CIO priority: Software Supply chain Security

Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. The new CIO security priority: Your software supply chain | CIO

Recent cyber-attacks like SolarWinds, CodeCov, and Kaseya have brought the Software Supply chain security as important concern for enterprise. Software supply chain attack became more sophisticated by using advance technology such as RaaS (Ransomwares as Service) and APT (Advanced Persistent Threat).

What is a supply chain?

A supply chain is the combination of the ecosystem of resources needed to design, develop and deploy a product. In cybersecurity, a supply chain includes hardware and software, open-source components, cloud or local storage and build pipeline.

Modern software development has made the software supply chain more complex than it was only a few years ago. There are multiple reasons for this growing complexity:

• Product innovation - consumers today expect intuitive, feature-rich, and cutting-edge products. This puts software vendors under increased pressure to deliver more innovation, quickly and reliably. External services - to enable fast delivery, organizations are more inclined to outsource elements not core to their business by embedding external services, such as payment, navigation, speech-to-text translation providers, and others.
• Technology - technology is evolving at an unprecedented pace. New operating systems, processors, graphic chips are providing new possibilities that were unknown up until only a few years ago.
• Process - the process of building software is now based on modern methodologies and practices like agile development, CI/CD, and DevOps, which have together resulted in an accelerated pace of delivery and time to market.
• Code - the actual code used to build an application is an assembly of a much longer list of components, including custom code, open-source dependencies, build and packaging scripts, containers, and Infrastructure as Code.
• Suppliers - these ingredients originate from a more diverse and distributed list of sources. They could be privately hosted code repositories, but more often than not they come from cloud-based, even public, sources.

Software supply chain attacks

In a software supply chain attack, attackers use malicious code to compromise an “upstream” component in the chain with the end goal of compromising the target of the attack: the “downstream component”. Compromising the upstream component is not the end goal; it merely opens a window of opportunity for the attackers to compromise the target of the attack, by inserting malware or providing a backdoor for future access, for example. Source Integrity Build Integrity SCM Source Developer Distribution Package Dependency CI/CD Build Use Artifact Process Platform Any one of the links making up the software supply chain can be compromised. Indeed, there are as many possible supply chain targets as there are types of software. But current research highlights three main targets: dependencies, pipelines, and the combination of the two: pipeline dependencies.

References for further reading:

Software supply chain security solution | Snyk

Introduction - OX Security Documentation

Understanding the increase in Supply Chain Security Attacks — ENISA (europa.eu)

Arunkumar VR Priyamvadha Vembar Prakash Thangavelu Sureshkumar VS Tamilselvan Sellappan Bhuvanesh B

#DevSecOps #supplychainsecurity #CyberSecurity #bgsw #OXsecurity #snyk