Since the Solarwinds supply chain attack, the internet has been abuzz about topics like supply chain and supply chain security. Many in the tech community want to understand what supply chain attacks are. Those who already know this want to understand how they can be secured and managed so that something like this doesn’t happen in their systems. In this article, let’s try to touch upon all these topics.
What is a Supply Chain?
In layman’s terms, a supply chain is a chain of processes consisting of planning, producing, and delivering products (software) and services to customers. Supply chain management aims to optimize the process and resources involved in the supply chain.
How Does a Supply Chain Attack Work?
Like the classic supply chain model, the software supply chain also has a “sourcing” stage. Modern software uses the code reusability principle by integrating various 3rd party and free open source software/libraries in their application code. It is estimated that more than 90% of codebases today use open source software/projects in some form or the other.
This reliance on free open source libraries and software comes with a risk. The addition of a single unmanaged, old, or unsecure open source library can make your entire application ecosystem a potential target. It is the same with integrating a COTS (commercial off-the-shelf) software as well. Sourcing a vulnerable piece of software or library can seriously jeopardize the overall security posture of your software. Therefore, it is imperative to manage the risks involved in using open source projects in a software supply chain.
How to Manage Your Supply Chain Risks
With the rapid growth in the use of open-source projects for development activities, it is crucial to safeguard ourselves against the possibility of falling prey to such attacks. Before directly importing open source dependencies in your package manager, it is worth reviewing their associated security vulnerabilities. This can be achieved manually by analyzing all open source components for any known security vulnerabilities or can be done using automated software composition analysis solutions.
As a best practice for open-source supply chain security, the following few steps should be followed:
1. Use verified package sources only.
2. Review your open-source libraries before adding them to your codebase.
3. Discourage the use of deprecated versions of any software.
4. Avoid using very new open source libraries as security researchers probably have not yet reviewed them for underlying security risks.
5. Make use of the framework’s inbuilt safety tools like NPM AUDIT.
Let’s look at the recent incident of the Solarwinds supply chain attack to understand this better.
Solarwinds Supply Chain Attack
Solarwinds is a popular software company used for writing system management tools for IT management. One of their most popular and deployed products is a network management system called Orion Platform. Orion Platform provides various solutions like network performance monitor, server and application monitor, log analyzer, patch manager, etc. To monitor and manage these system-generated events, Orion has the capability to make configurational changes on connected devices, making it a prime target for malicious attackers. Manipulating the Orion Platform can mean manipulating connected devices.
In December 2020, attackers were able to exploit Solarwinds’ supply chain by injecting malicious code and compromising the build process of the Orion Platform release builds. Close to 18,000 organizations downloaded digitally signed release builds and, therefore, unknowingly installed the lurking malware. As a result, hackers were able to gain access to Solarwinds’ clients’ systems.
To minimize the risks inherent in software supply chains topics, it is important to incorporate security controls at each stage of the supply chain.
We discussed how using open source software or even 3rd party software without conducting security audits can leave your supply chain vulnerable to attacks. It is vital that software security testing should not be pushed to the very end of the development cycle. Instead, it should be incorporated as early as possible in the design phase of the product. We hope this article has helped you understand software supply chains and their safety.
Share This Article
Do the sharing thingy
More info about author