With the proliferation of distributed systems, edge computing, and cloud-native technologies, software development and delivery lifecycles are becoming increasingly vulnerable to cyberattacks. Indeed, while organizations in the private and public sectors rapidly evolved their IT practices and implemented DevOps in order to meet consumer demands, security was widely addressed as an afterthought. Unfortunately, the skyrocketing number of software supply chain incidents has the government and industry struggling to find solutions to mitigate the alarming risks of supply chain attacks.
A significant step forward in the fight against rising malicious cyber campaigns that impacted the DevOps world was the U.S. Executive Order on cybersecurity issued earlier this year. The federal government’s change in approach from reactive to preventive came in the wake of the infamous SolarWinds Orion Platform incident, the DarkSide ransomware attack on Colonial Pipeline, and the Microsoft Exchange Server attack. More recent high-profile malicious cyberattacks include the T-Mobile data breach that compromised the data of the company’s current, former, and prospective customers, or the REvil ransomware attack on tech provider Kaseya that caused widespread downtime for nearly 1,500 businesses.
Similarly, the UK government issued a policy paper on cybersecurity in supply chains and managed service providers. While private sector companies have continuously made efforts to strengthen security practices throughout the software development lifecycle, the official measures are further emphasizing the criticality of the issue.
The urgency to bake security at every step of the software development lifecycle (SDLC) has reached an all-time high. The public and private sectors align in establishing DevSecOps as the way forward.
What are supply chain attacks?
Software supply chain attacks are a highly concerning malicious attack threatening software development companies, suppliers, and end-users. Cybersecurity threat actors typically hack source codes, build processes, or updates to insert malware in legitimate software that is then unknowingly distributed by trusted vendors (via the supply chain) to customers. As the compromised code makes its way—with the same trust and permissions as the legitimate software—down the supply chain, it can affect the data and systems of all users of the software.
Types of supply chain attacks
Among the various attack techniques threat actors employ, the National Institute of Standards and Technology lists the following three as the most common techniques:
- hijacking updates by infiltrating a vendor’s network during routine security or bug fix software update and either inserting malware or modifying the update to control the app’s functionality;
- hacking code-sign certificates to insert malicious code into updates using the vendor’s identity;
- compromising open-source code libraries that software developers typically utilize to obtain blocks of open-source code for specific functions to add to third-party or proprietary code.
Other types of supply chain attacks include compromising software building tools or specialized code planted in hardware or firmware components and pre-installing malware on devices. These types of cyberattacks require a long-term commitment and solid technical capabilities. Hackers infiltrate a system and gradually build the attack, which makes supply chain incidents challenging to detect.
Moreover, estimates today show that software developers write only 3% of an application or website’s codebase, while the remaining 97% represents open-source or third-party code libraries. This code may come from companies lacking strong security practices, putting the software products at great risk.
Shifting left with DevSecOps can help teams significantly reduce the risk of supply chain attacks.
Generally, threat actors bypass perimeter security measures to get initial access to a victim network and spread the compromised software to a significant number of their end-users. They act patiently and thoroughly, maintaining a light malware footprint to gain persistent access to the network. Then, attackers perform follow-on actions on selected targets by inserting additional malware. As such, software supply chain attacks can have devastating consequences on all users, from the developing company to third-party vendors to customers, both in the private and public sectors.
Keeping the supply chain secure with DevSecOps
Implementing DevSecOps allows organizations to integrate security best practices at every stage of the software supply chain lifecycle, starting as early as the product design phase to development and deployment. By shifting security left, organizations can significantly reduce security vulnerabilities and strengthen their control throughout the application lifecycle while leveraging the agility and speed of DevOps.
Organizations need to actively identify and disclose known vulnerabilities. By automating security scanning, DevSecOps provides increased visibility into code changes and potentially weak third-party code. This allows teams to mitigate the potential risks of threat actors exploiting vulnerabilities in the early stages of development.
Furthermore, DevSecOps allows teams to address vulnerabilities before they occur. With robust security practices and test tools, organizations can increase their defenses by continuously updating, patching, and removing affected code.
Due to their stealthy nature, supply chain attacks are challenging to detect and can severely compromise private and government networks or systems. Therefore, organizations need to adopt DevSecOps practices and demand that third-party software providers meet similar security requirements to enforce their cybersecurity defenses. This often means providing a software bill of materials (SBOM) listing all the software components developed by the third-party vendor.
Mitigating the risks of supply chain attacks requires a proper consideration of security, as well as continuous communication and transparency between vendors.