3 Practices for Software Supply Chain Security to Focus on in 2022
- February 22, 2022
Given today's trends in attacker behaviour and in how software is built and bought, safeguarding the software supply chain has to be a top cyber-security priority for most companies. 45% of companies report having experienced at least one software supply chain attack in the last 12 months, up from 35% the year before. Of those, fewer than half had a response plan in place. Most took million-dollar hits, not only in finding and patching the breach but in downtime. In this post, we'll discuss digital supply-chain security and risk management and how they strengthen your overall cyber-security strategy.
What are Supply-Chain Attacks?
A software supply chain attack is a cyber-attack in which the adversary gets into a position to insert malicious code somewhere in your official software development or delivery process. In other words, they piggyback on your certificates, your licences and your reputation to deliver malware into your customers' systems, signed and trusted as if it were your own code.
The attacker may inject the malicious code during development, compromise a third-party supplier (a library, a build tool, a hosted service you depend on), or tamper with the build and release pipeline so that a clean source tree still produces a poisoned artifact. The goal varies: disrupting operations, causing economic loss, espionage, or simply gaining a persistent foothold in the victim's infrastructure. A more insidious pattern, and an increasingly common one, is that you and 99.9% of your customers are not the real target at all; the attacker is using your distribution channel to reach the remaining 0.1%. Attacks of this kind have roughly quadrupled over the last few years, driven largely by state-sponsored actors. The best-known example is the 2020 SolarWinds incident: attackers compromised the build system for the SolarWinds Orion platform and inserted a backdoor (later named SUNBURST) into signed, legitimate Orion updates. SolarWinds had roughly 33,000 Orion customers, of whom up to about 18,000 downloaded the trojanized update; the attackers then selected a much smaller set of high-value victims for follow-on intrusion, including US federal agencies such as the National Nuclear Security Administration (NNSA) within the Department of Energy. The US government formally attributed the campaign to Russia's Foreign Intelligence Service (SVR) in April 2021.
A corrupted pipeline or a tampered application can expose your customers to large financial losses and to exposure of their private data. It also gives the attacker an inside look at your code, your proprietary technology, your infrastructure and your processes.
An attacker in this position can do more than inject or alter code: they can add entirely new behaviour to your applications. If the compromise goes undetected for a while, it also gives them a front-row seat to everything you build, letting them steal data, technology and other material vital to your business.
Best Practices When It Comes to Securing the Software Supply Chain
The following are three of the best digital supply chain security practices you can implement. Given the rise in attacks, you must strengthen your defences against this type of risk. If you develop and deploy software, the question is not whether you will be attacked but when; what matters is how prepared you are when it happens.
Shifting to a Distroless Model
Containers are now the default way companies deploy software. They are attractive because they give you control over the runtime environment: the application ships with the libraries it was tested against, insulated from whatever is installed on the host. The problem is that you can put as much as you like into a container image, and images tend to grow baroque: a full Linux distribution, a shell, a package manager, debugging tools, all layered under the one binary you actually need. Every extra package is another thing that can carry a vulnerability, and another tool an intruder can use once inside.
Today companies should adopt a less-is-more approach and trim their container images down to the application and its runtime dependencies, removing most of the distribution. By stripping out libraries you do not use, the shell, the package manager and similar tooling (the "distroless" model), you cut the attack surface: there are fewer packages for a vulnerability scanner to flag, and a compromised process cannot simply spawn a shell or install tools. The usual pattern is a multi-stage build in which a full image compiles the application and the final stage copies only the resulting binary into a minimal base image.
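Once you have moved to a slim base image, you want a check that the image really is slim. The script below is an added example, not code from the original article: it walks an exported image filesystem (for a real image, run docker create, docker export and tar -x into a directory first) and reports shells, package managers, download tools and setuid/setgid binaries. The two fixture trees, the "fat" image and the distroless one, are constructed in a temporary directory so the script runs offline.

```python
"""Audit an extracted container root filesystem for tooling a distroless
image should not carry.

Added example, not code from the original article. The fixtures below are
constructed in a temporary directory so the script runs offline; point
audit_rootfs() at a directory holding a real exported image to use it.
"""
import os
import tempfile

# Basenames that either give an intruder an interactive foothold or let
# them fetch and install more tooling after a compromise. A distroless
# production image should contain none of them.
UNWANTED = {
    "shell": {"sh", "bash", "dash", "ash", "zsh", "busybox"},
    "package-manager": {"apt", "apt-get", "dpkg", "apk", "yum", "dnf",
                        "pip", "pip3", "npm"},
    "download-tool": {"curl", "wget", "nc", "ncat", "netcat"},
}
LOOKUP = {name: cat for cat, names in UNWANTED.items() for name in names}


def audit_rootfs(root):
    """Walk an extracted rootfs and return sorted (category, relative path)
    findings: every unwanted binary and every setuid/setgid file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in LOOKUP:
                findings.append((LOOKUP[name], rel))
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if mode & 0o6000:  # S_ISUID or S_ISGID set
                findings.append(("setuid-setgid", rel))
    return sorted(findings)


def make_fixture(files, setuid=()):
    """Create a fake rootfs under a temp dir (constructed test data)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\x7fELF")  # placeholder; the content is irrelevant here
        os.chmod(full, 0o4755 if rel in setuid else 0o755)
    return root


# A typical image built FROM a full distribution, and a distroless one that
# holds only the application, CA certificates and a passwd file for a
# non-root user. Both lists are constructed for the example.
FAT_IMAGE = ["bin/sh", "bin/bash", "usr/bin/apt-get", "usr/bin/curl",
             "usr/bin/sudo", "app/server"]
DISTROLESS_IMAGE = ["app/server", "etc/ssl/certs/ca-certificates.crt",
                    "etc/passwd"]

if __name__ == "__main__":
    for label, files, suid in (("fat", FAT_IMAGE, {"usr/bin/sudo"}),
                               ("distroless", DISTROLESS_IMAGE, set())):
        print(label, audit_rootfs(make_fixture(files, suid)))
```

A quicker manual check on a running container is `docker exec <id> sh`: on a genuinely distroless image (for example Google's gcr.io/distroless bases, excluding their :debug tags) there is no shell to execute and the command fails, which is exactly the property you want.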
Scrutinizing Container Images and Registries
You have to scan and understand everything you deploy, particularly now that software has become so complex. It is critical to know exactly what you are putting into an application or a container. Most organisations, for example, pull code or base images from third parties and build their own containers on top of them. How air-tight are your policies about where developers may pull software and images from? Some companies maintain an allowlist of registries, pin images by digest rather than by a mutable tag, and scan every image before it is admitted to the cluster; others let developers pull from anywhere on the internet with little or no scrutiny of who they are in a "relationship" with.
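The minimum policy worth automating is: only pull from registries you have vetted, and only pull by immutable digest, never by a floating tag. The script below is an added example, not the article's code, and goes slightly beyond the paragraph by handling the full Docker/OCI reference grammar (implicit docker.io registry, implicit library/ namespace for single-name Docker Hub images, tag after ':' and digest after '@'). The allowlist and the sample references are constructed; registry.internal.example is a hypothetical private registry.

```python
"""Enforce a pull policy on container image references.

Added example, not the article's code. The allowlist and the sample
references are constructed; the parsing follows the Docker/OCI reference
grammar so it behaves like the container runtime would.
"""
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Registries or registry/namespace prefixes developers may pull from.
# Constructed for this example; registry.internal.example is hypothetical.
ALLOWED_PREFIXES = {"registry.internal.example", "gcr.io/distroless"}


def parse_image_ref(ref):
    """Split 'registry/repo:tag@digest' into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first component is a registry only if it looks like a hostname
    # (contains '.' or ':' or is 'localhost'); otherwise it is Docker Hub.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0]
                           or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path  # single-name Hub images live under library/
    tag = None
    head, _, last = path.rpartition("/")
    if ":" in last:  # a ':' in the final component is the tag separator
        last, tag = last.split(":", 1)
        path = f"{head}/{last}" if head else last
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def check_image_ref(ref, allowed_prefixes=ALLOWED_PREFIXES):
    """Return a list of policy violations; an empty list means the image
    may be pulled."""
    info = parse_image_ref(ref)
    full = f"{info['registry']}/{info['repository']}"
    violations = []
    if not any(full == p or full.startswith(p.rstrip("/") + "/")
               for p in allowed_prefixes):
        violations.append(f"{full} is not in the registry allowlist")
    if info["digest"] is None:
        violations.append("image is not pinned to a digest")
        if info["tag"] in (None, "latest"):
            violations.append("floating tag (missing or 'latest') is not allowed")
    elif not DIGEST_RE.fullmatch(info["digest"]):
        violations.append("malformed digest")
    return violations


if __name__ == "__main__":
    for sample in ("nginx",
                   "registry.internal.example/team/api:1.4.2",
                   "gcr.io/distroless/static:nonroot@sha256:" + "a" * 64):
        print(sample, "->", check_image_ref(sample) or "OK")
```

The same checks belong in an admission controller in front of the cluster, not only in a pre-commit hook: a developer can bypass a hook, but an image that is not on the allowlist or not digest-pinned should never be scheduled at all.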
Exploring and Implementing SLSA
SLSA, pronounced "salsa", stands for Supply-chain Levels for Software Artifacts. It is a framework for protecting the integrity of the software supply chain: a set of incrementally adoptable levels (1 through 4 in the current specification), each adding stronger guarantees about how an artifact was built, from simply recording provenance at level 1 up to hermetic, reproducible builds with two-person review at level 4. SLSA grew out of Google's internal Binary Authorization for Borg, and Google helped create it to raise the state of the industry against these threats.
SLSA lines up well with where policy is heading. The Biden administration's Executive Order 14028 of May 2021, "Improving the Nation's Cybersecurity", directs federal agencies to require software supply chain security practices from their vendors, including attestations about how software is built, and SLSA's provenance requirements map directly onto that kind of attestation.
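What SLSA delivers in practice is provenance: a statement, emitted by the build service, describing who built an artifact, from which source revision, with which inputs. The consumer's job is to verify it before using the artifact. The script below is an added example, not the article's and not the SLSA project's own tooling. It assumes the DSSE envelope signature around the statement has already been verified with the builder's public key (that step is not shown), and it checks the decoded in-toto Statement v0.1 carrying a SLSA provenance v0.2 predicate: the subject digest must match the downloaded artifact, the builder must be one you trust, and the build configuration and every material must be pinned to a digest. The artifact bytes, builder identity and source URIs are constructed.

```python
"""Check a SLSA provenance statement against the artifact it describes.

Added example, not code from the article or the SLSA project. Assumes the
surrounding DSSE envelope has already been signature-verified; all
artifact bytes, builder and source identities below are constructed.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"

# Builder identities whose provenance we accept (constructed).
BUILDER_ID = "https://ci.example/builders/release@v3"
TRUSTED_BUILDERS = {BUILDER_ID}

# The release artifact we downloaded (constructed bytes).
ARTIFACT = b"#!/bin/sh\necho 'release 1.4.2'\n"


def provenance_for(artifact, builder_id=BUILDER_ID):
    """Return the statement a compliant builder would emit for `artifact`.
    Constructed here to illustrate the v0.2 shape, not produced by a real
    builder."""
    source = "git+https://git.example/team/api@refs/tags/v1.4.2"
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "api-1.4.2.sh",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://ci.example/buildtypes/container@v1",
            "invocation": {
                "configSource": {"uri": source,
                                 "digest": {"sha1": "9f" * 20},
                                 "entryPoint": ".ci/release.yml"},
            },
            "metadata": {"completeness": {"parameters": True,
                                          "environment": False,
                                          "materials": True}},
            "materials": [
                {"uri": source, "digest": {"sha1": "9f" * 20}},
                {"uri": "pkg:docker/gcr.io/distroless/static@sha256:" + "ab" * 32,
                 "digest": {"sha256": "ab" * 32}},
            ],
        },
    }


def verify_provenance(statement, artifact, trusted_builders=TRUSTED_BUILDERS):
    """Return a list of problems; an empty list means the artifact is accepted."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append("unexpected predicate type")
    # The subject binds the statement to these exact bytes.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == actual for s in subjects):
        problems.append("artifact sha256 does not match any subject")
    pred = statement.get("predicate") or {}
    builder = (pred.get("builder") or {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder {builder!r}")
    # Source and inputs must be pinned so the build can be traced and redone.
    cfg = (pred.get("invocation") or {}).get("configSource") or {}
    if not cfg.get("uri") or not cfg.get("digest"):
        problems.append("build config source is not pinned to a digest")
    for m in pred.get("materials") or []:
        if not m.get("digest"):
            problems.append(f"material {m.get('uri')!r} has no digest")
    return problems


if __name__ == "__main__":
    stmt = provenance_for(ARTIFACT)
    print(json.dumps(stmt, indent=2))
    print("clean artifact:", verify_provenance(stmt, ARTIFACT) or "accepted")
    print("modified artifact:", verify_provenance(stmt, ARTIFACT + b"# extra\n"))
```

Note that the subject check is what catches a SolarWinds-style substitution: if the artifact you received differs by a single byte from what the trusted builder produced, its digest no longer appears among the statement's subjects and it is rejected, regardless of any code-signing certificate attached to it.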
Will You be Attacked?
Cybercrime is on the rise, and if you produce software in any way you should assume you are a target. Right now you are in the crosshairs of attackers of every kind. You will be attacked, and at some point you will have a breach: Sony had one, Tesla has had a couple, and so have Apple, Chase Bank, Yahoo and Google. Your top priority today should be shoring up your defences, strengthening your practices and having a rehearsed plan for facing an attack and recovering from it.