Software supply chain weaknesses are increasingly putting businesses at risk

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: A new survey from BlackBerry demonstrates how software supply chain weaknesses are increasingly putting businesses at risk. Also: Why higher education should be prioritizing CISA’s Secure by Design.

This Week’s Top Story

Software supply chain weaknesses are increasingly putting businesses at risk

A new survey from BlackBerry asked IT decision-makers and cybersecurity leaders in the U.K. about their insights on the state of software supply chain security, specifically in the country’s public sector. The survey found that half of respondents (51%) received a notification of either an attack or a vulnerability in their software supply chain last year – showcasing that many organizations globally are still struggling to fully protect themselves against various threats to software supply chains.

However, there was an interesting result regarding their trust in third-party vendors, with more than half of respondents (58%) believing their software supplier’s cybersecurity policies are comparable to or stronger than the ones they themselves have implemented. But this result raises the question: How are security leaders and their teams vetting the security of the third-party software they use?

Turns out, many of them are not. BlackBerry’s survey revealed that less than half of respondents (47%) took steps to ask their vendors for confirmation of compliance with certification and Standard Operating Procedures. In addition, just 38% asked for third-party audits, while 32% asked for evidence of internal security training. This indicates that the majority of organizations in the U.K., and likely elsewhere, are blindly trusting, but not verifying, the third-party software they’re using to conduct business. And even if an organization is taking steps to verify vendors, their processes likely don’t include a comprehensive, independent risk assessment of the software itself.

A vast majority of respondents (96%) also reported their confidence in their suppliers’ being able to spot and prevent a vulnerability within their environment. While this increased awareness and support for vulnerability mitigation is essential, it’s worth pointing out that vulnerabilities are just one of several risks posed to organizations relying on third-party software vendors. Vulnerability management alone will not thwart attacks that tamper with the software’s build environment, the exploitation of exposed software secrets, the insertion of malware into a piece of software, and more.

This lack of verification and a narrow understanding of supply chain risk among the U.K.’s public sector will only hurt software supply chain security efforts. Not only are these attacks increasing, but their impact is worsening. BlackBerry’s survey highlights this: 42% of respondents reported that their organizations take more than a week to recover from software supply chain attacks. Respondents also found that most of the time, they suffer financial loss (71%), data loss (67%), reputational damage (67%), operational impact (50%), or intellectual property loss (38%) as a result of these attacks. (TechRadar Pro)

This Week’s Headlines

Why higher education should prioritize teaching Secure-By-Design

Chris Wysopal of Veracode makes the argument that while many companies out there are working to adopt the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Secure By Design initiative, universities are behind in educating their students on the importance of developing secure software. “Programmers entering the workforce come from schools where secure coding is barely mentioned, let alone taught—exposing a real weakness in computer science education,” Wysopal noted. Cybersecurity education within computer science programs is seen as an afterthought, with Wysopal pointing out that out of the top 24 CompSci programs nationwide, 23 of them do not require a cybersecurity course to graduate. (Forbes Tech Council)

Threat-informed defense to secure AI

Authors Tabitha Colter, Shiri Bendelac, Lily Wong, Christina Liaghati, and Keith Manville outline a new collaborative effort between MITRE ATLAS and the Center for Threat-Informed Defense called The Secure AI research project. It’s designed to facilitate rapid communication of evolving vulnerabilities in the AI security space through effective incident sharing. This research effort will boost community knowledge of threats to AI-enabled systems in the wake of AI technology and adoption advancing exponentially across critical domains. New threat vectors and vulnerabilities are emerging every day for AI, and they require novel security procedures – making this effort paramount. (Mike Cunningham, Medium)

Congress advances bill to add AI to National Vulnerability Database

The U.S. House Science, Space and Technology committee advanced a bill that would allow the National Institute of Standards and Technology (NIST) to create a formal process for reporting security vulnerabilities in AI systems. The bill, the AI Incident Reporting and Security Enhancement Act, was introduced by a bipartisan trio of representatives from North Carolina, California, and Virginia. If approved by the full Congress and signed into law, it would give NIST the mandate to incorporate AI systems in the National Vulnerability Database (NVD). However, there are concerns surrounding the funding for this initiative, as is the case for many federal security projects. (Dark Reading)

Avoiding a geopolitical open source apocalypse

In recent years, China has increasingly become a center of gravity in the open source world. Chinese companies are also well-represented in major open source foundations such as OpenInfra and CNCF. Author Randy Bias is questioning what the future holds for open source given a growing divide between Chinese and American open source ecosystems. He notes, “Will there be an East and a West ecosystem that only touches occasionally? Or can we get past our differences for the common good?”

Bias points out that it makes sense for Chinese companies to be more willing to use open source software developed by Chinese stakeholders, rather than ones external to the country. However, he also warns that this may cause a greater issue in that Western companies may become unwilling to adopt this same open source software developed within China. (The New Stack)

The digital heist: Strategies for remediating supply chain attacks

In a world where code is the new currency, supply chain attacks are the heist of the digital age. Recent findings reveal a chilling trend: According to the 2024 ReversingLabs State of Software Supply Chain Security report, the industry witnessed a staggering 28% year-on-year surge in attacks on open-source libraries in 2023 alone. This article explores the challenges that CISOs are currently facing in managing the threats posed by open source software use, as well as solutions they can use to ensure that their teams are using them responsibly. These include greater developer awareness, increased management of third-party software risk, and continuous monitoring of threats. (CISO, Economic Times)

Looking for more insights on software supply chain security? Head to the RL Blog.

The Best of RL

Webinar | The 5 Misconceptions of Software Supply Chain Security

October 16 at 12 pm ET

While many organizations are evolving their strategies to combat software supply chain attacks, several misconceptions about the threat may leave them vulnerable. This webinar will expose and clarify five of the most common misunderstandings about software supply chain security, and provide actionable insights to strengthen your defenses. [Register Here]

Blog | 5 commercial software attacks — and what you can learn from them

Don't just roll the dice with commercial software risk. Here are key lessons from recent attacks for your security team. [Read Here]

Webinar | The Survival Guide to Managing Third-Party Software Risk

October 24 at 12 pm ET

Despite mature practices for securing internally-developed software, third-party software risk management (TPSRM) remains a nebulous function that lacks proper ownership and scalable methods. In this session, we’ll dive into the people, process and technology needed to build a scalable TPSRM program. [Register Here]

Looking for more great conversations to watch? See RL’s on-demand webinar library.