The digital world is ever-increasing in complexity and interconnectedness, and that's nowhere more apparent than in software supply chains. Our ability to build upon other software components means we innovate faster and build better products and services for everyone. But our dependence on third-party software and open source increases the complexity of how we must defend digital infrastructure.
Our recent survey of cybersecurity professionals found one-third of respondents monitor less than 75% of their attack surface, and almost 20% believe that over half of their attack surface is unknown or not observable. Log4Shell, Kaseya, and SolarWinds exposed how these statistics can manifest as devastating breaches with wide-reaching consequences. Cybercriminals already know supply chains are highly vulnerable to exploitation.
Why Insecure Software Supply Chains Are Everyone's Problem
Last year, a threat actor exploited a vulnerability in Kaseya's Virtual System Administrator (VSA) product to inject REvil ransomware into VSA's code. Kaseya supported thousands of managed service providers (MSPs) and enterprises, so its breach compromised a critical network component within thousands of organizations, and those organizations' internal systems were compromised in turn.
The ripple effect that Kaseya had on its customers can happen to any organization that uses a third-party software vendor. The European Union Agency for Cybersecurity (ENISA) analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough. The report found supply chain attacks increased in number and sophistication in 2020, continued in 2021, and, based on recent attacks by Lapsus$, is likely to carry over through 2022.
Like third-party vendor software, but at an even greater magnitude, insecure open source code can have a devastating impact on digital infrastructure, as the havoc wreaked by Log4Shell illustrates. The consequences are so severe partly because open source software remains foundational to nearly all modern digital infrastructure and every software supply chain. The average application uses more than 500 open source components. Yet the limited resources, training, and time available to the maintainers who voluntarily support these projects mean they struggle to remediate vulnerabilities. These factors have likely contributed to high-risk open source vulnerabilities remaining in code for years.
This issue demands immediate action. That's why the National Institute of Standards and Technology (NIST) released its security guidelines in February. But why are we still so slow to secure the software supply chain effectively? Because it's tough to know where to start. It's challenging to keep up with security updates for your own software and new products, let alone police other vendors to ensure they meet your organization's standards. Adding to the complexity, many of the open source components that underpin digital infrastructure lack the resources their project maintainers would need to keep them fully secure.
So, how do we secure it? It all looks pretty daunting, but here's where you can start.
First, get your house in order and identify your attack resistance gap — the space between what organizations can defend and what they need to defend. Know your supply chain and implement strategies that set teams up for success:
- Require a software bill of materials (SBOM) and maintain an accurate inventory of your organization's software licenses to know what vendors, programs, and networks could put you at risk. Open source software components are especially challenging to document; the Linux Foundation and International Organization for Standardization (ISO) have resources to help organizations determine an approach to track and identify open source for their SBOMs.
- Get a clear understanding of how your software (current or future purchases) supports or otherwise relates to your critical processes. Knowledge of this relationship empowers security teams to make the business case for prioritizing security and better understand what elements of the business will be put at risk depending upon the vulnerable vendor or component.
- Shift ownership of software security to the earliest stages of development. Known as "shifting left," this makes developers aware of security standards so that security and development teams collaborate to build secure products, and it reduces the amount of patching needed for insecure products that are already deployed.
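As an added illustration of the SBOM inventory step above (not code from the original article), the script below reads a CycloneDX-style SBOM, extracts each component's package URL, and flags components whose version is below a known fixed version. The SBOM document and the advisory list are constructed sample data, and the fixed versions in the advisory list are illustrative placeholders rather than a statement about real advisories.

```python
"""Flag SBOM components that fall below an advisory's fixed version."""
import json
import re

# Constructed sample SBOM in the CycloneDX JSON layout, reduced to the
# fields this check needs. A real SBOM would come from your build tooling.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"},
        {"type": "library", "name": "requests", "version": "2.27.1",
         "purl": "pkg:pypi/requests@2.27.1"},
    ],
})

# Constructed advisory list: purl without its version -> first fixed version.
# Illustrative placeholder values for this demo, not real advisory data.
SAMPLE_ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1",
    "pkg:pypi/requests": "2.20.0",
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def find_affected(sbom_json, advisories):
    """Return [(purl, fixed_version)] for each component below its fixed version."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            continue  # no purl means no reliable match; inventory quality matters
        key, _, version = purl.rpartition("@")
        # Strip purl qualifiers (?...) and subpath (#...) that may trail the version.
        version = version.split("?")[0].split("#")[0]
        fixed = advisories.get(key)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((purl, fixed))
    return findings


if __name__ == "__main__":
    for purl, fixed in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"AFFECTED {purl}: upgrade to >= {fixed}")
```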
Then, enforce your strategies and standards to maintain security for your organization and the collective security of the Internet:
- Evaluate every software vendor based on incident readiness and establish accountability. Including a vendor in your supply chain is an expression of trust, and you should only extend this trust when you believe that partner is worthy. Transparency across your organization and supply chain is key to excellent incident response. You can also use language from successful pre-existing programs for incident response and disclosure to inform guidelines.
- Adopt a clear integrity framework and a detailed vendor onboarding process. The framework should include documentation of how each supplier's software license supports your organization and which security tools each supplier uses internally.
- Develop a strategy to improve the security of open source components and contribute to their security through organizations dedicated to supporting project maintenance. Contributing to open source projects reduces the risk to your organization and everyone who uses open source code.
Most in the cybersecurity community are familiar with Murphy's Law: "Everything that can go wrong, will" — it defines the mindset of anyone working in this field. And if my experience in this industry has taught me anything, you just have to do your best to keep up with the inevitable increase in challenges, risks, and complexity of securing digital assets. Part of staying ahead of these challenges is remaining highly proactive when it comes to your security best practices, and if you haven't properly secured your software supply chain yet, you're already behind. But even if you've had a false start, the good news is that it's never too late to get back up.