The 5Ws of the Software Supply Chain — How Security Teams Can Prevent Costly Mistakes

By Javed Hasan, Co-Founder and CEO at Lineaje

Software supply chain compromises have been top-of-mind for CISOs and their security teams for the past few years, and rightfully so. The average cost of a breach caused by a software supply chain compromise was $4.46 million last year.

In order to meet product development deadlines, most teams utilize third-party resources such as pre-built libraries and open-source components to accelerate the construction process and lower production expenses rather than creating software from scratch. This approach enables engineers to introduce products to the market more quickly, but not without risk.

According to a recent IBM report, roughly one in five breaches in 2022 originated in a software supply chain compromise, and such breaches took 26 days longer on average to identify and contain than breaches of other origins.

The sheer number of software supply chain compromises, coupled with increasing federal regulations such as the U.S. Executive Order 14028, should have software producers and consumers putting software supply chain security at the top of their priority list.

In this article, I break down the Who, What, When, Why, and Where of the software supply chain so that cybersecurity professionals can understand the full scope of software supply chain security, avoid costly mistakes, and uphold brand reputation.

What is software supply chain security, and why is it increasingly important?

The software supply chain is the entire process by which software is sourced, developed, built, and delivered to end users, together with everything and everyone that plays a role in that process. It spans the whole software development lifecycle (SDLC): sourcing of components, application development, packaging, the CI/CD pipeline, and final delivery.

Software supply chain security, when done properly, protects that chain against a wide range of threats, including malicious software, unauthorized access, tampering, and misuse, any of which can lead to mounting financial costs and lasting brand damage, as seen in the 3CX, SolarWinds, and Okta incidents.

Why does securing your software supply chain matter?

Adversaries take the path of least resistance. Most threat actors gain initial access to a software supply chain by compromising upstream open-source components. A tampered component gives the attacker a foothold inside every organization that builds or deploys it; from there they exploit unknown vulnerabilities in the software, move laterally through the network, and pivot to third-party organizations. Along the way they steal sensitive data and disrupt business processes, often without the security team's knowledge. Left undetected, they can cause significant interruptions to the business and inflict brand damage on even the biggest household names.

In addition, many frameworks, regulations, and industry standards, such as SLSA, FedRAMP Rev. 5, and NIST SP 800-53, require or recommend secure software supply chain practices to protect sensitive data. In particular, U.S. Executive Order 14028, signed in May 2021, revolves around “enhancing the security of the software supply chain to deliver a secure government experience.”

Securing your software supply chain can protect against cyberattacks, safeguard intellectual property (IP), ensure compliance, and maintain brand reputation, business continuity, and risk management. It allows organizations to be proactive in identifying potential vulnerabilities and mitigating risks, and ultimately provides a higher level of security and peace of mind for the organization and its partners and end users.

Who should care about software supply chain security?

Software supply chain security is a concern for a wide range of stakeholders within an organization, each with its own responsibilities and areas of focus. It is important for all stakeholders to understand the risks and take appropriate actions to protect the organization’s software supply chain.

These include:

CISOs: CISOs are responsible for the overall information security of an organization and have a critical role in protecting the organization’s networks, systems, and data from cyber threats. Software supply chain security is an essential part of this, and CISOs need to ensure that appropriate policies, procedures, and technologies are in place to protect the organization’s software.

Procurement teams: Procurement teams need to ensure that the software they acquire is from reputable vendors and has been independently verified for security. Oftentimes, procurement teams work hand in hand with security to qualify security solutions and ensure software meets company standards.

IT teams: IT teams must maintain regular updates to software, patch any known vulnerabilities, and implement appropriate security controls to protect against cyber threats.

Developers: Developers need to follow secure development practices, such as signing their code and testing it for vulnerabilities, so that the software they ship is safe as well as fast and efficient for end users.

Defenders: Defenders include Security Operations Center (SOC) analysts, who are responsible for detecting and responding to cyber threats and attacks. Supply chain tampering is hard to spot with network and endpoint telemetry alone; it calls for specialized analysis of the software itself, including its behavior at runtime.

When should organizations think about securing their software supply chain?

In the wake of several large-scale software supply chain attacks, the federal government has made securing the software supply chain a top priority. The Biden Administration highlighted the importance of securing the software supply chain in its recent White House National Cybersecurity Strategy and allocated significant budget toward it in its FY24 Budget. Private sector organizations are likely to follow the lead of federal agencies and align with the Administration's software supply chain security standards, especially as the time to comply with Executive Order 14028 grows shorter.

The deadline for suppliers of software to US government agencies to provide attestations and SBOMs is June 11, but the Cybersecurity & Infrastructure Security Agency (CISA) is still taking feedback on the attestation forms, and there is a sense that the deadline might move to July.

Regardless, the time to secure the software supply chain is now. Doing so will put key company stakeholders ahead of current legislative deadlines and any to come.

Where should security professionals focus?

Much of the practical work on software supply chain security begins with a software bill of materials (SBOM): an inventory of the open-source and third-party components present in a codebase. An SBOM typically records the name, version number, supplier, and licensing information for each component, along with the dependency relationships between them. This information is the basis for assessing software security, managing compliance, and tracking vulnerabilities.

Both software consumers and producers need to be able to search the SBOMs of all deployed software quickly and efficiently when a new vulnerability is disclosed, so they can find every affected application. That requires managing the entire software supply chain centrally, covering the applications they build as well as those they buy, so that SBOMs can be governed at an enterprise-wide level.

Organizations should look for software supply chain solutions that automatically provide visibility into the company's entire software supply chain, generate SBOMs for the whole product portfolio, assess them, verify their integrity, and continuously improve their security profile. To know what is in your software, the tool must be able to perform a full transitive decomposition of any piece of software, discovering all deep dependencies, whether open source, private, or third-party code.
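As an added example (not code from the article or from Lineaje), the following Python script shows the kind of SBOM search the preceding paragraphs describe: it parses a CycloneDX document, walks the dependency graph from the application down through its transitive dependencies to find every component hit by a newly published advisory, reports components the graph fails to account for, and lists declared licenses. The SBOM, the package names, and the advisory are constructed for illustration and describe no real package or vulnerability; the advisory's introduced/fixed range is a simplification of the style used by OSV-format advisories.

```python
"""Search a CycloneDX SBOM for a newly disclosed vulnerability, following the
dependency graph so that deep (transitive) components are found along with the
path that pulls them in, and report components the graph does not account for.

Added example, not from the article or Lineaje; the SBOM and the advisory are
constructed for illustration and describe no real package or vulnerability."""
import json
from collections import deque

# Constructed CycloneDX 1.4 document: one application ("billing-service") that
# depends directly on two libraries, one of which pulls in a deeper dependency.
# "logging-shim" is listed as a component but appears nowhere in "dependencies",
# the kind of gap a complete transitive decomposition should surface.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service",
                             "version": "2.3.0", "type": "application"}},
  "components": [
    {"bom-ref": "lib-a", "type": "library", "name": "http-client", "version": "4.1.2",
     "purl": "pkg:pypi/http-client@4.1.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "lib-b", "type": "library", "name": "yaml-parser", "version": "1.0.9",
     "purl": "pkg:pypi/yaml-parser@1.0.9", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "lib-c", "type": "library", "name": "compress-utils", "version": "0.7.3",
     "purl": "pkg:pypi/compress-utils@0.7.3", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"bom-ref": "lib-d", "type": "library", "name": "logging-shim", "version": "2.0.0",
     "purl": "pkg:pypi/logging-shim@2.0.0", "licenses": [{"license": {"id": "MIT"}}]}
  ],
  "dependencies": [
    {"ref": "app",   "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": ["lib-c"]},
    {"ref": "lib-b", "dependsOn": []},
    {"ref": "lib-c", "dependsOn": []}
  ]
}
"""

# Constructed advisory: the package is identified by its purl without a version,
# and versions in [introduced, fixed) are affected. Hypothetical; no real CVE.
EXAMPLE_ADVISORY = {"package": "pkg:pypi/compress-utils",
                    "introduced": "0.5.0", "fixed": "0.7.4"}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple ("0.7.3" -> (0, 7, 3))."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn...]})."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def find_affected(sbom_text, advisory):
    """Breadth-first walk from the root, returning every component whose purl
    matches the advisory's package and whose version falls in the affected
    range, together with the dependency path through which the root pulls it in."""
    root, components, graph = load_sbom(sbom_text)
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits, seen = [], set()
    queue = deque([(root, [components[root]["name"]])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:          # diamond dependencies: visit each component once
            continue
        seen.add(ref)
        comp = components.get(ref)
        if comp is None:         # dangling reference in the graph; skip but keep walking
            continue
        purl = comp.get("purl", "")
        if purl.split("@")[0] == advisory["package"] and lo <= parse_version(comp["version"]) < hi:
            hits.append({"purl": purl, "version": comp["version"], "path": path})
        for child in graph.get(ref, []):
            child_name = components.get(child, {}).get("name", child)
            queue.append((child, path + [child_name]))
    return hits


def unreachable_components(sbom_text):
    """Components declared in the SBOM but not reachable from the root through the
    dependency graph: either the graph is incomplete or the component is vestigial.
    Either way the SBOM does not fully explain what is in the software."""
    root, components, graph = load_sbom(sbom_text)
    reachable, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(graph.get(ref, []))
    return sorted(components[r].get("purl", r) for r in components if r not in reachable)


def license_inventory(sbom_text):
    """Map each component purl to its declared SPDX license ids (compliance view)."""
    _, components, _ = load_sbom(sbom_text)
    return {c["purl"]: [lic["license"]["id"] for lic in c.get("licenses", [])]
            for c in components.values() if "purl" in c}


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, EXAMPLE_ADVISORY):
        print(f"AFFECTED {hit['purl']} via {' -> '.join(hit['path'])}")
    print("unaccounted for:", unreachable_components(SBOM_JSON))
    print("licenses:", license_inventory(SBOM_JSON))
```

Running it reports the affected component with the path that pulls it in (billing-service -> http-client -> compress-utils), which is what a practitioner needs to decide whether to bump the direct dependency or pin the transitive one, and flags logging-shim as present in the SBOM but unexplained by the dependency graph. Matching on the purl rather than the bare name avoids confusing same-named packages from different ecosystems; real SBOMs often have several roots, components without a purl, and version strings that are not purely numeric, all of which a production search has to handle.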

So What Next?

Now that organizations and individuals are aware of the 5 W's of the software supply chain and why its security matters, where do they go from here? The answer lies in a new approach: a focus on better software. Only software that is built securely can run securely. Consumers of software are not succeeding in making software secure at the point of deployment, as is evident from the continuing breaches and attacks even as the world becomes more digital every day. Every security professional today needs to be able to answer, with confidence, “What's in my software?” in order to stay compliant and ahead of today's top threats.
