The software supply chain is quickly becoming a widespread attack vector and securing it is now in the spotlight. Attacks in the software supply chain will become a given by 2022, Darktrace reports.
SolarWinds, Kaseya, and GitLab are just a few examples of organizations that have been vulnerable to attacks in recent years. We have also witnessed an increasing number of exploits, such as Log4j and Log4Shell, which have the potential to affect billions of devices. What these instances have in common is that they exploit vulnerabilities in open source software and third-party dependencies that are often used in the software delivery process.
I recently spoke with Doug Dooley, COO, Data Theorem, about the impact of today’s complex software supply chains. “The software supply chain problem is huge, but it will only get worse over the next five years,” he said. According to Dooley, application security requires continuous context of how the app functions at runtime in a software ecosystem — otherwise it will continue to miss gaping holes in the big picture.
Understanding software supply chain disruption
Most people understand what a traditional product supply chain is: it includes all the components needed to bring a product to the end consumer, from raw materials to manufacturing, distribution and retail locations. But amid the pandemic and recent international conflict, we have seen how fragile this chain is. If you turn off any of these components, all consumers will feel the effect, resulting in everything from gas elevations to baby food shortages. In 2021, as many as 61% of organizations were affected by supply chain attacks.
In software, the supply chain can be seen in the same way: there are many components involved between a software product and the end user. The developer writes code, integrates third-party libraries and frameworks, places it in source code systems, pushes it to test environments, and finally deploys it to production. And often DevOps has insight into this whole picture.
“DevOps has become one of the most powerful people in the industry,” says Dooley. “They can take an entrepreneur’s idea and turn it into reality in the form of an application.”
Third party exposures can cause massive disruptions to this workflow above. This can take the form of insecure libraries, underlying cloud vulnerabilities, or API vulnerabilities, Dooley says. “Customers will embed APIs in the software stack – it’s a black box for them.” There is also a chance of misconfigured S3 buckets, which are constantly leaking millions of records. More serious threats to application security include remote code execution, which can lead to a detrimental loss of control.
So, why the sudden spike in software supply chain security incidents? After all, open source software, APIs, and third-party vendors have been around for decades. Well, according to Dooley, several factors come into play here.
For years, the Silicon Valley mantra has been to “act fast and break things.” Take, for example, Netflix Engineering, which is constantly developing services and releasing dozens of changes per day. According to Dooley, such rapid application development often means that security is a next development rather than preceding it or being integrated into the process, à la DevSecOps. This could lead to what he calls an “ambulance chaser moment.”
The attack surface grows as the number of third-party vendors and dependencies increases. The average company has 254 SaaS apps, data from Productiv shows. Also on the side of the attackers we see an increasing degree of automation and sophistication. “You only have to be right once when you attack,” said Dooley. “The deck is stacked in an attacker’s favor.”
Strengthen the chain
The software supply chain problem is a complex problem that cannot be solved with a single action. However, Dooley offered several tips for businesses to consider when faced with this broad issue:
- Source code analysis and supplier management† It is important to research partners and have a process in place to audit new software by scanning for common vulnerabilities and exposures (CVEs). Still, source code analysis falls short in many areas, Dooley admitted, because you’re unlikely to see the source code behind cloud API calls, and production behavior doesn’t always match the documentation.
- Continuous runtime security monitoring† New exploits are constantly being found. So organizations need a continuous defensive attitude at runtime, even if they have been found safe during development. Continuous full-stack discovery needs to consider many third-party components, such as SDKs, open source code, mobile apps, web services, cloud services, APIs, and identity and access management, explains Dooley.
- Increased transparency with SBOMs† More widespread use of software bills of materials (SBOMs) will be critical to increasing transparency in the industry. Just as nutritional facts describe the foods we eat, SBOMs describe the internal makeup of software components. “We’re trying to get to a point where we’re getting more transparency in the software we depend on,” Dooley said.
- Rapid detection of vulnerabilities. Have a good grip on the attack surface. Companies will want to make an accurate inventory of what can be attacked.
- Build protection around the ‘Crown Jewels’. Sometimes you need to prioritize which steps to take first. Dooley reiterated that securing applications that communicate with customer data is critical, as these are the “crown jewels” — leaks here could have serious legal sanctions and brand reputation implications.
Note: Heavy lifting required
“The moment you ship a piece of software, you’ve taken a risk,” Dooley says. But at the same time, you miss huge opportunities if you don’t make digital interfaces.
Code reuse and open source packages have become necessary to maintain the flexibility to continuously release digital products. “Even if you build everything from scratch, you’re still reusing a lot,” says Dooley. “Without it, you would never enter the market.” While these tools enable unprecedented speed, we cannot overlook the potential vulnerabilities in the software supply chain.
With its unique take on the software deployment and automation process, the DevOps sphere will undoubtedly play a role in protecting this paradigm. “Let’s push for more transparency and disclosure,” Dooley said. “But don’t hang your hat on that and make your program great — if you really care about this problem, you’re going to have to do some heavy lifting in the real world.”