitive source code or implant malicious elements. Over 1,700 servers were found vulnerable, demonstrating the risk posed by such product vulnerabilities. These attacks are becoming increasingly common, and the impacts can be extensive (Remember Log4j?).
Risk Reduction Strategies:
- Monitor Third-Party Components: Maintain an asset inventory of third-party components and ensure regular updates to the latest versions.
- Apply Security Patches Promptly: Use vulnerability scanning tools regularly, but keep in mind that they often lag behind newly discovered vulnerabilities.
- Implement Least Privilege: Limit permissions for plugins and third-party components to reduce the potential damage if they are compromised.
Backdoors and Malware: Breaching the Trust
Backdoors and malware are used by attackers to implant malicious code into trusted software products, compromising customers who install updates. One infamous example is the SolarWinds Orion attack, where hackers planted a backdoor in the SolarWinds Orion software, allowing them access to sensitive systems for over a year before detection. Thousands of customers, including major corporations and government entities, were affected, making this one of the most impactful software supply chain security breaches in recent history.
More recently, there was an attempt to introduce a backdoor into the XZ Utilities package, a critical compression utility used by most Linux distributions. The attackers built credibility for years, then tried to insert malicious code into the utility’s update. Fortunately, an observant developer noticed the unusual behavior, preventing the attack from becoming successful. Watch minute 33:36 of our software supply chain video for details and screenshots.
Risk Reduction Strategies:
- Software Bill of Materials (SBOM): Request SBOMs from vendors to understand all components in the software you use which list all software libraries used in the solution. This helps you identify exposure when a backdoor vulnerability is discovered.
- Threat Intelligence Monitoring: Implement tools that flag suspicious updates before deployment and monitor threat intelligence feeds for vulnerabilities.
- Regular Source Code Audits: Conduct frequent audits of open-source and internally developed software to detect unauthorized changes. Use code signing to verify the integrity of software updates.
Vendor Security Control Gaps: Risks of Third-Party Access
Vendor security control gaps occur when vendors fail to implement robust security practices, leading to potential compromises. The Sisense breach is an example where attackers accessed Sisense’s GitLab portal and stole credentials, including access keys for Amazon S3 storage (Watch minute mark 43:55 of our software supply chain video for details and screenshots). Weak monitoring mechanisms allowed attackers to access and exfiltrate sensitive customer information, as well as administrative control tokens.
Similarly, the Okta breach (Watch minute mark 47:40 of our software supply chain video for details and screenshots) involved attackers gaining access to sensitive files containing session tokens. These tokens allowed attackers to bypass authentication and impersonate legitimate software services, affecting many companies. For example, Cloudflare was compromised, resulting in the theft of its source code, creating further vulnerabilities.
Risk Reduction Strategies:
- Vendor Vetting Policies: Implement vendor vetting controls and use a third-party risk management solution. Read our third-party risk management blog for advice and best practices.
- Third-Party Penetration Testing: Ensure vendors undergo regular penetration testing and provide documentation as part of your vendor selection process.
- Limit Data Sharing: Restrict data sharing with vendors and establish policies for data deletion after it is no longer required. Limit access rights to sensitive data for vendors.
- Secure Integration Points: Use secure API gateways and strong encryption for data shared between your systems and third-party services.
Evil AI Will Increase Software Supply Chain Attacks
Artificial intelligence tools like WormGPT are being used to quickly identify and exploit vulnerabilities. For example, after feeding stolen source code into WormGPT, we discovered multiple vulnerabilities in seconds, complete with exploit instructions. As attackers leverage AI, defenders must also use AI-driven tools to strengthen software supply chain security. AI can assist in proactive code analysis, helping identify potential vulnerabilities before the software reaches production, and more.
A Comprehensive Approach to Software Supply Chain Security
Securing the software supply chain requires a multifaceted approach:
- Understand Your Software Components: Require SBOMs to catalog dependencies and assess potential vulnerabilities in your software. This helps in identifying weak spots that can be exploited.
- Establish Vendor Risk Management Policies: Implement third-party risk management measures, including security testing, contractual agreements for emergency patching, and regular security attestations from vendors.
- Monitor and Respond: Monitor threat intelligence feeds for emerging vulnerabilities and apply patches immediately. Implement 24/7 monitoring to detect threats in real-time and ensure a swift response.
- Conduct Regular Penetration Testing: Include third-party software in your penetration testing to identify any weaknesses before they can be exploited.
- Enhance Incident Response Planning: Your incident response plan must consider both your software supply chain and those of your critical vendors. Ensure a rapid rollback mechanism is in place, like companies who were able to recover quickly from the CrowdStrike incident.
Software supply chain security must be prioritized to protect against evolving cyber threats. By understanding and mitigating four major types of risks—catastrophic flaws, product vulnerabilities, backdoors/malware, and vendor security control gaps—you can strengthen your organization’s resilience against potential attacks.
Please contact us if you need help with penetration testing, policy development consulting, cybersecurity solutions, or training. Our expert team is ready to help!