Securing the software supply chain is a multi-dimensional challenge

What is a software supply chain attack?

A software supply chain attack is an increasingly common form of attack in which an adversary slips malicious code or malicious components into a trusted piece of software or hardware before it reaches its users. By compromising a single supplier with one well-placed intrusion, the adversary inherits that supplier's trust relationship with its customers and can reach hundreds or thousands of victims at once, as the SolarWinds and Kaseya breaches showed.

"Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor."

- Nick Weaver, Security Researcher at UC Berkeley's International Computer Science Institute

Impact of the SolarWinds and Kaseya software supply chain attacks

In July 2021, Kaseya, a company that makes remote monitoring and management (RMM) software, was hit by a ransomware attack. The attackers exploited zero-day vulnerabilities in Kaseya's VSA product to push malicious code through its trusted update and management channel, turning the management software itself into the delivery mechanism. From there they reached Kaseya's customers - mostly managed service providers (MSPs) that run everyday IT functions for small and medium businesses - and through them an estimated 1,500 downstream SMB clients.

The SolarWinds incident, discovered in December 2020, was more sophisticated still. The attackers compromised the software build infrastructure of SolarWinds, an IT monitoring and management vendor, and inserted a backdoor into its Orion product, so that routine updates released between March and June 2020 carried the malicious code to customers while still being signed with SolarWinds' own legitimate code-signing certificate. The damage to SolarWinds and its thousands of enterprise and US government agency customers has been estimated at more than $100 billion.

Why is the software supply chain difficult to manage?

Such events are a vital concern for private and public sector organizations, and they require every party to hold software development, and the reliability and security of deployed operational components, to the highest standards. The implications of software supply chain attacks are well understood, but gaining proper visibility into the supply chain remains a multi-dimensional challenge.

Visibility is critical to preventing sophisticated attackers from exploiting software supply chains, and its absence is why these attacks can go undetected for such long periods. Gaining a comprehensive view of software components, dependencies and source code is difficult: it typically requires an extensive suite of tools that can be expensive to run and whose results are hard to interpret or communicate.

The visibility problem is compounded when the customer or organization does not own or have access to the software, as with government agencies that rely on third parties to develop critical applications. Previous efforts to evaluate third-party software were often ineffective because vendors made only portions, or outdated versions, of the software available, and even when scan results were shared the customer still had to trust blindly that those results described the software actually delivered. Comprehensive visibility into the software supply chain requires an updated process that ensures third parties share the latest, complete version of the software and that what was scanned can be tied to what was shipped.
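What tying scan results to the delivered software looks like in practice, as an added example that is not code from the original article or its author: the vendor records each component's name, version and SHA-256 digest at scan time, and the customer reconciles the delivered release against that record instead of accepting the scan report on its own. The manifest layout ("example-manifest/1"), the component names and the sample bytes are constructed for illustration; a real deployment would use a standard SBOM format and verify the vendor's signature on the manifest before trusting it.

```python
"""Reconcile a delivered software release against the component manifest that
the vendor produced when the release was scanned (an SBOM-style list of
component name, version and SHA-256 digest).

Added example with constructed data; the manifest layout ("example-manifest/1")
and the component names are hypothetical, not any real vendor's format.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Finding:
    component: str
    issue: str      # one of: missing, modified, relabeled, undeclared
    detail: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # The delivered release matches the scanned one exactly.
        return not self.findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict) -> str:
    """Vendor side: record name, version and digest of every component at
    scan time, as a JSON document that travels with the scan results.
    `components` maps name -> (version, bytes)."""
    doc = {
        "format": "example-manifest/1",
        "components": [
            {"name": n, "version": v, "sha256": sha256_hex(b)}
            for n, (v, b) in sorted(components.items())
        ],
    }
    return json.dumps(doc, indent=2)


def reconcile(manifest_json: str, delivered: dict) -> Report:
    """Customer side: compare what was delivered (name -> (version, bytes))
    against the manifest. Anything that differs means the scan results do
    not describe the software actually received."""
    manifest = json.loads(manifest_json)
    if manifest.get("format") != "example-manifest/1":
        raise ValueError("unsupported manifest format")
    report = Report()
    declared = {c["name"]: c for c in manifest["components"]}

    for name, entry in declared.items():
        if name not in delivered:
            # Scanned but not shipped: the customer got only part of the release.
            report.findings.append(Finding(name, "missing",
                f"version {entry['version']} declared but not delivered"))
            continue
        version, data = delivered[name]
        digest = sha256_hex(data)
        if digest != entry["sha256"]:
            # Bytes changed after the scan (rebuild, patch, or tampering).
            report.findings.append(Finding(name, "modified",
                f"delivered sha256 {digest[:12]} != scanned {entry['sha256'][:12]}"))
        elif version != entry["version"]:
            # Same bytes under a different version label: the paperwork no
            # longer matches even though the code does.
            report.findings.append(Finding(name, "relabeled",
                f"delivered as {version}, scanned as {entry['version']}"))

    for name in delivered:
        if name not in declared:
            # Shipped but never declared, so never scanned.
            report.findings.append(Finding(name, "undeclared",
                "present in delivery but absent from manifest"))
    return report


def demo() -> Report:
    """Constructed scenario: three components scanned, but the delivery
    omits one, rebuilds another after the scan, and adds an undeclared one."""
    scanned = {
        "agent-core": ("2.4.1", b"agent-core 2.4.1 release build"),
        "libcompress": ("1.0.9", b"libcompress 1.0.9 release build"),
        "updater": ("3.2.0", b"updater 3.2.0 release build"),
    }
    manifest = build_manifest(scanned)
    delivered = {
        "agent-core": ("2.4.1", b"agent-core 2.4.1 release build"),
        "updater": ("3.2.0", b"updater 3.2.0 release build + post-scan patch"),
        "telemetry-plugin": ("0.1.0", b"telemetry plugin, never scanned"),
    }
    return reconcile(manifest, delivered)


if __name__ == "__main__":
    for f in demo().findings:
        print(f"{f.issue:10} {f.component}: {f.detail}")
```

Running the script lists three findings: `libcompress` missing (a partial delivery), `updater` modified (rebuilt after the scan, so the scan says nothing about the shipped bytes), and `telemetry-plugin` undeclared (never scanned at all). Each of those is exactly the kind of gap that "blind trust" in a shared scan report would have hidden.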
