The software supply chain is becoming a popular attack vector for hackers looking to infiltrate a company’s IT network and disrupt business operations.
A recent study by Sonatype revealed that the number of attacks involving the supply chain reached almost 250,000 in 2023, which amounts to double the amount of software supply chain attacks that took place between 2019 and 2022.
Protecting against this rising threat has never been harder. According to Gartner, 60% of organisations work with over 1000 third parties and are dependent on third-party software as part of their technology architecture.
And since third-party software is often at the heart of key operations like emailing, CRM systems, and accounting systems, supply chain attacks have become attractive attack vectors for threat actors looking to wreak havoc on business operations.
That’s why software supply chain security has never been more important.
What is software supply chain security?
Software supply chain security is a crucial aspect of cybersecurity that focuses on protecting the entire software development and delivery process from vulnerabilities and external threats.
It's about safeguarding the journey of the application and securing everything that touches an application or plays a role in its development throughout the software development life cycle (SDLC).
The goal of software supply chain security is to build trust in the software development and distribution process, ensuring that end-users receive secure and trustworthy software products.
Security in the software supply chain is crucial to prevent and mitigate the risks of tampering, unauthorized access, and other malicious activities that could compromise the integrity and security of the software.
This is especially crucial as software supply chains become interconnected and rely on various components from different sources.
What is the software supply chain?
The software supply chain includes all the stages involved in creating, testing, packaging, and distributing software – from the initial development to the end-users.
It encompasses everything from the initial conception of an idea to the final deployment and ongoing maintenance of the software product.
Here's a breakdown of the key components of the software supply chain:
1. Code
This is the heart of the supply chain, including:
- Your code – the unique code you write to build the core functionality of your software.
- Third-party libraries and frameworks – pre-written code modules that provide common functionalities you can integrate into your project.
- Open-source components – publicly available code developed by others and often readily available for reuse under licensing agreements.
2. People
The human expertise behind the software, including:
- Developers – who write the code, design the architecture and implement features.
- Testers – who ensure the software functions as intended and detect bugs.
- Security experts – who assess the code for vulnerabilities and recommend mitigation strategies.
- DevOps engineers – who automate build, test, and deployment processes to streamline the software delivery.
- Product managers and executives – who guide the vision and define the goals of the software project.
3. Processes
The methodologies and practices used to create and deliver the software, such as:
- Software development methodologies – agile, waterfall, DevOps, etc., guiding the workflow and collaboration.
- Build and deploy pipelines – automated processes for compiling, testing, and deploying the software.
- Version control systems – tools for tracking changes to code and ensuring collaboration.
- Security practices – secure coding practices, vulnerability management, and incident response plans.
4. Tools and Technologies
The software and hardware used throughout the process, including:
- Integrated development environments (IDEs) – tools like Visual Studio Code or IntelliJ IDEA for writing and testing code.
- Compilers and interpreters – translate code into machine-readable instructions.
- Continuous integration and continuous delivery (CI/CD) tools – automate development and deployment processes.
- Cloud infrastructure – platforms like AWS or Azure for hosting and managing applications.
- Security scanning tools – identify vulnerabilities in code and dependencies.
Understanding the interconnectedness of these elements is crucial for ensuring the security, reliability, and efficiency of the software supply chain.
Each component plays a vital role, and any weakness in one area can impact the entire system, leading to downtime, data breaches, or the failure of the application.
Software supply chain security risks
Software supply chain security risks encompass a wide range of potential threats and vulnerabilities that can occur at any stage of the software development and delivery process.
These vulnerabilities give hackers the opportunity to insert malware, a backdoor, or other malicious code to compromise any components and their associated supply chains, leading to software supply chain attacks.
Commonly carried out by profit-driven threat actors and nation-state actors, these attacks are becoming increasingly common and can have dramatic effects in both our digital and physical worlds.
These generally fall into one of four types of risks:
- Vulnerability-based risks. These are flaws in software code or third-party libraries and frameworks that could be exploited leading to a breach. These dependencies can contain vulnerabilities that attackers can exploit to attack the parent application.
- Licensing. This is a legal risk that could obligate you to make any resulting software artefacts open source and nullify patent rights.
- Third-party dependencies. These are dependencies upon any outside organization as part of the software supply chain and are difficult to identify. If unauthorized individuals gain access to code repositories, build systems, or deployment environments, they can tamper with the software or inject malicious code.
- Processes and policies. These are only a security risk if you don’t have them. Lack of secure coding practices, inadequate vulnerability management, and insufficient security testing can leave the software vulnerable to attack.
Understanding these risks is crucial for implementing effective security measures and mitigating potential threats.
By focusing on secure coding practices, vulnerability management, access control, and robust development processes, organizations can significantly improve the security of their software supply chains.
Examples of software supply chain attacks
One of the most notable examples of a software supply chain attack was the theft of usernames and passwords for 76 million households and 7 million business accounts from JP Morgan Chase.
The breach was caused by an unmonitored asset, a website built by a third-party vendor in support of a charity, which threat actors took advantage of to infiltrate core systems.
Another major software supply chain attack was the recent attack on the IT firm SolarWinds. Weak security practices by a former intern at the firm exposed a critical internal password, allowing suspected Russian hackers to access a system that SolarWinds used to assemble updates to Orion, one of its flagship products.
From here, the threat actors inserted malicious code into an otherwise legitimate software update, allowing them to monitor and identify running processes involved in the compilation of Orion, and replace source files to include SUNBURST malware.
Orion updates were deployed to an estimated 18,000 customers, and SUNBURST sent information back to the attackers that was used to identify targets for additional malware, broadened access, and spying.
Given that the intended targets and victims of the attack were several degrees of separation away from the entry point, this is a popular example of a modern software supply chain attack.
Protecting the software supply chain
Protecting against software supply chain attacks involves implementing robust security measures at every stage of the software development and distribution process, including code review, digital signatures, secure build processes, and continuous monitoring.
Organisations need to gain a comprehensive understanding of all participants, from developers and manufacturers to distributors and third-party libraries, and maintain a detailed inventory of software components and dependencies for vulnerability identification and risk assessment.
They must also regularly scan code for known vulnerabilities and malware in both proprietary and open-source components and integrate security tools into the CI/CD pipeline to automate vulnerability detection and patching.
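The inventory and scanning steps described above can be wired into a CI job as a gate. The following is an added example, not code from the original article: the package names, hashes, advisory IDs and the lock-file layout are constructed placeholders, and a real pipeline would read an actual lock file and advisory feed.

```python
import re

# Constructed sample lock file (hypothetical package names, placeholder hashes).
LOCKFILE = """\
examplelib==1.4.2 --hash=sha256:aaaa
webframe==2.0.1 --hash=sha256:bbbb
yamlparse>=3.0
imgtools==0.9.0
"""
# Constructed advisory feed: package -> (first fixed version, placeholder advisory id).
ADVISORIES = {
    "examplelib": ("1.5.0", "EXAMPLE-ADVISORY-0001"),
    "webframe": ("2.0.0", "EXAMPLE-ADVISORY-0002"),
}
LINE = re.compile(r"^([A-Za-z0-9_.-]+)(==|>=|<=|~=|>|<)([0-9][0-9.]*)(.*)$")

def version_key(v):
    return tuple(int(p) for p in v.split("."))

def build_inventory(lockfile):
    """Turn each lock-file line into an inventory record; fail closed on junk."""
    inventory = []
    for line in filter(None, map(str.strip, lockfile.splitlines())):
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable dependency line: {line!r}")
        name, op, version, rest = m.groups()
        inventory.append({"name": name.lower(), "version": version,
                          "pinned": op == "==", "hashed": "--hash=" in rest})
    return inventory

def audit(inventory, advisories):
    """Return (package, issue) findings for integrity gaps and known advisories."""
    findings = []
    for dep in inventory:
        if not dep["pinned"]:
            findings.append((dep["name"], "not pinned to an exact version"))
        elif not dep["hashed"]:
            findings.append((dep["name"], "no integrity hash"))
        fixed = advisories.get(dep["name"])
        if fixed and version_key(dep["version"]) < version_key(fixed[0]):
            findings.append((dep["name"], f"{fixed[1]}: upgrade to {fixed[0]}"))
    return findings

if __name__ == "__main__":
    findings = audit(build_inventory(LOCKFILE), ADVISORIES)
    for name, issue in findings:
        print(f"{name}: {issue}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the CI job
```

An unparseable line raises instead of being skipped, so a malformed or tampered dependency entry cannot silently drop out of the inventory.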
Regular tests are crucial for identifying and exploiting potential weaknesses in the software supply chain before attackers do, preventing hackers from finding an entry point.