To understand software supply chain security, let's define the software supply chain first. The software supply chain includes all elements that interact with an application and contribute to its development during the software development life cycle (SDLC).
The software supply chain involves a network of information related to components such as infrastructure, hardware, operating systems, cloud services, and more. This network also includes details about the individuals who developed the components and their origins, such as registries, GitHub repositories, codebases, or other open-source projects.
Software supply chain security involves the safety of all components, activities, and practices in creating and launching software. This includes third-party and in-house code, deployment processes and infrastructure, interfaces, and protocols, as well as developer practices and tools.
Companies must conduct these security measures and demonstrate their efforts to consumers.
Supply chain threats are unique and can be more harmful than traditional attacks. A single breach can affect numerous targets in the supply chain.
The software supply chain involves all aspects and individuals handling your code, while application security safeguards the code from potential attacks and weaknesses. Both should be integrated at all stages of the development process.
Application security starts during software development and persists throughout the application's lifecycle to prevent unauthorized access and safeguard sensitive information. Measures such as strong configurations, reduced attack surfaces, limited permissions, code signing, and dispersing builds across your system are effective strategies to prevent attackers from compromising your applications.
SolarWinds, a large American IT company, was recently impacted by a supply chain breach. Due to poor information security practices by a former intern, a key internal password (solarwinds123) was exposed.
This allowed suspected Russian hackers to infiltrate SolarWinds' system for updating Orion, one of their main products. The hackers planted harmful code into a legitimate software update, monitored processes related to Orion's development, and substituted source files with SUNBURST malware.
Approximately 18,000 customers received the compromised Orion updates, leading to the transmission of data to the hackers for identifying further targets.
A 2022 report shows a 742% increase in software supply chain attacks over the last three years. Several notable incidents in recent times are:
Event Stream: The event-stream npm package was compromised when a project maintainer added, and then changed, a dependency (flatmap-stream) containing harmful code. Users who updated their event-stream package or any related dependencies with a version range for flatmap-stream may have unknowingly installed the malicious version.
Codecov Bash Uploader: Codecov, a tool for measuring code coverage in continuous integration environments, experienced a security breach when unauthorized individuals accessed credentials due to a problem with the company's Docker image creation process.
As a result, the attackers altered Codecov's documentation and tampered with the installation script included in the documentation, affecting various users of Twilio, GoDaddy, and others.
Operation ShadowHammer: In 2019, cybercriminals exploited software updates to spread malicious software named ShadowHammer on ASUS computers, impacting up to one million users.
Huawei: Officials in the United States have cautioned about the potential risks associated with software from Huawei, a Chinese telecom company. They fear that the software could be used by the Chinese government for spying or other harmful activities when used by organizations in their systems.
Software supply chain security helps to avoid vulnerabilities in your applications from the beginning. Strong security measures safeguard software development and deployment against malicious components like malware and security threats.
In September 2022, US President Joe Biden issued Executive Order M-21-30, highlighting NIST guidelines for securing software sold to the US Government. According to the Executive Order, the attestation form should include:
DevSecOps accelerates the creation and rollout of new features in present-day supply chains. Nevertheless, without security protocols in place, malicious code can be introduced into the established foundation.
Moreover, regular software updates can heighten the risk if not managed correctly, as they require more interaction with customer networks.
One of the most significant human errors that can cause vulnerabilities is the leaking of secrets, which is very common and has a notable impact. In 2022, 10 million secrets were unintentionally exposed on platforms like GitHub.
These leaked secrets have also been linked to several recent security breaches. Attackers are utilizing automated methods to discover these secrets, which enables them to access credentials and compromise software development processes and delivery systems.
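The same automated discovery can be run defensively before a commit leaves the developer's machine. The sketch below is an added example, not code from the original article; its rule set and entropy threshold are assumptions, and the sample lines are constructed (the first reuses the password quoted above, the AWS strings are the vendor's documentation examples).

```python
import math
import re

# Assumed rule set for illustration; production scanners ship many more patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("credential-assignment", re.compile(
        r"(?i)(?:password|secret|token|api_?key)\w*\s*[:=]\s*[\"']([^\"']{6,})[\"']")),
]
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off

def shannon_entropy(value):
    """Bits per character of the string's own character distribution."""
    return -sum((n / len(value)) * math.log2(n / len(value))
                for n in (value.count(c) for c in set(value)))

def scan(lines):
    """Return (line_number, rule, 'high' or 'low' entropy) for every rule hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                high = shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD
                findings.append((number, rule, "high" if high else "low"))
    return findings

# Constructed sample: lines as they might appear in a commit. All values are fake.
SAMPLE = [
    'password = "solarwinds123"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    "timeout_seconds = 30",
    'greeting = "hello world"',
]

if __name__ == "__main__":
    for number, rule, level in scan(SAMPLE):
        print(f"line {number}: {rule} ({level} entropy)")
```

Two of the three hits are low entropy, so a scanner that relies on randomness alone would miss both the human-chosen password and the key ID; pattern and keyword rules are what catch them.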
Modern software supply chains frequently depend on third-party libraries or modules. If these dependencies have weaknesses or harmful code, they can pose a risk to the system.
Cybercriminals might focus on CI/CD pipelines to insert threats or harmful code into the software supply chain, which can later be rolled out to live environments.
Poorly configured IAM policies may result in unauthorized access to important systems and data or could potentially allow attackers to manipulate critical systems.
How software is developed in an organization can pose risks to the software supply chain. These risks may include unsafe coding methods, insufficient testing, weak version control, and ineffective patch management.
This risk is high when an employee with special access to systems or data accidentally or purposely introduces a vulnerability. These employees could have access to code repositories, deployment tools, or other important systems.
Insider threats may also come from contractors or vendors having sensitive data or systems.
Protect your organization from potential vulnerabilities by being aware of how hackers can exploit weaknesses in the software supply chain through dependency confusion attacks. Follow these steps to safeguard your company:
Use a Scoped Namespace: Scoped packages protect a package's namespace by assigning it to a particular user or organization. It helps prevent the dependency confusion attack and ensures that the original package intended by the user is not replaced with a different one from another repository.
Use repository-specific configuration to clearly define the upstream registry: Package managers like pip and npm look up package information even without special guidance. They often check public registries like npmjs and PyPI for updated package versions, which can sometimes lead to unintentionally including a harmful package.
To prevent this, when utilizing an internal package repository or proxy, make sure it does not proxy requests for private packages to public registries.
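Both steps can be checked mechanically for an npm project. The audit below is an added example, not part of the original article: it reads a `package.json` and `.npmrc` and flags internal dependencies that are unscoped or whose scope has no private registry mapping. The package names, the registry URL and the list of internal names are hypothetical.

```python
import json

# Constructed inputs (not from the original page); names and URLs are hypothetical.
PACKAGE_JSON = """{"dependencies": {
  "@acme/billing-core": "^2.1.0",
  "acme-auth-utils": "^1.4.0",
  "@acme-labs/metrics": "1.0.3",
  "express": "^4.18.2"}}"""
NPMRC = """; constructed .npmrc
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""
INTERNAL = {"@acme/billing-core", "acme-auth-utils", "@acme-labs/metrics"}
PUBLIC_HOSTS = ("registry.npmjs.org",)

def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc text."""
    default, scopes = "https://registry.npmjs.org/", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[:-len(":registry")]] = value
    return default, scopes

def audit(package_json, npmrc, internal=INTERNAL):
    """Flag internal dependencies that are unscoped or resolve via a public registry."""
    default, scopes = parse_npmrc(npmrc)
    manifest, findings = json.loads(package_json), []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name not in internal:
                continue
            scope = name.split("/", 1)[0] if name.startswith("@") else None
            if scope is None:
                findings.append((name, "unscoped internal name"))
            registry = scopes.get(scope, default)
            if any(host in registry for host in PUBLIC_HOSTS):
                findings.append((name, "resolves via " + registry))
    return findings

if __name__ == "__main__":
    for name, problem in audit(PACKAGE_JSON, NPMRC):
        print(f"{name}: {problem}")
```

Only `@acme/billing-core` passes: it is scoped and its scope is pinned to the private registry, so a same-named package published publicly is never consulted.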
What is Dependency Confusion?
Dependency confusion is a prevalent method of attack. In this case, hackers utilize weaknesses in how companies handle software dependencies. They accomplish this by uploading fake versions of open-source packages to popular systems like npm or PyPI, under names that resemble genuine packages.
This practice, known as typosquatting or brandjacking, can lead developers to download harmful software onto their systems.
Certain package managers have a feature that allows any package to run commands when installed or uninstalled. This default setting has been exploited by malicious packages. An attack can occur through typosquatting, where a victim may unintentionally install a harmful package due to a typo in the command line or within a dependency tree.
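A dependency review can flag both signals before anything is installed. The following is an added example, not code from the original article: it compares each dependency name against an allowlist using edit distance and reports packages that declare install-time scripts. The allowlist and the dependency records are constructed for illustration.

```python
# Constructed sample data; the allowlist and dependency records are assumptions.
KNOWN_GOOD = {"coffeescript", "express", "lodash", "event-stream"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent transpose."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]

def review(dependencies, known_good=KNOWN_GOOD, max_distance=2):
    """Flag near-miss names and packages that run scripts at install time."""
    findings = []
    for dep in dependencies:
        name = dep["name"]
        if name not in known_good:
            near = sorted(k for k in known_good
                          if edit_distance(name, k) <= max_distance)
            if near:
                findings.append((name, "lookalike of " + ", ".join(near)))
        hooks = [h for h in INSTALL_HOOKS if h in dep.get("scripts", {})]
        if hooks:
            findings.append((name, "runs on install: " + ", ".join(hooks)))
    return findings

# Constructed dependency records (name plus the "scripts" map from its manifest).
SAMPLE = [
    {"name": "coffeescript", "scripts": {"test": "node test.js"}},
    {"name": "cofeescript", "scripts": {"postinstall": "node setup.js"}},
    {"name": "lodahs", "scripts": {}},
    {"name": "left-pad", "scripts": {}},
]

if __name__ == "__main__":
    for name, reason in review(SAMPLE):
        print(f"{name}: {reason}")
```

A lookalike name that also declares an install hook is the combination worth blocking outright; either signal alone is a prompt for manual review.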
The distinction between legit and malicious package names (e.g., coffeescript vs. cofeescript) can be challenging. To prevent falling victim to dependency confusion attacks, it is necessary to:
A report in January 2020 revealed that less than 10% of npmjs developers had activated this security feature, despite its availability since late 2017. We strongly encourage all individuals operating in software environments to increase the security of their accounts on platforms like npmjs, RubyGems, Docker, and GitHub with multi-factor authentication measures.
With the rise of open-source software, developers and contributors are working together openly. While this improves innovation, it can also pose a risk of unintentionally sharing confidential information. Once this information is disclosed, it can be challenging to keep it hidden. Here are some tips on how to do so:
Various automated testing tools can increase software supply chain security for organizations. Here are three widely used application security testing tools: Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST).
SCA solutions help to detect and fix known vulnerabilities in open-source code, which is necessary for the security of technology platforms. With open-source software being widely used in modern software development, making up around 85-90% of most applications, it is important to integrate tools for scanning code continuously.
Many organizations incorporate SCA tools into their CI/CD pipeline to conduct scans automatically whenever a new change is made and a build is initiated.
Like SCA, SAST tools are typically used at the beginning of the software development process to identify problems in the source code rather than the running applications. The key distinction is that SAST examines the custom code specific to your organization, while SCA evaluates open-source elements.
SCA and SAST are tools used for static code testing, whereas DAST identifies security issues in operating applications. DAST tools detect errors such as SQL injections, OS injections, and cross-site scripting (CWE-79), among others.
Unlike SCA and SAST, DAST does not rely on the programming language used because it tests the application while running, regardless of how it is developed. Additionally, DAST evaluates the application by testing it with improper inputs to observe its behavior.
Static and dynamic testing tools work well together, and security teams commonly use both. Popular application security tools like IAST (interactive application security testing) and RASP (run-time application security protection) are also widely used.
ioSENTRIX offers practical and reliable solutions to protect every part of your software delivery process. We give businesses the tools they need to stay secure. Our solutions help identify and fix potential issues before they become problems to ensure smooth operations and compliance with industry standards.
With advanced threat detection and real-time updates, we help businesses safeguard their assets, build customer trust, and stay ahead of threats. Choosing ioSENTRIX means working with a team focused on keeping your supply chain secure.
Don’t take chances with your business security—Contact us to protect your digital operations and future-proof your supply chain.