Don’t be the weak link in your customers’ supply chain security
To solve the supply chain security dilemma, producers must get back to security basics. Get best practices for securing your supply chain.
Nobody wants to be known as the weak link in the chain—any chain. But too many organizations are at risk of being just that in the digital supply chain because they haven’t made the cyber security of their products a priority.
SolarWinds, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion. Hackers were able to inject malware into an Orion update, and it spread to tens of thousands of SolarWinds customers when they did what experts tell them to do—keep your software up to date.
The domino effect in supply chain security
It even affected FireEye, a company that helps organizations defend against and respond to breaches. The company announced in a Dec. 13, 2020 blog post that it had discovered the “global intrusion campaign,” allegedly by Russia, that had been going on at least since March 2020. The company also acknowledged it had been a victim itself. Indeed, if FireEye had not gone public, those other thousands of victims might still be unaware that they had been compromised.
This isn’t a new problem—security experts have been warning for years that supply chain vulnerabilities can exponentially increase the damage hackers can cause. But even with ongoing headlines confirming the validity of those warnings, there hasn’t been much substantive improvement in supply chain security over the past decade.
Senate Intelligence Committee Chairman Mark Warner (D-VA) acknowledged as much at a hearing on the SolarWinds hack in February 2021. The attack “highlighted a number of lingering issues that we’ve ignored for too long,” he said.
The good news is that improvement is possible, even without Congress getting involved. The ways to harden supply chain security are well-established. They also work, if organizations implement them.
So how to avoid being that weak link? Read on.
In today’s interconnected world, most organizations are both supply chain consumers and producers. As in, they consume materials, products, and services from various third parties like SolarWinds, and they also produce products and services for other organizations or for the public.
But the security emphasis is a bit different for each role. An earlier post on this blog site focused on security recommendations for consumers in the supply chain. This one will focus on producers.
Supply chain security best practices for producers
The best way to start is with the fundamentals. For producers, the fundamental priority is to build security into the software that powers your products through every stage of the software development life cycle (SDLC).
Those security testing measures include:
- At the start, architecture risk analysis and threat modeling can help eliminate design flaws before a team starts to build an application or any other software product.
- While software is being written and built static, dynamic, and interactive application security testing can find bugs or other defects when code is at rest, running and interacting with external input.
- Software composition analysis can help developers find and fix known vulnerabilities and potential licensing conflicts in open source software components.
- Fuzz testing can reveal how the software responds when it’s hit with malformed input.
- Penetration testing, or “red teaming,” can mimic hackers to find weaknesses that remain before software products are deployed.
Michael Fabian, principal consultant at the Synopsys Software Integrity Group, said producers should also “investigate individual codebases to ensure that no unintended functionality has been included in current builds or deployments.”
That makes sense for a couple of reasons. First, it’s impossible to secure or protect something if you don’t know you have it or what it’s made of. Also, if you’re a producer, your customers are or should be demanding this level of scrutiny from you. If you can demonstrate that you’ve already done it, you’ve probably created a long-term customer.
Then, as Fabian put it, a “risk management and framing exercise should occur in accordance with standard frameworks, outlined by international standards bodies and industry leaders.”
Those activities can include:
- Discover potentially high-risk systems with attractive functional profiles.
- Conduct vulnerability and risk management evaluations on development pipelines.
- Develop technical and organizational controls to address risk.
- Conduct an evaluation of the SDLC consistent with reducing vulnerable or compromised code.
- Conduct risk management activities on system delivery and deployment frameworks.
- Develop additional controls in response to discovered risks.
- Manage vendor risk for integrated third-party components.
Among other resources that help organizations improve their risk management is the Building Security In Maturity Model (BSIMM), an annual report that helps organizations grow and improve their software security initiatives by documenting what organizations in their industry are doing, and what works.
The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Other frameworks for supply chain security practices include NIST SP 800-161, ISO 20243, SAFECode third party risk practices, and the East-West Institute IT buyer’s guide.
Secure your supply chain
As should be obvious, measures like these require staff and technology, which means time and money. But that investment can help an organization avoid damages that go well beyond headaches: Brand tarnish, legal liability, loss of market share, compliance sanctions, and more.
Beyond that, any business that wants to prosper knows it has to deliver products and services that function as intended and are safe. And in an almost universally connected world, to be safe they have to be secure as well.
Watch the webinar to learn how Black Duck Binary Analysis can help.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/supply-chain-security-best-practices/
