Author: Sindhuja Mahendran, Senior Consultant
Modern software is a complex supply chain consisting of code, components, build, packaging scripts, etc. In fact, much of the software we write today also contains several third-party libraries.
On the other hand, despite our best efforts, software is rarely defect-free. Vulnerabilities are often introduced — intentionally or accidentally — during development or usage. These vulnerabilities remain hidden and could be exploited because subsequent acquirers or users have limited ways of even knowing that they exist.
What is a software supply chain attack?
A software supply chain attack is where an attacker interferes in the software development lifecycle and negatively impacts end customers or users. This can occur in many ways – tampering of libraries, trojanized software updates, compromise of SaaS-hosted servers, stolen code signing certificates, exploiting existing vulnerabilities, etc. Both commercial software and open source libraries are vulnerable to software supply chain attacks.
Let us look at a couple of examples. Solarwinds, a network, database and IT security management software provider was impacted when attackers gained access to the company’s infra and inserted backdoor code. Solarwinds, unwittingly, pushed the upgrade to their customers, who were governmental agencies and Fortune 500 companies. The backdoor code stayed dormant for two weeks before transferring files from the host system to an external server.
Fact is 90% of all applications contain open source libraries and 11% of them commonly contain vulnerabilities. When applications contain code you did not write, you cannot control its vulnerabilities. This is what happened with Equifax. Malicious actors gained access to an array of systems by exploiting the vulnerability in their consumer dispute portal on the Apache struts library.
While these two examples throw light on a singular vulnerability, often, the damage is caused by a series of security failures. In Equifax’s case, username/password was available in plain text, their security certificate had expired and an available patch had not been applied.
Common supply chain attacks
In our experience, the most common software supply chain attacks are as follows:
Dependency confusion: this happens when a user is tricked into installing a malicious package from the public repository instead of pulling from a private registry.
Arbitrary installation of packages: a common way this happens is through typosquatting attacks — mistakenly typing a wrong package name in the command line. Also happens when the npm (the default package manager for the JavaScript runtime environment Node.js) allows dependencies to run scripts defined in them arbitrarily.
Account takeover: attackers take over the accounts of those who maintain popular libraries and publish malicious packages.
Information exposure: in the open-source world, it becomes indispensable that developers collaborate with their peers (in public). This leads to higher chances of credentials and sensitive information being leaked.
The good news is such ‘harm’ can be prevented with simple processes and the adoption of best practices.
Mitigating software supply chain attacks
Principle of least privilege: while establishing communication between SaaS and internal systems, follow the principle of least privilege — set up only communication that is absolutely necessary.
Isolated deployment of SaaS: deploy SaaS separately from the internal network containing other systems. This way, even if your SaaS implementation is breached, your internal systems and data remain protected.
Network segmentation: properly segment networks and set appropriate firewalls. Segregate high-critical systems.
Defense in depth: often, enterprises rest after establishing security controls at the perimeter level. This isn’t enough. Set up security controls at the system and application level as well.
Vulnerability and patch management: ensure use of tools to scan for vulnerabilities, including application dependencies in serverless, container images and open-source base images. Apply patches quickly. If you have a COTS product, keep them up to date and apply patches.
Identity and access management: set a strong password. Enable multi-factor authentication and SSO integration wherever possible across your supply chain.
Information exposure: use tools like Git-Secrets and Talisman, configuring them as pre-commit hooks. Scan the repository to find secrets and remove them immediately. Be wary of browser extensions, grant only permissions that are absolutely necessary.
Threat modeling: look beyond patch management. Model the impact of a compromise, how it affects other systems, what data could be exposed etc.
Data governance: enable organizational data governance. Set principles and practices to protect data assets. Define policies for who has access to what data, encryption at rest and in transit, etc.
While it is impossible to predict and prevent every security vulnerability, it would serve well to understand that attackers look for low-hanging fruits. So, by simply making it more complex for the attacker to get what they want, you can secure your software supply chain.
For more information on this subject, here is a video of the detailed XConf talk.
XConf is Thoughtworks' annual technology event created by technologists. It is designed for technologists who care deeply about software and its impact on the world.
Thoughtworks is a global software and technology consultancy that integrates strategy, design and engineering. We are 10,000+ people strong across 48 offices in 17 countries. Over the last 25+ years, we’ve delivered extraordinary impact together with our clients by helping them solve complex business problems with technology.
Discover the stories of your interest
Disclaimer: This article has been produced on behalf of Thoughtworks by Mediawire team.
