In cyber security conversations, the edge, the boundary, the endpoint, the cloud and so on are routinely cited as potential areas of vulnerability.
However, in several recent discussions on said topic, the area of “software supply chain” has cropped up regularly as a primary point of vulnerability that, all too often, companies are less aware of than they should be. A perfect example of this came in a recent catch-up session with Aqua Security, a company that started life focusing on container/Kubernetes security but has naturally expanded beyond this scope, without ever losing its original focus.
In the dev environment there are multiple potential weak points along the chain: insecure open-source software, container image vulnerabilities, unauthorised access to code – and, let’s face it, developers are legendary for leaving “back doors” wide open. There is much talk about bringing the worlds of SecOps and DevOps closer together, partly in order to resolve this murky landscape, and even the government has got involved in the debate: https://www.ncsc.gov.uk/collection/assess-supply-chain-cyber-security – with a process based on five practical steps and a framework intended as guidance on preventing breaches.
But you still need to have access to the right tools to do the job. Developing that bond between the different Ops teams and the developers themselves is anything but trivial, and that’s before company politics are taken into consideration. The main potential problem here – as is often the case in IT – is over-complication. Supply chains – in any form – are notoriously complex beasties to monitor and manage. Security infrastructures themselves are all too often both over-engineered and fragmented: lots of tools but lots of gaps, largely through ad hoc deployment and little or no overriding management capability. Combine the worst of those two worlds and it’s easy to see why breaches via the supply chain can – and indeed do, with many notable, high-profile examples over the past couple of years within the IT industry itself – occur.
In terms of those high-profile breach cases, these attacks often demonstrated how vulnerabilities in third-party products and services can be exploited by the bad boys, resulting in not one business suffering but potentially hundreds along that supply chain. The primary issue is that software supply chain attacks have a huge blast radius, impacting multiple targets simply by compromising a single, shared resource. And just in case you thought this was a relatively rare kind of attack, they grew by over 300%, year on year, between 2020 and 2021.
During the catch-up with Aqua, the company outlined three primary areas of risk for companies to address: use of vulnerable packages, compromised pipeline tools, and code and artefact integrity – and made it clear that companies need to understand and address these areas in order to improve their software supply chain security. What then is required in terms of a solution? Aqua cites a number of key capability requirements needed to cover all critical software supply chain attack vectors, including universal code scanning, a next-generation SBOM (Software Bill Of Materials), continuous open-source health assessments, automated pipeline security and CI/CD (Continuous Integration/Delivery) posture management.
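To make two of those three risk areas concrete, here is an added example (not code from the original post, nor from Aqua) showing the kind of check an SBOM and an artefact-integrity gate let you run in a pipeline: walk a CycloneDX-style SBOM and flag any component whose version falls inside a known-affected range, then verify a build artefact’s SHA-256 against the digest recorded for it before promotion. The SBOM, the advisory entries (EXAMPLE-ADV-*) and the artefact bytes are all constructed inline for this example and are not real data.

```python
"""Added example: SBOM vulnerable-package scan plus artefact integrity gate.

The SBOM, the advisory feed and the artefact are constructed for this
example; the advisory ids and package names are placeholders, not real
vulnerabilities.
"""
import hashlib
import hmac
import json
import re

# Constructed CycloneDX-style SBOM (the JSON layout follows CycloneDX;
# the components themselves are made up for this example).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.3.1",
         "purl": "pkg:maven/org.example/example-logger@2.3.1"},
        {"type": "library", "name": "example-http", "version": "1.5.0",
         "purl": "pkg:pypi/example-http@1.5.0"},
        {"type": "library", "name": "example-yaml", "version": "6.0.1",
         "purl": "pkg:pypi/example-yaml@6.0.1"},
    ],
})

# Constructed advisory feed: package name, first affected version, first
# fixed version. A real pipeline would pull this from an OSV/NVD-style source.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-logger",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-yaml",
     "introduced": "5.0.0", "fixed": "5.4.0"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so ranges compare numerically.
    Non-numeric parts (e.g. 'rc1') are treated as 0; this is a deliberate
    simplification, not a full semver parser."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def affected(version: str, introduced: str, fixed: str) -> bool:
    """Range check in the OSV style: introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan_sbom(sbom_json: str, advisories: list) -> list:
    """Return (component purl, advisory id) pairs for every vulnerable component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp["purl"], adv["id"]))
    return findings


# Constructed build artefact and the digest recorded for it at build time.
ARTIFACT = b"example-service-1.0.0 release bundle\n"
RECORDED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Integrity gate: promote the artefact only if its digest matches the
    digest recorded when it was built. compare_digest gives a constant-time
    comparison of the two hex strings."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


if __name__ == "__main__":
    for purl, adv in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"VULNERABLE {purl} -> {adv}")
    print("artefact ok" if verify_artifact(ARTIFACT, RECORDED_SHA256)
          else "artefact TAMPERED")
    print("tampered copy passes?", verify_artifact(ARTIFACT + b"x", RECORDED_SHA256))
```

Run as-is it flags example-logger (2.3.1 sits inside the constructed 2.0.0 to 2.4.0 range), leaves example-yaml alone (6.0.1 is past its fix), and rejects the tampered artefact. In a real pipeline the SBOM would be generated by the build, the advisory data would be refreshed continuously (the “continuous open-source health assessment” the post mentions), and the recorded digest would be stored somewhere the build system cannot silently rewrite.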
In other words, it’s all about continuous visibility – 24×7 monitoring and assessment of every strand and element in the supply chain. And, no, it’s not trivial to manage, but it has to be done, otherwise many businesses are put at risk, not just one. After all, as a cyber-criminal, why focus on one company when you can breach tens or hundreds with a single attack?