What Is Software Supply Chain Security?

What Is Software Supply Chain Security?

The software supply chain is the sum total of all the code, people, systems, and processes that contribute to development and delivery of software artifacts, both inside and outside of an organization. Securing the software supply chain requires organizations to address a broad range of security and compliance issues across a diverse and distributed set of elements that include the organization’s software artifacts and its entire DevOps toolchain.

Why Are Software Supply Chain Attacks Rising?

The software supply chain is an expansive, complex, and highly connected system of technology, people, and processes. Each of its different entities– from devops tools to software artifacts– is vulnerable to attack in a myriad of ways, making the whole supply chain challenging to secure. Attackers see opportunities to exploit vulnerable supply chain elements to steal sensitive data, plant malware, and take control of systems. 

‍

Gartner Research continues to predict that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021.

Examples Of Software Supply Chain Attacks

Open source software (OSS) dependencies are a desirable target for cyberattackers. Compromise one software building block, and there is potential to wreak havoc on the tens or hundreds of thousands of end consumers of that component. In 2021, Log4j, an open-source logging framework maintained by Apache and used in a myriad of different applications, was the root of exploits that put thousands of systems at risk. Log4j’s communication functionality was vulnerable and thus provided an opening for an attacker to inject malicious code into the logs which could then be executed on the system. After its discovery, security researchers saw millions of attempted exploits, many of which turned into successful denial-of-service (DoS) attacks.

Solarwinds was another devastating software supply chain attack, but instead of exploiting OSS dependency vulnerabilities, attackers exploited vulnerabilities in the DevOps toolchain. They were able to compromise Solarwinds’ build system in order to insert malicious code into a software update without leaving a trace in the codebase. The compromised update ended up being deployed to 18,000 customers.

How Can You Reduce Supply Chain Security Risks?

Securing the software supply chain for modern applications should include the following initiatives:

‍

• Secure code repositories, CI/CD tools, and artifact registries. Assess security posture against industry-standard risk frameworks such as CIS Supply Chain Security Benchmark, OWASP Top-10 CI/CD Security Risks, NIST-800, SLSA, etc.

‍

• Govern the use of open source software (OSS) dependencies throughout the software development lifecycle. This requires visibility into all dependencies and enforcement of policies based on criteria such as supplier, version, PURL (package URL), and license. 

‍

• Produce comprehensive, detailed Software Bill of Materials (SBOMs) for every software artifact. SBOMs are instrumental for rapidly remediating zero-day vulnerabilities and other dependency issues as they can be used in tracing vulnerable or problematic dependencies back to impacted software artifacts.

‍

• Govern artifact promotions with SLSA attestations & artifact chain of custody. The SLSA framework is essential for measuring trust in software artifacts, based on a record of the artifact’s properties and its build. Verify that a software artifact meets your trustworthiness criteria before promoting it to the next development phase.

‍

Learn about how Harness Software Supply Chain Assurance (SSCA) module can help you secure your software supply chain.