Top Open Source Software Supply Chain Security Tips
As more organizations and applications rely on open-source software, it is crucial to ensure that the software is secure and free from...
9 min read
Justin Bahr : Sep 13, 2022 6:28:38 AM
In this blog post, we'll discuss the four types of software supply chain threats businesses face. Use these 8 best practices in cyber supply chain risk management to help keep your business secure and avoid vulnerabilities.
There are many various supply chain cyber risks software-based businesses face today that can be categorized into four primary types: 1) cyber threats, 2) compliance, 3) financial impact, and 4) reputational. For each of these, we will provide preventative best practices later in the article, but for now, let’s dive into each supply chain threat and examine them more closely.
Most cybersecurity professionals would agree that cyber security supply chain breaches are a question of "when" and not "if" they will occur. Breaches can come from multiple vectors due to a wide variety of vulnerabilities in the software supply chain especially if best practices in supply chain risk management are not followed. Moreover, once threat actors are in, they very often move laterally throughout an organization. We have seen this happen in three highly publicized software supply chain cyber attacks – SolarWinds, Log4J, and Codecov.
SolarWinds attackers inserted malicious code (SUNSPOT) using temporary file replacement techniques to attack software supply chain pipelines and development tools compromising the CI/CD infrastructure.
Log4J, the zero-day software supply chain vulnerability, allowed attackers to leverage remote code execution using logging dependencies, again compromising the CI/CD infrastructure.
Codecov showed that attackers could modify source code to infect, tamper, and reveal customer secrets using modified scripts leveraging compromised artifacts.
For a deeper dive into these three underlying risks, check out The 3 Riskiest Software Supply Chain Attack Patterns Common Across Frameworks. It’s also worth mentioning that there are many more software supply chain attacks than the three listed here. Legit Security is actively contributing to the open-source community, which is core to our mission to help protect software supply chains from attack.
With the implementation of FedRAMP, President Joe Biden’s Executive Order 14028, NIST’s recently revised security guidance, along with many other emerging regulations proves that software supply chain security compliance is another major issue that must be addressed. Software security risks can present themselves in unexpected ways, so teams must remain aware of potential third party vulnerabilities.
Compliance with security protocols and legal regulations like FedRAMP and SOC2 is not just mandatory for your internal organization – it very often also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties.
Supplier non-compliance can lead to violations that you can also be implicated in, and a breach of compliance or violation can lead to penalties or fines for all parties, depending on the context of the violation. Maintaining a complete understanding of your vendors’ security practices is an important component of cybersecurity and supply chain risk management.
Cyber threats to your supply chain do not just present a potential financial loss to your organization but can also deal a financial blow to your customers. Security vulnerabilities don’t just present operational and business disruption risks, they can also have long-lasting financial impacts on your business. This financial risk can vary greatly and range from small operational costs and inefficiencies to financial ruin for businesses.
Financial risks can manifest as real consequences in a couple of ways. Cyber attacks can result in a longer term business continuity crisis that prevents you from servicing your direct customers. Long term business disruptions can also greatly affect your suppliers and contractors, leading them to seek business elsewhere, go bankrupt, or otherwise leave you high and dry. Suppliers and contractors can also encounter their own software supply chain issues which can hamper your ability to continue to operate properly. Because of these potential scenarios, potential cyber threats to your supply chain should be consistently assessed and properly addressed and managed.
Adhering to cyber security best practices to manage supply chain vulnerabilities is an important responsibility that protects you and your customers and allows your business to deliver the most value and avoid potentially catastrophic scenarios. Software supply chain security risk management techniques can be used to minimize the negative financial impacts to your business. Organizations that follow software supply chain best security practices and leverage advice for securing their code and data for business continuity are more adept at mitigating direct and indirect financial impacts.
Reputational threats are the most unpredictable type of risk posed to your business in terms of supply chain cyber security, in part because the concept of brand or reputation is ephemeral and more difficult to control and measure. Additionally, reputations can also become intertwined with other entities, such as when an organization chooses to work with suppliers that are themselves vulnerable to third-party software security risks. In this regard, damage to your suppliers’ reputation can convey the same reputational damage to your organization. Because reputation can be a nebulous component of your business to manage, it is that much more important to be extremely cautious when considering who you work with and how you manage a third party presence in the software supply chain.
SolarWinds and Codecov are useful examples of reputational risk, where a vendor or supplier was compromised resulting in widespread downstream damage and corresponding reputational risk to their customers. Ultimately, your reputation relies on a few factors:
Suppliers’ reputations are critical to evaluate when initially onboarding providers and considering new suppliers. Considering reputation in your evaluation of a new vendor can help you mitigate potential software supply chain threats and bolster your broader cyber security strategy. Keep in mind that vendor/supplier software is not just the proprietary code the vendors create, but also the assortment of open-source tools and libraries they use when developing the software. With the widespread use of open-source tools and libraries, there are various weak spots in the SDLC that the open-source community hasn't addressed yet, which means your suppliers need to enact their own adequate security controls for their usage.
In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using their framework for cyber supply chain risk management or C-SCRM.
The 8 NIST supply chain best practices are:
Let’s dive into each best practice to manage the four major supply chain threats – Cyber Threats, Compliance, Financial Impact, and Reputational Risk.
The first step in supply chain risk management is to deploy a framework and plan for your organization. Cyber Supply Chain Risk Management or C-SCRM is a multidisciplinary approach to managing cyber threats to your software supply chain. Established in 2021, NIST supply chain best practices provide companies, government agencies, and other organizations with a means to manage growing supply chain risks and protect them from threats.
On large development teams, it is easy for individual efforts to get separated and siloed from the bigger picture, which only increases potential threats to the software supply chain. Deploying organization-wide C-SCRM is the first best practice on our list because it is an essential management framework that helps facilitate and encourages a more collaborative approach to the software or product development process.
A formal C-SCRM program helps establish governance and ensures accountability when identifying, assessing, and mitigating risks to the software supply chain. Creating a robust program should establish governance policies along with processes and procedures. Creating and implementing these practices will increase visibility into software and product development, allowing for more transparency between teams while also strengthening risk management in your software supply chain.
Key elements to be included in a C-SCRM program include who is responsible for enforcing governance, which tools are permissible, the policies or procedures applied to the development lifecycle, and the internal processes for managing potential risk. Transparency and visibility in all phases of the development lifecycle reinforce best practices in software supply chain security and allows teams to mitigate software supply chain threats before they can harm the business. Organizations should approach the deployment of a C-SCRM program with a zero-trust mindset, anticipating and assuming that the code and application development process can not be trusted by default and instead assuming it has already been breached.
Oversight of your supply chain cyber threats through proper, ongoing, monitoring of critical components and suppliers helps secure the entire supply chain. As development teams grow larger and expectations set by the business increase accordingly, threats to the software supply chain increase as well. Continuous monitoring is often critical for mission-imperative functions, since if a breach or breakdown were to occur it would severely disrupt operations.
The identification of assets, systems, processes, suppliers, and data is critical in order to smoothly function 24x7x365. This will help your consistent understanding of third party software security risks as well as any other risk to your software supply chain. Software supply chain critical management assets such as these should be monitored:
Automated SDLC inventory discovery; risk protection and remediation; and continuous scoring and compliance monitoring are all important features that software supply chain security companies like Legit Security have built into their platforms. Using platforms like these can help organizations monitor their critical components and suppliers as recommended by NIST for third-party risk management.
Visibility into your software supply chain is crucial – especially the visibility and analysis of dependencies within your software supply chain. Threat actors leverage dependency vulnerabilities to gain access to the entire pipeline and compromise the integrity of the application or code. Dependencies and suppliers play a critical role in development, so it is important to understand who they are and their security posture to safeguard your own mission-critical components to increase the strength of your software supply chain risk management.
Organizations can manage software supply chain dependency vulnerabilities by:
Should a supplier encounter a breach, the impact on your business could be substantial, but the need for third party expertise in certain areas can be inevitable for large organizations.. Therefore, whenever possible, have backup suppliers available to help minimize disruptions to your operations.
Collaboration with suppliers is key and should be prioritized by organizations focused on software supply chain risk management. Forming a collaborative relationship with key suppliers can facilitate communication and information sharing by creating shared ecosystems.
Any opportunities to increase visibility between your team and third party suppliers should be utilized to manage supply chain risk and protect your business while still getting the benefits of working with your vendors. While collaboration may not always be easy, having shared resources with those key suppliers may be the difference between catching a vulnerability early and before it becomes a problem, or finding out too late where significant damage has already been done.
People, process, and technology are at the heart of effective management and can enhance supply chain performance with proper communication, making it more secure and efficient. These efforts help your team adhere to best practices in supply chain security which strengthens your cyber security risk management. Effective collaboration can not only illuminate issues but highlight visibility gaps that help combat cyber threats to your supply chain.
Organizations face cyber threats not just from their internal suppliers and collaborators. A broad range of external cybercriminals increasingly target businesses through their supply chain as an easier way to find weak points (e.g., SolarWinds, Kaseya, and Codecov). Supply chain vulnerabilities have become better known among cybercriminals as potential targets, and organizations must respond accordingly to reduce and eliminate these risks. To help combat threats, regulations such as FedRAMP and NIST, now specifically include new software supply chain security requirements to address these weak points.
“FedRAMP’s focus in 2022 on supply chain requirements have significantly increased through the publication of the new supply chain risk management (SR) control family in NIST 800-53 revision 5.” (Coalfire)
Businesses of all sizes can have a security incident, which is why resiliency planning is an essential component to maintaining a healthy security posture and reducing your supply chain vulnerabilities. Including critical suppliers in your organization's incident response or disaster recovery plan helps enhance resilience against broader industry ecosystem risks. Additionally, testing resiliency plans with critical suppliers and key stakeholders is essential to become better prepared when a real-life threat arises.
Initial assessments of your suppliers and supply chain are only accurate for a brief period. Over time, these snapshots become obsolete as the software supply chain environment evolves and if you aren’t consistently evaluating your suppliers and supply chain for potential threats and vulnerabilities, your entire organization can potentially be at risk. Organizations should seek automated solutions to continuously identify risks and vulnerabilities in their supply chain as they are continuously changing and evolving.
Monitoring supplier relationships is an essential part of establishing a successful and ongoing supplier program. Organizations can minimize third-party software security risks with just a few monitoring best practices including:
Implementing these best practices will increase efficiencies and reduce risk within your vendor relationships, and will further protect your software supply chain from risk.
While no one can predict when an incident will occur, planning for unexpected interruptions is a must for all businesses in today’s cyber environment. Just a few examples of interruptions that businesses commonly face include ceased support for obsolete software, a change of supplier due to acquisition, and downstream supplier changes affecting your own supply chain production.
Cyber security supply chain threats are pervasive and ever-growing. Adhering to software supply chain security best practices is the best way to protect your team from third party risk as well as potential threats from cyber criminals. Effective supply chain risk management requires taking a proactive approach and establishing preventative action plans to respond to interruptions and prevent severe or critical business failures.
Taking a proactive approach allows every business to mitigate the four main types of cyber threats to software supply chains. Using these NIST supply chain best practices, organizations can help mitigate continued risk in an ever-growing threat landscape. All organizations have some form of supply chain vulnerabilities that need to be recognized early and often so that teams can address them before they cause business critical issues.
|4 Threat Types to Supply Chain Security||8 Best Practices for Software Supply Chain Risk Management|
What we have learned from recent incidents like SolarWinds, Log4J, and Codecov is that software supply chain attacks are pervasive and will continue to grow with increasing complexity, exacerbating the need for more robust and automated solutions that analyzes the entire CI/CD or software supply chain for risks and vulnerabilities.
Legit Security helps secure software supply chains and continuously monitors drift from regulatory frameworks like NIST, FedRAMP, and more. To learn more about how the Legit Security Platform was built to help application security teams keep up with fast-moving development teams at scale, schedule a product demo or learn more about our platform.
Join the Legit Security Newsletter to stay up-to-date on the latest tips, tricks, and tech-industry news.
As more organizations and applications rely on open-source software, it is crucial to ensure that the software is secure and free from...
Code leaks can pose significant threats to the security and well-being of businesses, potentially resulting in a range of negative outcomes including...
What are different solution approaches to software supply chain security and what are the Pros and Cons for your organization? What is the modern...