Don’t Trust the Security of the Software Supply Chain

Now more than ever, organizations are relying on the supply chain for basic business operations. According to Charlie Jones, director of product management with ReversingLabs, there are two reasons for this: the global trend of digitalization and the rapid move to remote work during the pandemic.

Those trends increased enterprises' reliance on their supplier base and changed the way suppliers delivered their services, Jones explained during a session at the Supply Chain Security Summit. Vendors within the software supply chain were well positioned to meet these changes because they could deliver their services over the internet.

But as convenient and efficient as those digital services were during a very difficult time, they also came with security risks: they introduced considerably more complexity into organizations' network infrastructure.

“As organizations began to rely more on their software and SaaS providers to operate their business, they began to rapidly expand their attack surface without any real frame of reference of how to manage that ballooning risk,” said Jones.

Adding to the risk is the way users use their connected devices. They want products capable of running the software that increases their productivity and offers the options they want, e.g., phones that run full suites of collaboration tools. Vendors have had to change the way they build, host and deliver their products to meet that demand and, again, this has expanded the digital attack surface.

The security risk coming from third-party suppliers is not static, said Jones, but will continue to change as our needs and the products and technologies we use evolve. We will also see changes in the types of suppliers we rely on.

Software Supply Chain Comes with Security Risk

Right now, many companies find that the software supply chain is among their most vital dependencies, and with the increased reliance on software comes an increased need to think about its security. Jones cited three reasons why software supply chain security is getting so much attention right now:

• Increased frequency and sophistication of attacks
• Increased government and regulatory attention
• Increased volume of industry standards

The concern is legitimate. According to IBM’s Cost of a Data Breach report, the software supply chain, particularly with vulnerabilities in third-party code, is a top threat vector for attacks. And a PwC survey found that most companies are expecting an attack through their software supply chain.

Add to that the evolving threat landscape, and it is clear that the software supply chain offers threat actors multiple points of entry.

“The scope of the software supply chain is enormous, with the amount of third and fourth parties involved in the delivery of software,” said Jones. Also, most of the code in today's applications is either written by third parties or open source, but it is the organization shipping that code that remains responsible for any vulnerabilities in it.

“If you, as a business, are not taking the steps to secure your software—including the components within it—it can be considered negligent if a breach occurs,” said Jones.

Zero Trust in the Software Supply Chain

The security of the software supply chain is largely in the hands of developers. Users are at the mercy of each developer's approach to security during every phase of the software development life cycle (SDLC). Gaps in that coverage only enlarge the attack surface and make it easier for threat actors to exploit vulnerabilities in the supply chain.

The best approach to the security pitfalls in the software supply chain is to stop trusting that someone else is taking charge of cybersecurity. Threat actors look for the weakest link to exploit, and that link is likely to sit somewhere further along the supply chain than the party that gets breached. Zero-trust frameworks let companies focus on measures such as limiting the permissions and access granted to third parties and reducing the opportunities for an attacker to move laterally through the network.

Every stakeholder in the software supply chain has to take responsibility for keeping their own assets secure. The first step is not to assume that those in other stages of the supply chain have addressed the vulnerabilities and flaws that could affect you. Collaboration is key to preventing attacks along the way, but never trust that someone else is taking care of cybersecurity for you.
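One concrete form of "don't trust, verify" for the zero-trust approach described above is to pin the digest of every third-party artifact you have reviewed and refuse to build with anything that does not match, or that was never reviewed at all. The following Python script is an added illustration and is not code from the article, from ReversingLabs or from any of the vendors mentioned; the artifact names, manifest and fetched contents are all constructed for the example.

```python
import hashlib
import hmac

# Constructed manifest: SHA-256 digests the consuming organization recorded
# itself after reviewing each artifact. Later downloads are checked against
# this record, not against whatever the supplier currently publishes.
PINNED_DIGESTS = {
    # sha256(b"abc")
    "libexample-1.0.tar.gz": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    # sha256(b"hello world")
    "widget-2.3.whl": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
}

# Constructed "downloads": what a build fetched from suppliers this time.
FETCHED = {
    "libexample-1.0.tar.gz": b"abc",          # unchanged since it was pinned
    "widget-2.3.whl": b"hello world!",        # changed upstream or in transit
    "newdep-0.1.tar.gz": b"anything",         # never reviewed, not in the manifest
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, manifest=PINNED_DIGESTS):
    """Return (ok, reason). Fails closed: an artifact with no pinned digest is
    rejected rather than silently accepted, because nobody on our side reviewed it."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no pinned digest (unreviewed artifact)"
    actual = sha256_hex(data)
    # Constant-time comparison so the check itself does not leak digest bytes.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "ok"


def verify_fetched(fetched, manifest=PINNED_DIGESTS):
    """Check every fetched artifact; return {name: reason} for those that must not be used."""
    rejected = {}
    for name, data in fetched.items():
        ok, reason = verify_artifact(name, data, manifest)
        if not ok:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    bad = verify_fetched(FETCHED)
    for name, reason in bad.items():
        print(f"REJECT {name}: {reason}")
    # A build step that imports this check should abort if anything was rejected.
    if bad:
        raise SystemExit(1)
```

Two design choices matter here. The manifest is maintained by the consumer, so a supplier changing a published package (or an attacker changing it on the way down) shows up as a mismatch rather than being accepted as "the latest version". And an artifact that appears without an entry is rejected, which is what stops a new transitive dependency from entering the build before anyone has looked at it.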

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.