Software supply chain security involves the protection of an organization’s digital assets against cyber threats originating from an external source. The focus is on reducing vulnerabilities originating from third parties, open-source software, and cloud services. Securing the software supply chain is an essential practice for protecting an organization against cyberattacks.
The broader term “supply chain” refers to the vast array of organizations required to produce and deliver a product or service to the customer. In today’s world, the supply chain commonly refers to the manufacture and movement of physical goods, much of which has been disrupted by the COVID-19 pandemic, the war in Ukraine, and other global crises.
The “software supply chain” is a narrower portion of this broader supply chain, related to the development and deployment of applications or digital services. It is the software supply chain—and the risks companies face along the chain—that we’ll be discussing in detail in this explainer.
The software supply chain comprises numerous components, including:
- Commercial and open-source enterprise software
- Cloud services, including software as a service (SaaS),
platform as a service (PaaS), and infrastructure as a service (IaaS) providers
- Suppliers, vendors, and contractors that provide services
such as IT and data management, software development,
- Any parties in a partnership with the entities mentioned above
Any individual link in the software supply chain represents a potential security risk, and together these links make up a complex threat landscape. The resulting lack of visibility across the supply chain leaves organizations exposed to security vulnerabilities that can lurk anywhere they do business.
Software supply chain attacks involve exploiting a security vulnerability in one or more of an organization’s trusted third-party software partners and providers. Attackers use those hacked solutions to break into the IT infrastructure of a company. Because these third-party entities have been granted access to an organization’s network, applications, and data, hackers can use them to leapfrog to the most sensitive areas of a corporate network and steal high-value assets or take control of critical systems.
Some of the biggest and most costly enterprise data breaches over the past decade have involved software supply chain hacks. During the 2013 Target credit card breach, attackers stole a refrigeration contractor’s login credentials to gain access to Target’s vendor portal and ultimately install malware in its point-of-sale system. The thieves stole 40 million credit card numbers and compromised the personal details of 70 million customers. Target had to pay a settlement of $18.5 million as a result of the breach.
During the 2020 SolarWinds attack, hackers injected malicious
code into the vendor’s Orion infrastructure monitoring and management solution, which allowed attackers to spy on more than 100 companies and government agencies, including Microsoft,
Intel, Nvidia, the Department of Homeland Security, and the
Supply chain attacks are growing exponentially as the IT environment expands to accommodate remote workers in the wake of the pandemic—increasing by at least 300% from 2020 to 2021
and infecting an estimated three out of five companies in 2021, according to two estimates. Verizon reports that more than 60% of system intrusion incidents in 2021 came through a partner or a software update.
Why are software supply chains vulnerable?
Large organizations can use hundreds or even thousands of applications in the daily course of business for things like enterprise resource planning, business intelligence, and customer relationship management. Vulnerabilities in these enterprise applications have become more common with the growing use of publicly accessible open-source frameworks, such as Struts and Spring, as building blocks for software development.
Because organizations have little visibility into and control over these software components, hackers have discovered they can exploit a range of vulnerabilities potentially embedded in open-source code.
And there are many. According to the Contrast Security 2021 State of Open-Source Security Report, the average application contains 118 programming “libraries,” or collections of prewritten code that developers can use to automate tasks. Applications actively use only 38% of these libraries on average. Inactive libraries create a major security risk, as hackers can potentially insert malicious code or malware into a library without detection. The report also found that the average Java application has 50 open-source library vulnerabilities, creating a one-in-six chance of a vulnerability that attackers can exploit.
Finding these vulnerabilities is a huge hurdle for organizations. A single exploitable coding error in Java, for example, may be present in hundreds of applications, because of the popularity of Java as a software development platform. While most vulnerability assessment systems can tell you that a specific software program is out-of-date, they typically don’t provide the level of granularity needed to find the specific file or component that contains the vulnerability—although that could change with President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, which requires vendors that provide software to the federal government to include a software bill of materials (SBOM) for everything in their products.
To understand the magnitude of the challenge, consider the analogy of a government recall of a food product. A grocery store can provide details of its entire inventory of mac and cheese. The store can even drill down into specific lot numbers within that inventory. But if a government agency wanted to recall every product in the store containing the artificial food color FD&C Yellow #5, the store would likely have no effective way to identify all those products.
This is essentially the problem organizations face in securing their software supply chains. Few have effective tools or methods for achieving the required, microscopic view of every component in every piece of software on every device needed to understand their level of risk.
What is an example of a software supply chain security breach?
In a hypothetical software supply chain attack, a hacker targets an open-source component used in a particular enterprise application development project. The hacker identifies the organization’s developers who are not working on that project and compromises the GitHub accounts used to collaborate on software development, then inserts innocuous-looking code containing a backdoor to the project.
A single exploitable coding error in Java, for example, may be present in hundreds of applications, because of the popularity of Java as a software development platform.
Unknowingly, the backdoor gets packaged into the next release of the software. When the application gets updated, it includes the compromised open-source component, giving the hacker an entry point into the organization’s network.
Appropriate security controls, however, could mitigate such an attack by identifying anomalous behavior—such as a developer accessing a project he was not working on—or even using multifactor authentication to thwart a hacker’s attempt to log in to the developer’s account in the first place.
Why is software supply chain security important?
In modern supply chains, suppliers often have access to the information systems and data of their client organizations. That leaves the organization susceptible to security vulnerabilities that exist somewhere else in the supply chain. One security incident in any link of the chain can have catastrophic consequences throughout an entire network of organizations.
Software supply chain attacks have grown increasingly common. In the last six months of 2021, supply chain attacks jumped 51%. As supplier risk becomes a bigger issue, organizations must place a greater priority on vendor risk management, comprehensive risk assessments, threat detection and response, and similar measures.
What are the major risks to the software supply chain?
Major risks to the supply chain include the following:
- Poor visibility. The complexity of today’s software supply chains makes it exceedingly difficult to get a clear and accurate picture of which suppliers have access privileges to specific systems and assets, as well as all the devices and services accessing a network. Without comprehensive visibility, it’s impossible to know if a supplier poses a security risk.
- Software provider weaknesses. Because thousands of organizations use the same software solutions, supply chain attackers often target software developers and vendors. When hackers compromise individual tools and solutions, they gain access to a higher volume of targets. Hackers may introduce a vulnerability or inject malware into the software to help gain access to sensitive data once the software is installed on an organization’s system. Unpatched third-party systems have long represented a major risk for supply chains. The recent Log4j vulnerability highlighted the importance of strong patch management processes as a result.
- Compromised data. Sensitive data that a supplier retains can be stolen, deleted, or otherwise compromised during an attack. The consequences are the same as if your organization were directly breached: operational downtime, financial loss, reputational damage, legal repercussions, and regulatory penalties.
- Whaling. Like phishing, this type of social engineering attack targets company employees. They receive emails or text messages that appear to be from a trusted source in an attempt to get them to divulge login credentials or other sensitive personal information. A whaling attack may involve researching and identifying a single individual in order to make a “big catch,” such as an executive with high-level access privileges. Phishing, however, typically casts a wider net, targeting hundreds of people.
- Old technology. Organizations have zero visibility into their suppliers’ IT infrastructure, and it’s not uncommon for third-party vendors to run legacy hardware with old, unpatched, or unsupported software. As technology ages, the number of security vulnerabilities grows, making this a particularly troublesome supply chain risk.
- Suppliers’ security vulnerabilities. If a software supplier hasn’t implemented the proper security measures, your organization is vulnerable, no matter how robust the security you have in place. Hackers can exploit a supplier’s security weaknesses to potentially gain access to your systems and data. If suppliers are not vetted and security expectations are not communicated to them, companies can’t ensure a baseline level of security.
What are the elements of software supply chain security?
Once an attacker gets inside your network, they’ll target your organization’s most valuable assets. The first step in securing the supply chain, then, is to understand what you have that hackers value. Start by identifying all your assets and then prioritize your “crown jewels”—the ones you can’t afford to have compromised. Anything deemed business-critical can be considered a high-value asset for most organizations and may include things like proprietary software code, financial and customer data, encryption codes, human resources information, and intellectual property.
Essentially, any software company your business deals with is a potential risk.
As part of this step, you also need to understand the environment where each asset is located and all the ways it can be accessed. This asset discovery and inventory process will help determine how vulnerable assets are to being breached and where you need to limit supply chain exposure.
The second step in securing the supply chain involves identifying your business partners and any weak links in their systems, as well as adopting a strong vendor risk-management process. These partners can include software vendors, cloud service providers, point-of-sale companies, payroll processors, and even security companies, all of which have served as footholds for attackers to break into broader enterprise systems. Essentially, any software company your business deals with is a potential risk.
While there’s no one-size-fits-all approach to this step, a good process should include practices such as conducting vendor risk assessments, classifying vendors according to criticality, creating a vendor inventory, tracking critical vendor attributes, and monitoring vendor performance and risk over time.
The goal of vendor risk management is to ensure your vendors have the appropriate policies and technologies in place to protect your most sensitive data. It can also help you identify high-risk vendors and work with them to mitigate security risks or determine if you want to replace them with another supplier.
What are the top software supply chain security challenges?
Visibility is one of the most challenging elements of supply chain risk, as highlighted earlier. With physical goods, suppliers can provide a list of materials or ingredients that went into manufacturing their products. Most modern software, however, is built largely using open-source components. It’s difficult to find a breakdown of the components that went into a particular application and who built them, and most people don’t have an effective way to find out
Organizations also face challenges in auditing project developers to ensure they’re following secure coding practices and addressing vulnerabilities quickly. They ultimately lack clear understanding
and control over the end-to-end supply chain that undergirds their
What are some best practices in software supply chain security?
Never heard of air-gapping? It is time you learned this and other tips to help improve your software supply chain security:
- Understand your supply chain end-to-end. A software supply chain includes all the code, files, and other components that went into creating your enterprise software, as well as where they came from and who authored them. You want to know things like how products were vetted for security risks and any known vulnerabilities they may contain. Simply put: You need to find out everything you can about the applications your organization is running.
- Air-gap your network. An air gap creates a barrier between a network and attackers, much the way a moat protects a castle from assault. IT employees create the “gap” by physically isolating sensitive assets from network-connected systems or disconnecting specific devices from the network. The goal of air-gapping is to eliminate the possibility that a threat actor can attack your system through an external connection.
- Test regularly. Most enterprises don’t understand how their supply chain is vulnerable until a particular supplier gets attacked. However, you don’t need to wait to find out. Performing vulnerability scans will allow you to identify and fix basic security issues like misconfigurations, poor access policies, and product weaknesses that hackers can exploit. Penetration testing can also help determine how easy your data is to steal by simulating an attack to uncover and exploit any vulnerabilities in your system.
What are some frameworks for software supply chain security?
A security framework is a set of policies and practices for establishing and maintaining cybersecurity controls. Organizations can use frameworks to evaluate their risk level, understand how they could potentially be attacked, and complement their existing cybersecurity programs’ ability to bolster software supply chain security.
The U.S. government developed the NIST Risk Management Framework (RMF), for example, to address how government organizations must architect, secure, and monitor systems to manage security, privacy, and supply chain risks. Managed by the National Institute of Standards and Technology (NIST), the framework offers detailed best practices for assessing risk and improving IT security to mitigate threats such as data breaches and ransomware attacks.
Included in the RMF is a seven-step risk management process to help organizations build better security into their systems and respond to security issues more quickly. The steps are:
- Prepare. In this step, the organization prepares to execute the RMF. Activities include identifying key risk management roles, determining the organization’s level of risk tolerance, conducting an organization-wide assessment of risk, and developing and implementing risk management strategies.
- Categorize. In the second step, the organization uses NIST standards to categorize its information and systems to accurately assess their risk. The organization takes an inventory of all the data that resides in its environment, noting sensitive data that’s accessible to unauthorized users and data that’s low in value. It also documents each system’s characteristics and how they are connected to each other.
- Select. In the next step, the organization selects the relevant security controls for its systems based on a catalog of controls in the RMF. These controls include monitoring solutions, multifactor authentication, and policies that reduce risky behaviors and help recover systems and data in the event of a disaster. During this step, it’s important to consider who does, and who does not, need access to sensitive information.
- Implement. The organization puts its chosen security controls in place. During this step, it should train staff on the new procedures and policies and how they’re to be used within
- Assess. In this step, the organization develops and employs appropriate assessment procedures based on the security controls it has implemented. The goal is to ensure the organization can respond immediately to any security risks..
- Authorize. Senior leadership determines if the selected controls are adequate based on the organization’s tolerance for risk.
- Monitor. In this step, the organization continuously monitors systems to maintain security and respond to any changes
What are the best resources about software supply chain security?
Resources for more information about software supply chain security include:
- Software Security in Supply Chains (NIST)
- Supply Chain Security Guidance (NCSC)
- Supply Chain Security—It’s Everyone’s Business (Mitre)
- ICT Supply Chain Resource Library (CISA)