Tuesday, August 2, 2022

Software Supply Chains and Security Challenges

 
Recently I took part in a panel discussion and the topic was securing the software supply chain. It's a hot topic in cybersecurity right now. To prepare for the panel, I decided to look at changes in software development practices over the last decade and how supply chain risks have emerged because of those changes.

Four areas of change came to mind.

1. Digital transformation

A remarkable increase in the pervasiveness of software has occurred.  It was 11 years ago that Marc Andreessen said that software is eating the world.  It's even more true now. Every company is now a software company.  Recently, my wife and I wanted to see the new Top Gun movie. We used Cinemark's mobile app to review showtimes, reserve our preferred seats, pay for the tickets, and scan a QR code upon arrival.  Before digital transformation, Cinemark just showed pictures on a screen and sold popcorn.  

2. Faster time to market

Businesses today need software and applications developed and released quickly to stay relevant and gain a competitive advantage. The need to move faster drove innovation in software development. New practices, technologies, and toolsets came onto the scene including:

  • Agile development methodologies
  • DevOps processes
  • Cloud, containers, and IaC
  • CI/CD tools to automate builds & deployments
  • Microservice architectures

These innovations improved time-to-market, but have also introduced complexity and new attack vectors.

3. The rise of open source software

According to Veracode's State of Software Security (SOSS) report, open source code makes up a large part of an application's codebase.  It's up around 95% for a Java-based application. This led Chris Wysopal, Veracode's CTO and co-founder, to state:

    "In many respects, development teams have shifted from writing software to assembling software."

It is the job of a package manager (e.g., Maven for Java, NuGet for .NET, npm for Node.js) to perform the nitty-gritty details of assembling software, and this includes the complex process of managing direct and transitive dependencies. Package managers generally pull from centralized, public registries where thousands of open source components are hosted and shared. This opened up novel attack vectors, like dependency confusion.
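To make the dependency-management point concrete, here is a small lockfile audit I added for this post; it is not code from Veracode or from any package manager. It walks a constructed npm package-lock (lockfileVersion 2 layout) from the root, labels each package as direct or transitive, and flags two supply chain risks: an internal-scope package that resolved from the public registry (the dependency confusion pattern) and a package with no integrity hash. The "@acme" scope, the registry.acme.internal host, and the lock contents are all made up for the example.

```python
"""Audit a constructed npm package-lock for dependency-confusion risk
and missing integrity pins. Example code written for this post."""
from collections import deque
from urllib.parse import urlparse

# Assumption: the organisation publishes internal packages under the
# "@acme" scope and serves them from registry.acme.internal. Both names
# are invented for this example.
INTERNAL_SCOPE = "@acme"
INTERNAL_REGISTRY_HOST = "registry.acme.internal"

# Constructed lockfile: one public direct dependency that pulls in a
# transitive one, one internal package correctly served from the private
# registry, and one internal-scoped package that resolved from the public
# registry with a suspiciously high version and no integrity hash.
SAMPLE_LOCK = {
    "name": "acme-web",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0",
                              "@acme/auth": "^1.2.0",
                              "@acme/telemetry": "^0.3.0"}},
        "node_modules/express": {
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
            "integrity": "sha512-constructed-example-hash",
            "dependencies": {"body-parser": "1.20.1"},
        },
        "node_modules/body-parser": {
            "version": "1.20.1",
            "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz",
            "integrity": "sha512-constructed-example-hash",
        },
        "node_modules/@acme/auth": {
            "version": "1.2.3",
            "resolved": "https://registry.acme.internal/@acme/auth/-/auth-1.2.3.tgz",
            "integrity": "sha512-constructed-example-hash",
        },
        "node_modules/@acme/telemetry": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/telemetry/-/telemetry-99.0.0.tgz",
        },
    },
}


def walk_dependencies(lock: dict) -> dict:
    """Return {package_name: depth} reachable from the root; depth 1 = direct.
    Nested (non-hoisted) node_modules entries are ignored to keep this short."""
    packages = lock["packages"]
    depth = {}
    queue = deque((name, 1) for name in packages[""].get("dependencies", {}))
    while queue:
        name, d = queue.popleft()
        if name in depth:
            continue  # already reached at an equal or shallower depth
        depth[name] = d
        entry = packages.get(f"node_modules/{name}", {})
        for child in entry.get("dependencies", {}):
            queue.append((child, d + 1))
    return depth


def audit_lock(lock: dict) -> list:
    """Return human-readable findings for the lockfile."""
    findings = []
    for name, d in sorted(walk_dependencies(lock).items()):
        entry = lock["packages"].get(f"node_modules/{name}")
        if entry is None:
            findings.append(f"{name}: listed as a dependency but absent from the lockfile")
            continue
        kind = "direct" if d == 1 else f"transitive (depth {d})"
        host = urlparse(entry.get("resolved", "")).hostname or "unknown host"
        if name.startswith(INTERNAL_SCOPE + "/") and host != INTERNAL_REGISTRY_HOST:
            findings.append(f"{name}@{entry['version']} ({kind}): internal scope resolved "
                            f"from {host}, possible dependency confusion")
        if "integrity" not in entry:
            findings.append(f"{name}@{entry['version']} ({kind}): no integrity hash, "
                            f"tarball contents are not pinned")
    return findings


if __name__ == "__main__":
    for line in audit_lock(SAMPLE_LOCK):
        print(line)
```

Run it and the two findings both point at @acme/telemetry: the resolver fetched an "internal" name from registry.npmjs.org, and nothing pins what it downloaded. The usual fix is to map the internal scope to the private registry in the package manager configuration so public lookups for that scope are never attempted, and to fail the build when a lock entry lacks an integrity hash.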

4. Shift to microservices & APIs

The move away from large, monolithic codebases has accelerated in the last 3-4 years. With microservices, software is broken into smaller, independent parts that communicate via APIs. This allows for more scalability, flexibility, and resilience. Your organization likely consumes the APIs of service providers and other vendors, so they are part of your software supply chain. Poor API security is estimated to cost businesses $75 billion annually. In fact, in 2019 OWASP published a Top 10 list dedicated to API security.

Considering these dramatic changes over the last decade or so, it becomes more clear why supply chain attacks are in the news. The bad guys are still scanning systems for open ports and probing web applications for vulnerabilities. Now they are also looking to compromise CI/CD environments, insert malicious code into open source packages, steal cloud provider access keys, hack into APIs, and exploit known vulnerabilities in 3rd-party libraries. They look for weaknesses in your software suppliers too. Any software your company develops, consumes, invokes, or leverages in any way is fair game in the mind of cyberattackers.
 
Let's look briefly at two very different software supply chain incidents.

SolarWinds
SolarWinds is a provider of IT management & monitoring software called Orion. A sophisticated and carefully-planned attack was executed in 2020 where the automated update process for Orion was compromised. Customers who updated their Orion software inadvertently gave the attackers backdoor/shell access to their environment. Up to 18,000 organizations were victimized. SolarWinds said their "software build system" was hacked to insert malicious code.

Log4Shell
Log4Shell is a vulnerability in a Java open source library called "log4j" that was discovered in December 2021. It's been called the single most critical vulnerability of all time. Not only is it extremely severe (CVSS score of 10.0), it's easily exploitable and very widespread. It was found that 93% of cloud enterprise environments were vulnerable. The vulnerability sat unnoticed in the log4j library since 2013. Organizations around the world were thrown into panic mode scrambling to find where the vulnerable library was being used and quickly patch.
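The "find where the vulnerable library is being used" step is exactly what software composition analysis automates, and the core of it is simpler than it sounds. The script below is an example I wrote for this post, not Veracode's or Apache's code: it opens JAR files as zip archives, reads the Maven pom.properties that build tools embed under META-INF/maven/, and reports every library found, flagging those inside an affected version range. The affected range for log4j-core is entered from memory of the Apache Log4j advisory and must be checked against that advisory before use; the sample JAR is built in memory so the script runs offline.

```python
"""Inventory Java libraries embedded in JARs via their Maven pom.properties
and flag versions in a known-affected range. Example code for this post."""
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = re.compile(r"^META-INF/maven/(?P<group>[^/]+)/(?P<artifact>[^/]+)/pom\.properties$")

# Affected range as [lower, upper). Assumption: the log4j-core figures
# (2.0-beta9 up to and including 2.14.1, fixed in 2.15.0) are recalled from the
# Apache Log4j advisory and must be verified there; maintain this table from
# vendor advisories rather than treating it as a vulnerability database.
AFFECTED = {
    ("org.apache.logging.log4j", "log4j-core"): ((2, 0, 0), (2, 15, 0)),
}


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple.
    A qualifier such as 'beta9' ends the numeric prefix."""
    nums = []
    for part in re.split(r"[.\-]", text):
        m = re.match(r"\d+", part)
        if m is None:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def read_pom_properties(data: bytes) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_affected(group: str, artifact: str, version: str) -> bool:
    rng = AFFECTED.get((group, artifact))
    if rng is None or version == "unknown":
        return False
    lower, upper = rng
    return lower <= parse_version(version) < upper


def inventory_jar(jar_bytes: bytes, label: str) -> list:
    """One record per Maven artifact in the JAR; a fat JAR may bundle several."""
    records = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = read_pom_properties(zf.read(name))
            group = props.get("groupId", m["group"])
            artifact = props.get("artifactId", m["artifact"])
            version = props.get("version", "unknown")
            records.append({"jar": label, "group": group, "artifact": artifact,
                            "version": version,
                            "affected": is_affected(group, artifact, version)})
    return records


def scan_directory(root: Path) -> list:
    """Inventory every *.jar under root (what you would run on a server)."""
    records = []
    for path in sorted(root.rglob("*.jar")):
        records.extend(inventory_jar(path.read_bytes(), str(path)))
    return records


def build_sample_jar(entries: dict) -> bytes:
    """Constructed stand-in for a real JAR: a zip holding pom.properties files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed fat JAR bundling an affected log4j-core next to an unrelated library.
SAMPLE_APP_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
        "#Generated by Maven\nversion=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    "META-INF/maven/com.example/acme-web/pom.properties":
        "version=3.1.0\ngroupId=com.example\nartifactId=acme-web\n",
})

if __name__ == "__main__":
    for rec in inventory_jar(SAMPLE_APP_JAR, "acme-web.jar"):
        flag = "AFFECTED" if rec["affected"] else "ok"
        print(f"{rec['jar']}: {rec['group']}:{rec['artifact']}:{rec['version']} [{flag}]")
```

The fat-JAR case is the one that bit many teams in December 2021: a deployable that nobody thought of as "using log4j" had a copy shaded inside it, invisible to a filename search for log4j-core-*.jar. Reading the embedded Maven metadata catches that; a stricter check would also hash the classes inside, since metadata can be stripped during repackaging.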

These two incidents are radically different in nature, but both have their roots in the software supply chain. The SolarWinds attackers targeted software supplied to thousands of organizations. It appears they infiltrated the supplier's CI/CD toolset to insert their own scripts and take advantage of automated DevOps processes. On the other hand, Log4Shell was not a sophisticated nation-state hack, but vast numbers of organizations were impacted because of a reliance on open source software.

There is no one solution or tool to secure the entire software supply chain. There are some "no-brainers" available today to help, like scanning your applications to identify vulnerable open source components. I recommend Veracode's Software Composition Analysis for this. Auditing your CI/CD build systems for access control and integrity is another good step to take. Software bills of materials (SBOMs) are an initiative gaining momentum as well. It will be interesting to see how this area of cybersecurity evolves in the next few years.

(This post first published as a LinkedIn article