CIO priority: Software Supply chain Security
OX.security


Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. (Source: The new CIO security priority: Your software supply chain | CIO)

Recent cyber-attacks such as SolarWinds, Codecov, and Kaseya have made software supply chain security an important concern for enterprises. Software supply chain attacks have become more sophisticated through the use of approaches such as RaaS (Ransomware as a Service) and APTs (Advanced Persistent Threats).

(Image: ETL report)

What is a supply chain?

A supply chain is the combination of the ecosystem of resources needed to design, develop, and deploy a product. In cybersecurity, a supply chain includes hardware and software, open-source components, cloud or local storage, and the build pipeline.

Modern software development has made the software supply chain more complex than it was only a few years ago. There are multiple reasons for this growing complexity:

  • Product innovation - consumers today expect intuitive, feature-rich, and cutting-edge products. This puts software vendors under increased pressure to deliver more innovation, quickly and reliably.
  • External services - to enable fast delivery, organizations are more inclined to outsource elements not core to their business by embedding external services, such as payment, navigation, speech-to-text translation providers, and others.
  • Technology - technology is evolving at an unprecedented pace. New operating systems, processors, and graphics chips provide possibilities that were unknown until only a few years ago.
  • Process - the process of building software is now based on modern methodologies and practices like agile development, CI/CD, and DevOps, which have together resulted in an accelerated pace of delivery and time to market.
  • Code - the actual code used to build an application is an assembly of a much longer list of components, including custom code, open-source dependencies, build and packaging scripts, containers, and Infrastructure as Code.
  • Suppliers - these ingredients originate from a more diverse and distributed list of sources. They could be privately hosted code repositories, but more often than not they come from cloud-based, even public, sources.

Software supply chain attacks

In a software supply chain attack, attackers use malicious code to compromise an “upstream” component in the chain with the end goal of compromising the target of the attack: the “downstream” component. Compromising the upstream component is not the end goal; it merely opens a window of opportunity for the attackers to compromise the target of the attack, for example by inserting malware or providing a backdoor for future access.

(Figure: software supply chain diagram; labels: Source Integrity, Build Integrity, SCM, Source, Developer, Distribution, Package, Dependency, CI/CD, Build, Use, Artifact, Process, Platform.)

Any one of the links making up the software supply chain can be compromised. Indeed, there are as many possible supply chain targets as there are types of software. But current research highlights three main targets: dependencies, pipelines, and the combination of the two: pipeline dependencies.
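As an added example (not from the original post, and not code from OX Security or any tool named here), the following Python script shows the dependency-integrity check a build pipeline can apply against the first of those targets: every fetched package artifact is compared with a digest pinned when the dependency was first reviewed, and the build fails closed on a tampered, unpinned, or missing package. All package names, contents, and digests are constructed for the example; in a real project the pinned digests would come from the lockfile (for instance requirements.txt --hash entries or package-lock.json integrity fields).

```python
import hashlib
import hmac
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "reviewed" artifact contents; the pinned digests are derived from
# them so the script runs offline.
GOOD_HTTP_CLIENT = b"example-http-client 1.4.2: original, reviewed contents"
GOOD_YAML_PARSER = b"example-yaml-parser 0.9.0: original, reviewed contents"

# Constructed lockfile: package name -> SHA-256 of the artifact that was reviewed.
PINNED_DIGESTS = {
    "example-http-client": sha256_hex(GOOD_HTTP_CLIENT),
    "example-yaml-parser": sha256_hex(GOOD_YAML_PARSER),
}

# Constructed scenario: what the build actually fetched this time. The yaml
# parser bytes differ from the reviewed version (simulating a tampered upstream
# release), and a package nobody pinned has appeared as a new dependency.
FETCHED_ARTIFACTS = {
    "example-http-client": GOOD_HTTP_CLIENT,
    "example-yaml-parser": GOOD_YAML_PARSER + b"\n# unexpected additional code",
    "example-telemetry-helper": b"example-telemetry-helper 2.0.1: contents",
}

# Constructed scenario: a fetch that matches the lockfile exactly.
CLEAN_ARTIFACTS = {
    "example-http-client": GOOD_HTTP_CLIENT,
    "example-yaml-parser": GOOD_YAML_PARSER,
}


@dataclass(frozen=True)
class Finding:
    name: str
    status: str  # one of: ok, tampered, unpinned, missing
    detail: str


def verify_artifacts(pinned: dict, fetched: dict) -> list:
    """Compare every fetched artifact against its pinned digest.

    Returns one Finding per dependency. Anything other than "ok" means the
    build should stop before the artifact is unpacked or executed.
    """
    findings = []
    for name, data in fetched.items():
        actual = sha256_hex(data)
        expected = pinned.get(name)
        if expected is None:
            findings.append(Finding(name, "unpinned",
                                    f"no pinned digest for this package (got {actual[:12]})"))
        elif hmac.compare_digest(expected, actual):
            findings.append(Finding(name, "ok", actual[:12]))
        else:
            findings.append(Finding(name, "tampered",
                                    f"expected {expected[:12]}, got {actual[:12]}"))
    # A pinned dependency that silently disappears is also worth surfacing.
    for name in pinned:
        if name not in fetched:
            findings.append(Finding(name, "missing", "pinned dependency was not fetched"))
    return findings


def build_may_proceed(findings: list) -> bool:
    """Fail closed: every dependency must verify before the build continues."""
    return all(f.status == "ok" for f in findings)


if __name__ == "__main__":
    scenarios = (("tampered build", FETCHED_ARTIFACTS), ("clean build", CLEAN_ARTIFACTS))
    for label, artifacts in scenarios:
        results = verify_artifacts(PINNED_DIGESTS, artifacts)
        for f in results:
            print(f"[{label}] {f.status:8} {f.name}: {f.detail}")
        print(f"[{label}] proceed: {build_may_proceed(results)}")
```

The check deliberately treats an unpinned package the same as a tampered one: a new transitive dependency that nobody reviewed is exactly the kind of upstream link the paragraph above describes, so the pipeline surfaces it as a finding rather than quietly consuming it. Comparing digests with hmac.compare_digest keeps the comparison constant-time, which is cheap here and a good habit for any integrity check.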


References for further reading:

Software supply chain security solution | Snyk

Introduction - OX Security Documentation

Understanding the increase in Supply Chain Security Attacks — ENISA (europa.eu)

Arunkumar VR Priyamvadha Vembar Prakash Thangavelu Sureshkumar VS Tamilselvan Sellappan Bhuvanesh B

#DevSecOps #supplychainsecurity #CyberSecurity #bgsw #OXsecurity #snyk

Rakesh Ranjan

Gen AI Expert | AI in Cyber Security | Cloud Security | Cyber Security

1 year

A few readers asked about the major attacks that happened on the software supply chain, especially in the last 2 years. In the next article I am planning to focus more on this. Requesting you to please write your feedback and suggestions in the comments, and please collaborate together to make it more interactive. We are all here to learn from each other's experience.

Reply
Rakesh Ranjan

Gen AI Expert | AI in Cyber Security | Cloud Security | Cyber Security

1 year

In this introductory post, research from different sources has been used for reference. Moving forward, the discussion will be narrowed down to specific use cases and their solutions. Let us start exploring and talking about DevSecOps, Security as Code, and Software Supply Chain Security.
