Today’s software supply chains are the targets of an increasing number of sophisticated cyberattacks. Attackers seek to exploit vulnerabilities in software artifacts, OSS dependencies, code repos, CI and CD tools, and artifact registries. Organizations need to secure each element of their software supply chains.
The software supply chain is the sum total of all the code, people, systems, and processes that contribute to development and delivery of software artifacts, both inside and outside of an organization. Securing the software supply chain requires organizations to address a broad range of security and compliance issues across a diverse and distributed set of elements that include the organization’s software artifacts and its entire DevOps toolchain.
The software supply chain is an expansive, complex, and highly connected system of technology, people, and processes. Each of its different entities, from DevOps tools to software artifacts, is vulnerable to attack in a myriad of ways, making the whole supply chain challenging to secure. Attackers see opportunities to exploit vulnerable supply chain elements to steal sensitive data, plant malware, and take control of systems.
Gartner Research continues to predict that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021.
Open source software (OSS) dependencies are a desirable target for cyberattackers: compromise one software building block, and there is potential to wreak havoc on the tens or hundreds of thousands of end consumers of that component. In 2021, Log4j, an open-source logging framework maintained by Apache and used in a myriad of different applications, was the root of exploits that put thousands of systems at risk. Log4j’s communication functionality was vulnerable and thus provided an opening for an attacker to inject malicious code into the logs, which could then be executed on the system. After its discovery, security researchers saw millions of attempted exploits, many of which turned into successful denial-of-service (DoS) attacks.
SolarWinds was another devastating software supply chain attack, but instead of exploiting OSS dependency vulnerabilities, attackers exploited vulnerabilities in the DevOps toolchain. They were able to compromise SolarWinds’ build system in order to insert malicious code into a software update without leaving a trace in the codebase. The compromised update ended up being deployed to 18,000 customers.
Securing the software supply chain for modern applications should include the following initiatives:
Learn how the Harness Software Supply Chain Assurance (SSCA) module can help you secure your software supply chain.