As organizations come to rely on third-party vendors for cybersecurity tooling and software updates for their networks, software supply chain attacks are becoming more common. However, there are lessons to learn from previous attacks, including how to make it less likely that attackers compromise your organization and do whatever they want with your most sensitive data.
Let’s explore some of the methods for preventing these attacks from harming you and your customers.
A software supply chain attack occurs when attackers infiltrate a software vendor’s network. Typically, they plant malicious code in the software before the vendor sends out a new patch or update; new software can even be compromised as soon as it goes live.
Software supply chain attacks affect anyone using the compromised software, or whose personal information was exposed through the compromise. They can happen in every industry and can even affect critical infrastructure, government agencies, and customers in the private sector.
There are unfortunately many examples of software supply chain attacks in the digital age. However, one of the most notable recent events occurred in 2020 with the now-infamous SolarWinds Orion attack.
In this attack, hackers with ties to the Russian government infiltrated Orion, the flagship software of IT management company SolarWinds. Once inside, they pushed out a malicious software update that left tens of thousands of customers vulnerable to having data logs, emails, and other information stolen. Since multibillion-dollar companies and federal agencies used Orion to protect their networks, this attack has had implications for national security.
The exact purpose of the attack is still mostly unknown. However, the consequences could range from future ransomware attacks to the leaking of classified information from the Department of Homeland Security. We may never know the true extent of the damage, aside from its global scale.
Cybersecurity specialists are getting better at what they do all the time. However, cybercriminals and cyberterrorists are also getting better at finding workarounds. Now more than ever, businesses of all sizes need to have robust security measures in place to keep their networks, employees, and information safe.
The strength and sophistication of an organization’s cybersecurity measures often scale with its size. Large organizations usually have multiple locations and dozens or hundreds of points of vulnerability, but they also have larger security budgets and the ability to implement more robust measures. However, that isn’t always the case—some large organizations also have lax security and bad data hygiene.
Cybercriminals and scammers tend to target smaller organizations because they know those businesses and agencies often don’t have the same level of security. However, they also know that these smaller organizations may sell to larger clients, making them especially desirable targets for software supply chain attacks.
Defending against software supply chain attacks requires everyone in your organization to practice good data and code-signing hygiene. At a glance, that typically includes the following across all parts of your organization, as well as your vendors:
Data encryption is one of the cornerstones of software supply chain risk management. Every organization in the supply chain needs it to protect systems from being compromised. This includes:
External suppliers and open-source code are frequent sources of supply chain attacks. For that reason, it’s important to know exactly what your suppliers and vendors are doing to protect both their security and yours. These are some considerations most cybersecurity experts will recommend:
If your suppliers do not have some or all of these measures in place, you may need to either suspend your work with them until they close the gaps or find another vendor who already has these measures in place.
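The code-signing hygiene and vendor checks described above come down to one gate on the consumer side: never install a vendor update unless its manifest verifies under the vendor’s signing key you pinned at onboarding and the downloaded artifact hashes to the digest that signed manifest lists. The following Go program is an added example, not code from the original article or from any vendor; the manifest format, product name and artifact bytes are constructed for illustration, and the vendor-side signing function is included only so the example runs end to end.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed release descriptor for this example (not any vendor's real schema):
// which product and version the artifact is, and the SHA-256 the vendor computed over it.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the serialized manifest and the vendor's Ed25519 signature over those exact bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// NewVendorKeypair stands in for the vendor's release-signing key generation.
// The consumer pins only the public half, ideally obtained out of band at onboarding.
func NewVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DigestHex returns the lowercase hex SHA-256 of an artifact.
func DigestHex(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor-side step: serialize the manifest and sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the consumer-side gate run before an update is installed:
//  1. the manifest signature must verify under the vendor key pinned at onboarding, and
//  2. the downloaded artifact must hash to the digest the signed manifest lists.
// A manifest signed by anyone else, or an artifact swapped after signing, is rejected.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, artifact []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return m, errors.New("manifest signature does not verify under the pinned vendor key")
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	if DigestHex(artifact) != m.SHA256 {
		return m, errors.New("artifact digest does not match the signed manifest")
	}
	return m, nil
}

func main() {
	pub, priv, err := NewVendorKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a downloaded update package.
	artifact := []byte("example-agent-2.1.0 installer bytes")
	sm, err := SignManifest(priv, Manifest{Product: "example-agent", Version: "2.1.0", SHA256: DigestHex(artifact)})
	if err != nil {
		panic(err)
	}
	if m, err := VerifyUpdate(pub, sm, artifact); err == nil {
		fmt.Println("accepted:", m.Product, m.Version)
	}
	// Same signed manifest, but the artifact was altered after signing.
	tampered := []byte("example-agent-2.1.0 installer bytes (modified)")
	if _, err := VerifyUpdate(pub, sm, tampered); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The order of the two checks matters: the digest is only trustworthy once the manifest that carries it has been authenticated, so signature verification runs first. Pinning the vendor key rather than trusting whatever key arrives with the update is what stops an attacker who controls the download channel from simply re-signing a modified build.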
Preventative measures and maintenance are less expensive, less damaging, and less embarrassing than cleanup and recovery. Making sure your IT and developer teams, and your entire organization, take these preventative steps can keep your company safe. That includes:
These are the measures that most IT security professionals hope they never have to use. However, they’re also among the most important methods for securing the software supply chain and preventing nightmare scenarios like what happened to SolarWinds. Some of the essential steps to take include:
Just as you might practice and prepare to evacuate your home during a fire or an earthquake, it’s important to have disaster mitigation plans in place for your organization in the event of cyberterrorism or other digital security threats.
We’ve already mentioned the necessity of using software code analysis tools to identify and resolve vulnerabilities. Making Software Composition Analysis (SCA) and Static Application Security Testing (SAST) regular parts of your security measures can make a huge difference in protecting your organization and clients.
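To make concrete what the SCA half of that recommendation does, here is an added example, written for this page and not part of the original article or any Kiuwan product: it reads a CycloneDX-style software bill of materials, compares each third-party component against a list of advisories, and reports which shipped versions fall inside an affected range. The SBOM, the package names and the advisory records are all constructed for illustration (the advisory IDs are placeholders, not real vulnerability identifiers); the version-range logic is the general check of which the text’s "identify and resolve vulnerabilities" is one instance.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one entry from a CycloneDX-style SBOM (only the fields this check needs).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type sbom struct {
	Components []Component `json:"components"`
}

// Advisory is a constructed vulnerability record: versions >= Introduced and < FixedIn are affected.
type Advisory struct {
	ID         string
	Package    string
	Introduced string
	FixedIn    string
}

// Finding links a shipped component to the advisory that covers its version.
type Finding struct {
	Component Component
	Advisory  Advisory
}

// SampleSBOM is a constructed bill of materials; names and versions are illustrative only.
const SampleSBOM = `{"bomFormat":"CycloneDX","components":[
  {"name":"example-logging-lib","version":"1.8.2"},
  {"name":"example-http-client","version":"4.5.3"},
  {"name":"example-yaml-parser","version":"n/a"}]}`

// SampleAdvisories are placeholder records, not real advisories.
var SampleAdvisories = []Advisory{
	{ID: "EXAMPLE-ADV-0001", Package: "example-logging-lib", Introduced: "1.0.0", FixedIn: "1.9.0"},
	{ID: "EXAMPLE-ADV-0002", Package: "example-http-client", Introduced: "4.0.0", FixedIn: "4.5.0"},
	{ID: "EXAMPLE-ADV-0003", Package: "example-yaml-parser", Introduced: "0.0.0", FixedIn: "2.0.0"},
}

// parseVersion turns "1.2.3" (optionally "v1.2.3") into [1 2 3]; missing parts are zero.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	out := make([]int, 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return nil, fmt.Errorf("unparseable version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 for a<b, a==b, a>b on equal-length slices.
func compareVersions(a, b []int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// Affected reports whether version lies in [adv.Introduced, adv.FixedIn).
func Affected(adv Advisory, version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	lo, err := parseVersion(adv.Introduced)
	if err != nil {
		return false, err
	}
	hi, err := parseVersion(adv.FixedIn)
	if err != nil {
		return false, err
	}
	return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0, nil
}

// ScanSBOM returns the vulnerable components it found and, separately, the components whose
// version it could not evaluate. Those are reported rather than silently passed, because an
// unknown version is exactly the kind of gap an inventory check exists to surface.
func ScanSBOM(doc []byte, advisories []Advisory) ([]Finding, []Component, error) {
	var s sbom
	if err := json.Unmarshal(doc, &s); err != nil {
		return nil, nil, fmt.Errorf("invalid SBOM: %w", err)
	}
	var findings []Finding
	var unevaluated []Component
	for _, c := range s.Components {
		for _, adv := range advisories {
			if adv.Package != c.Name {
				continue
			}
			hit, err := Affected(adv, c.Version)
			if err != nil {
				unevaluated = append(unevaluated, c)
				break
			}
			if hit {
				findings = append(findings, Finding{Component: c, Advisory: adv})
			}
		}
	}
	return findings, unevaluated, nil
}

func main() {
	findings, unevaluated, err := ScanSBOM([]byte(SampleSBOM), SampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("VULNERABLE %s %s: %s (fixed in %s)\n", f.Component.Name, f.Component.Version, f.Advisory.ID, f.Advisory.FixedIn)
	}
	for _, c := range unevaluated {
		fmt.Printf("UNEVALUATED %s version %q\n", c.Name, c.Version)
	}
}
```

Run against the constructed SBOM, the scan flags example-logging-lib 1.8.2 under EXAMPLE-ADV-0001, clears example-http-client 4.5.3 because it is already past the fixed version, and lists example-yaml-parser as unevaluated because its version field is unusable. A real SCA tool does the same comparison against a maintained advisory database and a full dependency graph; the point of running it on every build is that the vulnerable version is caught before the artifact ships, which is the window a supply chain attacker relies on.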
Kiuwan offers tools and add-ons that can help you find risky code before the criminals can. That way, you can use your vendors’ software and deploy your own with peace of mind. Not only does it deliver rapid results, but it also provides insights into the different types of security risks your software may have—all with a clear, full-coverage view of your product suite.
Supply chain attacks aren’t going anywhere. Ensuring everyone in the supply chain is delivering and using secure code plays a huge role in thwarting all types of cyberattacks. Having code analysis and governance tools in place can help prevent these software supply chain attacks. To see how Kiuwan can reduce your cyber risks, start a free trial of our application security software today!