Ad Image

Software Supply Chain Security Is Going Mainstream in 2023. Here’s How.

Software Supply Chain Security Is Going Mainstream in 2023. Here’s How

Software Supply Chain Security Is Going Mainstream in 2023. Here’s How

As part of Solutions Review’s Contributed Content Series—a collection of articles written by industry thought leaders in maturing software categories—Tomislav Peričin, the co-founder and Chief Software Architect at ReversingLabs, outlines some of the reasons software supply chain security is going “mainstream” in 2023.  

Recent history is littered with tragedies that trace their roots to compromised or faulty supply chains. Whether it be the Tylenol tragedy in 1982, the 1986 Challenger Disaster, or the (much) more recent recall in the U.S. of over-the-counter eye drops tainted with bacteria. Software supply chain risk is an entirely different matter. The dangers posed by compromised or substandard software modules have maintained a low profile within many organizations, even as those organizations’ reliance on software and cloud-based services through so-called “digital transformation” mushroomed in the last two decades.  

However, things have changed. SolarStorm, the 2020 attack that compromised the software maker SolarWinds’ Orion software as well as other high-profile targets, led to an urgent reassessment of software supply chain risk by software development firms, their customers, as well as federal officials, and regulators. Attackers, be they cyber-criminal groups or nation-state actors, took note, as well. More than two years later, we are starting to see the byproducts of that shift in focus as software supply chain security emerges as a top area of concern and investment.  

How do we know? Here are four signs that software supply chain security is going “mainstream” in 2023:  

Software Supply Chain Attacks are Spreading 

The continuing drumbeat of supply chain attacks and compromises is the most obvious sign that focusing on software supply chain security is no distraction. 

Since the beginning of 2023, several high-profile incidents stemming from supply chain compromises have occurred. Most recently, we witnessed an attack on VOIP provider 3CX, which saw malicious code pushed to the company’s customers via a signed update for the 3CX desktop client application. Then there was the attack on CircleCI, a continuous integration platform vendor that exposed private code repositories hosted on the platform to malicious actors.  

Other incidents, like the accidental disclosure of stored secrets by the continuous integration platform TravisCI or successful red team attacks on application infrastructure used by automakers, revealed how public and private code repositories and their secrets had become stepping stones to damaging attacks on applications and data.  

Then there are the commodity attacks on open-source platforms, including npm, PyPI, and NUGet, in which malicious actors plant thousands of malicious packages, many designed to sow confusion among developers. ReversingLabs has compiled data showing a nearly 300 percent increase in supply chain attacks on platforms like npm and PyPI over the last four years. Recent events show those attacks spread to smaller, less frequented repositories like NUGet for .Net developers.   

Platform Operators Boost Supply Chain Defenses 

Threats and attacks on software supply chains are also driving investment by platform vendors in securing developers and code. Among the advances in recent months: GitHub introduced automated vulnerability scanning for code hosted on their repository. Recently, GitHub owner Microsoft integrated the OpenAi ChatGPT technology into CoPilot, a code-focused AI chatbot that can speed development and help developers accelerate growth and avoid common coding mistakes. A recently unveiled Security CoPilot will help security teams spot emerging threats by helping make sense of threat intelligence, correlate threat activity, and make decisions “at machine speed,” Microsoft said.  

Beyond that, GitHub has made its secrets scanning and detection feature available for free to public repositories hosted on the platform and strengthened account security for GitHub and npm account holders in ways that make it easier to implement two-factor authentication to protect developer accounts. By the end of 2023, GitHub will mandate two-factor authentication (2FA) for developer accounts.   

Given the deep reliance on open-source code and robust coding and code-hosting platforms, including GitHub, npm, and PyPI, the steps taken by significant platform operators in recent months will have huge impacts on developer practices and behaviors as they offer evidence that the scourge of software supply chain threats and attacks prompt actions and investments from major players.  

The Federal Government is Looking to Regulate Software Quality 

As much as the private sector drives innovation, the most salient moves to shore up the security of the software ecosystem and supply chains in recent months have come from the federal government. There, a series of orders and regulations have turned up the heat on software producers who do business with the federal government to fortify the security of developed code and the software supply chains that support it.  

First, there was the Biden Administration’s Executive Order 14028, issued in early 2021, and subsequent guidance, including the September memorandum M-22-18 and Enduring Security Framework practice guidelines issued by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Office for the Director of National Intelligence. The federal guidance outlines specific goals and requirements for federal agencies and their software suppliers regarding software supply chain security. Those include using Software Bills of Materials (SBOMs) and adherence to NIST Special Publication 800-218 on developing a secure software development framework and subsequent NIST guidance on software supply chain security.  

Finally, the recent publication of the Biden Administration’s National Cybersecurity Strategy began to shift the focus for securing software from end-users and individuals to software publishers, putting the onus for security on prominent players, the public and private sector, rather than continuing to blame the victims for breaches and adverse events.  

Pushing software publishers to improve the security of their wares is a crucial part of all of these measures. Beyond handing down mandates, the Federal Government is taking steps to ensure those mandates turn into improved practices. For example, CISA has created a Supply Chain Risk Management Office to operationalize software supply chain best practices in federal agencies. Meanwhile, another federal department, Federal Acquisition Security Council, is developing a standard scorecard for federal agencies to assess their supply chain risk based on federal guidelines from NIST and others.   

Development Teams are Wising Up 

Finally, developers and development organizations are coping with the threats of sophisticated cyber-criminals and nation-state groups. They are bolstering their defenses and skills to counter that threat. Development teams spent years focusing on identifying and fixing software vulnerabilities to the exclusion of all else. Meanwhile, the use of open-source code and public code repositories continued to grow unchecked, with little thought given to its underlying security. 

Development organizations are becoming more aware and wary of the risks lurking in their code and broader software supply chains. Free, powerful, and ubiquitous software modules like Core-JS are suddenly viewed differently: as a cash-strapped, single-developer project runs out of a sanctioned country. Development organizations across the globe are increasingly asking not just “What is in our supply chain,” but also “Who is in our supply chain?”   

At the same time, the parade of security incidents at significant platforms, and the resulting attention they receive, is raising developer awareness of long-recognized security risks. Platforms like npm and GitHub, long promoted as safe developer playgrounds, are now viewed as more ambiguous environments in which malicious actors troll for leaked credentials and threats lurk in the form of typo-squatted or corrupted packages, which can compromise entire development environments. 

That, in turn, is shifting developer behavior towards safer practices—abandoning “hard-coded credentials” while embracing the scanning and analysis of third-party packages, compiled binaries, and more. This should pay big dividends. For example, our analysis of the 3CX revealed clear warning signs in the compromised updates the company shipped to customers. More scrutiny of software artifacts post-build will surely derail some emerging supply chain attacks. 

Improving the quality and security of the software and services upon which our economy relies is truly a “boil the ocean” undertaking. The journey to a safer, more secure, more resilient software ecosystem has to start somewhere. Looking back, we may well decide that 2023 was an inflection point in that journey, when both the government and industry became serious about improving software security when the impact of that change in mindset finally began to show. 

Download Link to ERP Buyer's Guide Download Link to MERP Buyer's Guide Download Link to DERP Buyer's Guide

Share This

Related Posts