Four years on from the SolarWinds hack, supply chains should still be top of mind for businesses. Warnings from the NCSC have reinforced this message, but in the UK just 13% of business decision-makers describe supply chain security as a top priority.
Perhaps they don’t realise how fragile and vulnerable software supply chains can be? A report from ReversingLabs found almost 11,200 unique malicious packages across major free and open-source software (FOSS) platforms in 2023, thirteen times as many as 2020. With FOSS a common part of many commercial software products, organisations need to better understand this threat, and the strategies they can use to mitigate it.
Understanding FOSS in supply chains
According to Synopsis, around 97% of commercial codebases use FOSS to some degree. Why, if it’s so vulnerable? The answer is that the benefits of FOSS can far outweigh the risks: it reduces the cost of ownership, maintenance, upgrades, and support fees, and reduces the problem of vendor lock-in. Many businesses not only use FOSS, they contribute too, part of the give-and-take that makes open-source so useful.
It’s unlikely that organisations will stop using open-source software, given they would need to rewrite many core components of their product. In order to protect against attacks, security professionals need to “know their enemy”. The most common tactics used to compromise FOSS include:
-
Code injection—The threat actor inserts a backdoor into software updates. In most cases, malicious code is injected into a piece of software that is then distributed, allowing the attacker access to multiple organisations.
-
Code substitution—Attackers replace code with malicious code, either by compromising the source code repository or by tampering with the software distribution channel.
-
Code compromise—Exploitation of a vulnerability or a misconfiguration in the software development or delivery process, compromising the code. To illustrate, the NotPetya attack involved hackers exploiting a vulnerability in the M.E.Doc accounting software to deliver ransomware to Ukrainian organisations.
Creating a strategy for protection
Once they fully grasp the risks, security teams will need to do a lot of work to get a handle on the situation. However, it’s not an impossible task and in all likelihood, they’re not going to be starting from scratch—many will already have policies and tools in place that can be improved and built on.
SBOMs: Software Bills of Materials (SBOMs) play an increasingly important role in enhancing supply chain security. SBOMs list the components and dependencies of a software product, such as open-source libraries, third-party software, and licences. It helps to identify and manage security risks in the software supply chain, such as vulnerabilities, malware, or outdated versions. It’s also necessary from a compliance perspective as the UK begins to enforce its cybersecurity strategy.
Create a culture of security: It’s also necessary to establish a security-first culture and educate staff on risks and best practices. At a high level, this means understanding the risk an organisation faces, and a better appreciation for security. From a technical perspective, this includes how to use and deploy code safely, and how organisations can use authoritative sources and repositories to download or update open-source software to ensure security.
Patch, patch, patch: IT teams also need to be strict on their cyber hygiene, mainly in regards to patching. Everyone knows that patching is important but it’s also the bare minimum. To remain secure, organisations should work more proactively and regularly scan software components and dependencies for malicious code.
Limit access: A key component of Zero Trust is to never trust anyone and always verify. Dev teams can take this a step further and apply the “principle of least privilege” to software components and users, limiting their access to the minimum necessary resources and permissions. This can include implementing strong encryption and digital signatures to protect the confidentiality and integrity of software components and data is also imperative.
Stricter rules for vendors and suppliers: As an end user, third-party software audits should be a critical component of a strategy for protection. This includes performing due diligence on third-party vendors and suppliers and verifying their security policies and practices. It’s critical to establish clear contracts and service level agreements (SLAs) with third-party suppliers and define the roles and responsibilities in the supply chain.
It’s important to keep in mind that this is all reactive, a minimum of what should be done to keep organisations safe. Building on this with a more proactive approach will offer even better protection. This means continually monitoring and auditing the software supply chain for any suspicious activity. Only then can security teams be confident that they are doing enough to stay safe from supply chain attacks.
