Risky business

Addressing software supply chain security in the wake of the SolarWinds breach. By Taylor Armerding


If there is a silver lining to the recent SolarWinds/Orion cyber-attack that impacted at least nine federal agencies and 100 private-sector firms in the US, it’s that it could serve as a wake-up call about digital supply chain risks, and the ways to mitigate them.

Experts have warned for years about such risks. Just as with a physical chain, a software supply chain is only as strong as its weakest link. As such, if any entity in an organization’s supply chain – vendor, partner, contractor – isn’t secure, then the organization isn’t secure either.

There are numerous stark examples of that reality. One of the most notorious is the 2014 breach of mega-retailer Target’s point-of-sale systems, enabled because hackers penetrated one of the company’s vendors – an HVAC contractor – through a social engineering attack that delivered malware in an email.

The result? The compromise of 41 million credit card numbers along with 70 million addresses, phone numbers, and other personal information.

And yet, it didn’t change the world of software supply chain all that much. Perhaps most organizations thought that what happened to Target wouldn’t happen to them. But it can and does.

SolarWinds, which provides system management tools for network and infrastructure monitoring, has said only 100 companies were actually compromised by the attack. But its Dec. 14 report to the Securities and Exchange Commission said that as many as 18,000 customers may have installed an update to its IT performance monitoring system called Orion that contained malicious code. More recently, the North American Electric Reliability Corp. (NERC) reported that about a quarter of roughly 1,500 electric utilities sharing data with NERC said they had installed that malicious update.

SolarWinds is no outlier, however. It’s just the most famous recent example of the damage supply chain vulnerabilities can cause. And while that damage can be catastrophic, organizations don’t have to feel helpless. There are mitigations available to manage and reduce supply chain risks.

No, they won’t make you bulletproof, just as seatbelts, airbags, lane assist, and accident-avoidance technology doesn’t guarantee you could never get hurt in a car crash. But those measures do make driving much safer. In much the same way, supply chain security measures can make an organization much more secure.

In most cases, organizations are both supply chain consumers and producers. As in, they receive (consume) materials, products, and services from various third parties, and also produce products and services for other organizations or for the public. But the security emphasis is a bit different for each role.

The leaders of most consumer organizations of any size likely know that their supply chain is lengthy and complex. But they may not grasp just how complex. Indeed, it’s not just the security of an HVAC contractor or other vendor that’s important. It’s also the security of the dozens to hundreds or thousands of components an organization may import while building applications or anything else powered by software.

Cyber security researcher Alex Birsan, in a recent post on Medium titled ‘Dependency Confusion: How I Hacked Into Apple, Microsoft, and Dozens of Other Companies,’ gets deep into the details of the causes of malware-by-update, which is increasingly likely in a world where software is less built from scratch than assembled from third- party and/or open source components. Those components create a trail of dependencies that can exponentially expand your supply chain.

As Birsan put it, “When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So, can this blind trust be exploited by malicious actors? Of course, it can.”

One of the first things a consumer organization should do is track what it’s using. Compile a Bill of Materials and get credible assurances from the producers of all those materials that they are also tracking what they are using and keeping it up to date.

As the 2021 Open Source Security & Risk Analysis (OSSRA) report notes, up to 90 percent of the code in any piece of software comes from a combination of open source and third parties. So, organizations should use an automated software composition analysis (SCA) solution, which can help find open source components, identify any known vulnerabilities in those components along with any potential licensing conflicts. A good SCA tool will do that much faster than any team of humans could.

Some potential good news at the federal level is that there may be some support coming to help organizations harden their supply chain security. President Biden’s recent $1.9 trillion infrastructure plan includes $100 billion to improve the security of the nation’s power grid, some of which may be devoted to supply chain security.

But in the interim, it’s up to organizations. Supply chain risks can be the equivalent of poison in your food – an existential threat, and unfortunately, software components are not regulated the way our food supply is. If you want to maintain the health of your products and systems, you have to make sure everything you use from outside your organization is healthy too.

 

Taylor Armerding is a Security Advocate at Synopsys Software Integrity Group.
Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behaviour. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.
www.synopsys.come