July 11, 2022
Software, once the product of developers confined to writing long lines of code for specific applications, is now an exercise of integration – an amalgamation of third-party components provided by a variety of vendors, cloud providers and open source software (OSS) groups. In fact, today, as much as 90% of code comes from such outlets, creating a software supply chain.
There are great advantages to the software supply chain, including easy access to innovative functions, faster development cycles, greater efficiencies, and lower costs. But as one might expect, with so many external touchpoints and bits and pieces of third-party software being integrated, the opportunity for flaws and mistakes to be made, backdoors to be left open, and of course unauthorized access, increases.
Indeed, 2021 was a particularly big year for software supply chain attacks, the most destructive being that of the SUNBURST malicious code compromise of SolarWinds’ Orion Platform software. The sudden scourge prompted President Biden to issue a cybersecurity executive order in May 2021, detailing guidelines for how federal departments, agencies, and contractors doing business with the government must secure their software.
Although advanced data protection and data backup solutions can help organizations recover quickly from cyberattacks like ransomware, more must be done to attack the problem at the supply chain level.
Software supply chain cyberattacks work by exploiting a software component of a built product. They are distinct from traditional perimeter-penetration hacks, like email phishing attacks, as it is much easier to compromise a library, for example, that’s bundled into a main software build. With such hacks, products can be compromised at the factory, at the software-development level, or through maintenance upgrades that have been purchased and deployed into the network. After installation, the compromised nodes survey the network, then contact the command-and-control system owned by the cybercriminals.
This lets the perpetrators know their product is online. This particular type of hack is commonly called an Advanced Persistent Threat (APT), which is a prolonged and targeted cyberattack. With APTs, an intruder gains access to a network and remains undetected, or dormant, for a period of time until the cyber criminals decide it is the right time to initiate some action. That action may be confined to a particular group or business function, or widespread across multiple systems, like a critical infrastructure grid.
Another weak link in the software supply chain can be open-source software. Often, vulnerabilities and weaknesses within open-source code can go unmitigated, given the developers’ lack of resources. The Heartbleed bug in the open-source OpenSSL cryptographic library is just one example. OpenSSL was included in thousands of software solutions but maintained by minimal part-time staff. It was difficult to correct and replace when researchers found a flaw in the OpenSSL cryptographic library. Cybercriminals clued into the flaw, scanned for this version of OpenSSL on deployed software, and exploited it where possible. There is even older open-source code in existence with vulnerabilities that have no people or resources behind them to fix/update.
There is much that can be done to thwart such attacks, from diligently monitoring known vulnerability catalogs and lists, to legislating laws to identify and prohibit new activity when it arises.
Among the many functions of the U.S. National Institute of Standards and Technology (NIST), is the monitoring and cataloging of known software vulnerabilities. For the first quarter of 2022, alone, NIST’s National Vulnerability Database lists 8,051 vulnerabilities, which is about 25 percent more than the year-ago period.
Recently, the already infamous Log4J vulnerability was discovered. According to the Cybersecurity & Infrastructure Security Agency (CISA), Log4J is a remote code execution (RCE) of the Apache Software Foundation’s Log4J library.
“Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.” – CISA
In addition to the NVD, CISA also manages an up to date catalog of known exploited vulnerabilities. Be well aware, however, that hackers, too, have access to such lists. As a result, organizations that don’t routinely scan for exposures and install the upgrades and patches should not be surprised to find themselves in the crosshairs of the next attack.
As for President Biden’s 2021 Executive Order, the directive includes a requirement for software vendors contracting with the federal government to provide a “software bill of materials” (SBOMs) for the first time. Essentially, SBOMs are written records of the “ingredients” comprising a software product, open source and proprietary code. They include anything that went into, or affects, the software code – everything from who contributed to the code, what security tools were used, and known vulnerabilities, to the types of enterprise software it will support, and more.
Technically, the SBOM is a hierarchical and machine-readable inventory of all open source and third-party components present in a codebase. But the main goal of the SBOM is to try and ensure that components (physical and/or digital) are trustworthy (uncompromised) and come from vetted suppliers.
The world is now well aware of the threat and impact of ransomware; companies are paying more attention and educating employees about precautions needed, implementing cyber security systems, encrypting data, improving backup and recovery of critical data and systems. Many are working more closely with cybersecurity advisory groups like CISA and NIST and even making greater use of insurance.
But equal vigor must be applied to the software supply chain. Data protection and resilience is key to recovering quicky from cyberattacks like ransomware. But diligence and vigilance of all aspects of software development, must also be applied. Rigorous testing through the lifecycle, robust governance and a zero-trust policy within the development processes, as well as the vigilant monitoring of external vulnerabilities, are critical steps that need to be taken to start tightening the software supply chain – and slowing down ransomware.