Best Practices for Reducing the Risk of Software Supply Chain Attacks

Recent cyberattacks such as the SolarWinds hack, along with exploits that take advantage of vulnerabilities such as Log4j, have highlighted the weaknesses inherent in the software supply chain. In light of the risk, the White House issued Executive Order (EO) 14028 on May 12, 2022, establishing new requirements for securing the software supply chain utilized by the federal government.

As directed by the EO, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Office of the Director of National Intelligence (ODNI) have published guidance to help developers create more secure software. The document outlines best practices for planning, designing and maintaining software from a security perspective.

Those federal agencies aren’t alone. The National Institute of Standards and Technology (NIST), along with the Linux Foundation and OpenSSF, have also recently published software supply chain guidance. The objective of these publications is to inform software developers, suppliers and buyers of the risks of software supply chain attacks and the role each plays in preventing them.


What Are Software Supply Chain Attacks?

Traditionally, hackers have exploited known software vulnerabilities to gain access to networks and launch attacks. In a software supply chain attack, hackers actually inject malicious code into commercial or open source software. The software is then distributed to customers, dramatically increasing the scope of the impact. That’s what happened in the SolarWinds hack, which affected some 18,000 customers who use the company’s network and infrastructure management platform.

The attackers gained access to SolarWinds’ network to embed the malicious code before the software was distributed — one of the primary supply chain attack vectors. Hackers also exploit software design flaws, weaknesses in the build process and vulnerable third-party components such as Log4j that are incorporated into software products.


Responsibilities throughout the Supply Chain

Preventing supply chain attacks begins with software development. The federal guidance document recommends that software suppliers set policies to ensure that development processes follow industry best practices. Developers should also have a thorough understanding of security frameworks and regulatory compliance requirements.

Trust modeling can be useful for identifying points where software or supporting infrastructure might be compromised. Code should be reviewed regularly against the model, and dynamic application security testing (DAST) should be performed before a release is checked in. DAST can identify vulnerabilities in third-party components and the operating system as well as the source code itself. Build processes should also be automated and auditable.

Of course, development is just one aspect of the software supply chain. Software suppliers have a responsibility to protect the code pipeline, verify third-party software, secure the delivery of software releases, updates and patches, and notify customers of any vulnerabilities. Customers should define their security requirements, have well-defined processes for acceptance testing and integrity validation, and apply security and risk management controls across the product lifecycle.


How DeSeMa Can Help

DeSeMa provides a wide range of security services to assist organizations at every point in the software supply chain. We can help development and operations teams build out continuous integration/continuous delivery (CI/CD) pipelines, incorporating automated DAST tools that work in the background without manual intervention. The latest tools can identify the application’s structure and create test sets automatically.

We can also perform complete IT asset inventories and implement tools that perform continual audits. Organizations can view all production systems, operating system versions, firmware updates and security patches through a web-based portal. They’ll be able to quickly identify any systems that are affected by supply chain vulnerabilities.

According to the Anchore 2022 Software Supply Chain Security Report, 62 percent of organizations had been affected by a software supply chain attack in the preceding 12 months. DeSeMa can help organizations throughout the software supply chain implement the processes and controls recommended in government and industry guidance to reduce the risk that an attack will proliferate.

Get Started Today!