For many business executives, familiarity with “software supply chain security” began around December 2020, when global news headlines covered the SolarWinds attack.
We learned that a vendor’s software build system could itself be compromised, and that production software shipped to end customers could carry malicious code inserted upstream. Out of necessity, business executives and many others were forced to ask hard questions about the business risks, vulnerabilities, and exposed attack surface of their own software supply chains.
History tends to repeat itself, and earlier patterns can offer clues about what might happen next. Let’s explore the developments that led to the security hardening of the United States physical supply chain after 9/11, and see what lessons they hold for software supply chain security today.
Say Goodbye to Supply Chains of the Past
Prior to the 1970s, security generally wasn’t a national security concern for most of America’s physical supply chains. Why? These supply chains drew on domestic resources, some were vertically integrated, and most enjoyed the implicit security of operating within the borders of the U.S.
However, international outsourcing took off in the 1970s and many types of factory work began to shift overseas. This accelerated further in the 1990s, when the United States negotiated free-trade agreements such as NAFTA (the North American Free Trade Agreement) that reduced tariffs and supply chain friction.
By the turn of the century, supply chains had grown in complexity and frequently crossed international borders, but the cost savings and agility made it all worthwhile. We had to trust our new suppliers while having far less control, visibility and governance over their operations. Further improvements followed, such as just-in-time delivery, which offered additional benefits but deepened our dependence on distributed supply chains even more.
Early warnings of security gaps occasionally made the news. One example was the escalating “war on drugs” and reports of inventive traffickers exploiting supply chains along the U.S. southern border. Even non-experts had a hunch that traditional security approaches were badly outmatched by what seemed an impossibly large and growing attack surface.
Then Everything Changed…
Then a catastrophic event occurred. The attacks of September 11, 2001 triggered a renewed focus not only on air travel security; they also exposed vulnerabilities across the supply chains leading into the country. It didn’t take much imagination to see that attacks exploiting these supply chains could infiltrate and cripple the economy. Ignoring these risks was no longer an option.
Industry and government were mobilized into action. But how do you secure a diverse, sprawling and rapidly changing supply chain environment on which the U.S. economy now depended? It became clear that new solutions were needed.
Racing Against Time to Close Security Gaps
Everyone recognized that security couldn’t unduly impede the wheels of commerce, so the focus shifted to new, non-invasive security tools deployed broadly across the environment.
A new generation of security “scanners” was deployed. After all, you can’t secure what you can’t see. We’re familiar with the airport scanners we walk through as passengers, but many more specialized scanners were deployed to cover other parts of the supply chain: shipping port cargo scanners, radiation detectors, highway truck and container scanners, license plate readers, and more.
New certification models were also introduced to establish trust across diverse suppliers and supply chains. Individual suppliers were often diligent about securing their own piece of the ecosystem, but attackers see a group of highly interconnected systems and go after the weakest point. If you can establish a chain of trust back to each supplier and its delivery pipeline, you gain reasonable assurance of end-to-end security. A slew of bills over the following decade focused on just that. Policy efforts toward security standards and regulations took longer to implement, but promised better protection and a more efficient allocation of security resources.
Déjà Vu: History Repeating for Software Supply Chains
You can perhaps see parallels between the story above and the evolution of software supply chain security today.
For example, not long ago software was developed with a waterfall methodology by in-house developers working within the four walls of their employer. The software supply chain was vertically integrated and directly managed, and the risks were therefore far easier to manage.
Then software leaders began to outsource portions of their teams, just as other industries had. But the software industry went a step further and adopted open source software. Now you could outsource key functionality of your finished product to embedded open source libraries. Need logging for your Java app? Nobody builds that themselves anymore; development teams pull in popular libraries such as Apache’s Log4j. In fact, much of software development today is assembling code rather than writing it from scratch. Some industry studies estimate that up to 80% of enterprise software is assembled from outside sources.
A pure waterfall approach is also increasingly rare. Instead, the software industry has embraced DevOps and CI/CD (continuous integration/continuous delivery) to automate its software factory. These just-in-time deployment methods let developers keep pace with the business, and have spawned diverse tooling across the software development lifecycle, including new solutions for Infrastructure-as-Code, cloud deployment and other forms of automation.
These changes came relatively quickly, and security professionals did their best to keep up with the tools available. Some organizations have invested in “shifting security left” into the development process, including new roles and responsibilities under the banner of “DevSecOps”. But many businesses simply couldn’t slow product delivery for comprehensive security checks, particularly those deemed too intrusive, slow, or resource intensive, and so they made do with best efforts.
Then the software industry had its own wake-up call with the SolarWinds attack.
Afterwards, many realized that we had underappreciated the critical risks and vulnerabilities along our highly distributed, rapidly changing, and loosely governed software supply chain. And again, a recognition dawned that new tools and approaches were needed.
Every Digital Business Has a Software Supply Chain
Post 9/11, specific industries such as airlines, shipping, and transportation and logistics companies were directly affected by industry and government efforts to secure physical supply chains. These industries were the “physical gatekeepers” and were required to implement new security tools and processes. Many other companies and industries were not.
Today, software touches nearly every business in some capacity. Satya Nadella, CEO of Microsoft, is often quoted as saying that “every company is now a software company”. That means the available attack surface is again impossibly large and growing. And unlike the past, responsibility for software supply chain security falls on nearly every industry and business, large and small, that relies on software and digital business models to engage its customers and markets.
The blast radius of a successful software supply chain attack can also be extremely wide. By compromising one strategically placed component in a digital supply chain, attackers can wreak havoc downstream across a large ecosystem. The SolarWinds attack made headlines both because of its eye-opening attack method and because of the sheer number of high-profile customers left exposed to follow-on attacks.
More High-Profile Attacks Ahead
Since SolarWinds, attack frequency has increased. More supply chain attacks have been documented and more have received newsworthy coverage (e.g. Codecov, Kaseya). Analyst firms like Gartner, governmental organizations like ENISA, and vendors like Sonatype all predict significant increases, which, if true, will mean plenty more headlines.
When mainstream media reports on these incidents, it has the positive effect of informing business leaders of the risks, but also the negative effect of informing bad actors of the opportunity. Add it all up, and the incentives for cyber criminals to exploit software supply chain weaknesses keep growing. The attack surface is large, the range of available targets is vast, and the number of wide-ranging attacks and vulnerabilities keeps increasing.
Cyber criminals seek the path of least resistance to their objectives. If the trend continues, software supply chain attacks could become the preferred orchard of low-hanging fruit relative to other attack vectors.
Predicting The Future: Software Supply Chain Security
What does the future hold for software supply chain security, other than the likelihood of more frequent, high profile attacks? Historical patterns point us in at least two directions:
(1) New Security Tools to Scan and Analyze the Broader Environment
Modern software supply chains have become too distributed, complex, diverse, and rapidly changing for a patchwork of traditional security tools and manual security checks to be effective.
A new breed of security tools is needed to automatically scan and analyze the full environment, beyond the narrower scope of code scanning. They must be able to auto-discover all of the diverse tools, assets, pipelines and flows, and to recognize changes and their relative impact as they occur. These solutions should be designed to complement traditional application security tools, just as a new generation of passenger scanners and cargo radiation detectors complemented the hand-held metal detection wands used by security staff. They must also be easy to adopt across companies large and small and across industries.
(2) New Regulations and Certification Frameworks are Coming
Regulatory efforts have already started. In fact, back in 2012 the US National Strategy for Global Supply Chain Security was one of the first policy documents to bring cyber risk into supply chain security. It was followed by efforts from NIST (the National Institute of Standards and Technology), ENISA (the European Union Agency for Cybersecurity) and industry-specific bodies such as the US Federal Energy Regulatory Commission (FERC). More recently, US Executive Order 14028, Improving the Nation’s Cybersecurity, explicitly calls for enhancing software supply chain security. Industry is also responding with its own frameworks for securing the software supply chain, such as Supply-chain Levels for Software Artifacts (SLSA).
These frameworks will evolve into new regulatory requirements and certification approaches over time. The pace is difficult to predict and will likely be driven by the number and severity of future software supply chain attacks. Forward-thinking companies are not waiting for a regulatory requirement to act. Many board members and executives are instituting change now, based on a healthy appreciation of the financial, brand, and customer-abandonment risks of inaction.
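To make the “chain of trust back to each supplier and its delivery pipeline” concrete, here is an added example of the kind of policy check a SLSA provenance attestation enables. It is not Legit Security’s code or the SLSA project’s reference tooling: it takes a SLSA v1.0 provenance statement (an in-toto Statement), confirms that the statement is about the exact artifact bytes received, that it was produced by a builder on an allow-list, and that the build consumed source from the expected repository. The attestation, the builder ID `https://example-ci.invalid/builders/release@v1`, the repository URL and the artifact bytes are all constructed placeholders.

```python
"""Policy check for a SLSA v1.0 provenance attestation (in-toto Statement).

Added example for this article; it is not Legit Security's code nor the SLSA
project's reference tooling. The attestation, builder ID, repository URL,
digests and artifact bytes are all constructed placeholders.
"""
import hashlib
import json

# Policy: builders and source repositories we are willing to trust (assumptions).
TRUSTED_BUILDERS = {"https://example-ci.invalid/builders/release@v1"}
EXPECTED_SOURCE = "git+https://example.invalid/acme/payments-service"

ARTIFACT_NAME = "payments-service-1.4.2.tar.gz"
# Stand-in for the bytes a consumer downloaded (constructed for the example).
ARTIFACT = b"contents of payments-service-1.4.2.tar.gz (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A constructed SLSA v1.0 provenance statement describing ARTIFACT.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example-ci.invalid/buildtypes/container@v1",
            "externalParameters": {"source": {"uri": EXPECTED_SOURCE}},
            # Every input the build consumed; the source repo must be among them.
            "resolvedDependencies": [
                {"uri": EXPECTED_SOURCE, "digest": {"gitCommit": "0" * 40}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example-ci.invalid/builders/release@v1"}},
    },
}


def verify_provenance(statement: dict, artifact: bytes, artifact_name: str) -> list:
    """Return the list of policy violations; an empty list means the artifact passes.

    This checks the statement's contents only. In a real deployment the DSSE
    envelope signature over the statement must be verified against the
    builder's public key first, otherwise anyone can forge the JSON.
    """
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")

    # 1. The statement must be about this exact artifact: name and digest match.
    digest = sha256_hex(artifact)
    if not any(s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact digest not listed in statement subject")

    pred = statement.get("predicate", {})
    # 2. Only builds produced by a trusted builder count.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder: {builder!r}")

    # 3. The build must have consumed source from the repository we expect.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == EXPECTED_SOURCE for d in deps):
        problems.append("expected source repository not among resolved dependencies")
    return problems


def with_builder(statement: dict, builder_id: str) -> dict:
    """Deep copy of a statement with a different builder ID (to show rejection)."""
    clone = json.loads(json.dumps(statement))
    clone["predicate"]["runDetails"]["builder"]["id"] = builder_id
    return clone


if __name__ == "__main__":
    print("genuine:", verify_provenance(PROVENANCE, ARTIFACT, ARTIFACT_NAME))
    print("swapped artifact:", verify_provenance(PROVENANCE, ARTIFACT + b"!", ARTIFACT_NAME))
    print("rogue builder:", verify_provenance(
        with_builder(PROVENANCE, "https://attacker.invalid/builder"), ARTIFACT, ARTIFACT_NAME))
```

The three checks map onto the chain of trust the physical-supply-chain analogy describes: the digest ties the attestation to the artifact actually received, the builder allow-list ties it to a known delivery pipeline, and the resolved-dependency check ties it back to the supplier’s source. The check is only as strong as the signature it rests on, so in practice the DSSE envelope carrying the statement must be verified against the builder’s key before any of this JSON is trusted.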
Here at Legit Security, we are passionate about creating solutions for this next generation of software supply chain security challenges. If you’d like to engage with us further to discuss the future direction of this space, please drop us a note.