Supply Chain Shock: Realities About the Security of the Software Supply Chain

28 October 2021

News reports of attacks on the “supply chain” are becoming an almost everyday occurrence. First there was SolarWinds, then Kaseya, followed by countless other large and small supply chain attacks.

Global businesses, economies, and lives are intricately connected to each other through applications and the internet. When critical systems are attacked and operations are affected, the downstream problems quickly become apparent.

According to recent research, security industry experts expect supply chain attacks to increase by a factor of 4 over the course of 2021, compared to last year. The impact of supply chain attacks can be devastating, resulting in significant operational delays, reputational damage, and financial loss—often in the millions of dollars.

In this blog, we’ll explore the security issues associated with the supply chain and why it is so critical for businesses to understand their role in the supply chain and what they need to do to protect themselves and their customers.

What is a Supply Chain Attack?

News sources and security professionals often toss around the term ‘supply chain attack’ to refer to a multitude of different attack types. In general, a supply chain attack is a cyberattack on one business that ripples through and affects operations at any connected business.

Software Supply Chain Attack

The type of supply chain attack most frequently in the news lately is a software supply chain attack. These attacks involve software connected to mission-critical systems. Usually, the software comes from a third party and contains malicious or tainted code, or unpatched vulnerabilities and bugs. Alternatively, a piece of hardware connected to a system—such as a router or industrial control device—may have software weaknesses that make it susceptible to attack. Any vulnerability in third-party software or hardware connected to a business puts that business at risk. This is how the SolarWinds attack happened, which ultimately affected 18,000 customers. The Kaseya software supply chain attack resulted in a ransomware attack that targeted 1,500 businesses.

Other Types of Supply Chain Attacks

There are two other supply chain-type attacks often referenced in the news that are worth noting for clarification. The first—a vendor supply chain attack—involves a cyberattack directly on a vendor that has access to customer systems and networks. The infamous 2013 Target data breach, which involved more than 100 million customers and included credit card numbers and personal customer information, was the result of stolen login credentials belonging to a refrigeration and HVAC vendor that had access to Target systems. Threat actors were able to gain access to Target systems via the vendor.

The other type of supply chain attack often referred to in the news involves cyber incidents with traditional “supply chain” businesses, such as transportation companies or manufacturers. Two classic examples include the recent Colonial Pipeline ransomware attack that temporarily shut down petroleum production and delivery and affected thousands of businesses and consumers along the East Coast of the United States and the 2017 NotPetya ransomware attack on Maersk shipping, which brought port operations and container shipping, among other things, to a halt for several days.

While all of these types of attacks cause considerable damage, the most common and dangerous type of attack to businesses is the software supply chain attack.

Why Businesses Need to Prepare for a Software Supply Chain Attack

Few, if any, businesses today rely solely on software applications created in house. Every business connected to the internet is using some form of software created by another company. Many businesses enhance their online operations using software add-ons created by other sources, and businesses building software often assemble it from code written by numerous different authors. This code is readily available in code libraries or software repositories such as GitHub.

Any software is at risk of a supply chain attack. Third-party code from libraries may contain vulnerabilities or tainted/malicious code. A server hosting software as a service (SaaS) may be compromised, rendering the SaaS product and its users susceptible to attack.

Often, these types of attacks go undetected for months and can affect businesses, even when cybersecurity defenses are comprehensive and current. Sometimes the software supplier doesn’t even know they’ve been compromised until their downstream clients are attacked or begin to experience problems. Ultimately, any business using the vulnerable software is at risk—making a software supply chain attack one of the most dangerous types of cyberattacks facing businesses today.

Hidden Dangers in Web Applications

A 2020 report from Forrester Research found that web applications account for 35% of the most common attack vectors. The problems boil down to vulnerable website tools like JavaScript, website security misconfigurations, and insecure third- and fourth-party website code that easily enable threat actors to use script attacks, SQL injections, malicious code insertions, and cross-site scripting (XSS), among other things, to steal information from users. These types of supply chain attacks can result in threats known as e-skimming (sometimes also called Magecart attacks), where a threat actor leverages vulnerabilities in web application code to steal customer information, such as name, date of birth, and credit card or banking data.
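The third- and fourth-party script problem described above starts with not knowing which external scripts a page loads and whether the browser verifies their content. The following is an added example, not code from the original post: it inventories the `<script src>` tags in a page, classifies each as first- or third-party against a list of hosts you own, and reports third-party scripts that carry no Subresource Integrity (`integrity`) attribute. The sample HTML and host names are constructed for illustration.

```python
"""Inventory the external scripts a page loads and flag third-party ones
that lack Subresource Integrity (SRI) pinning.

Added example, not from the original post; the sample HTML and host
names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a pinned first-party bundle, a pinned partner widget,
# an unpinned analytics tag (the kind of slot a skimmer hides in), an
# inline script and a relative-URL script.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/app.js" integrity="sha384-AAA"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://widgets.partner.example/chat.js" integrity="sha256-BBB"></script>
<script>window.cfg = {};</script>
</head><body>
<script src="/js/checkout.js"></script>
</body></html>
"""

class ScriptCollector(HTMLParser):
    """Record the src and integrity attribute of every external <script>."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_scripts(html, first_party_hosts):
    """Return (src, is_third_party, has_sri) for each external script."""
    p = ScriptCollector()
    p.feed(html)
    out = []
    for src, integrity in p.scripts:
        host = urlparse(src).hostname
        # Relative URLs and listed hosts are first-party; anything else is not.
        third_party = host is not None and host not in first_party_hosts
        out.append((src, third_party, integrity is not None))
    return out

def unpinned_third_party(html, first_party_hosts):
    """Third-party scripts the browser will run without verifying content."""
    return [s for s, third, sri in audit_scripts(html, first_party_hosts)
            if third and not sri]
```

SRI only helps for scripts whose content is stable between your reviews; a tag that changes on every vendor release has to be self-hosted or governed by a Content Security Policy instead.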

Best Practices to Help Prevent and Mitigate Software Supply Chain Attacks

Both software suppliers and software end users need to make sure they’re applying industry best practices to help prevent and remediate software supply chain attacks.

Software Supplier Best Practices

  • Know your web assets and the type of data they hold.
  • Adopt automation where possible, particularly when identifying web assets.
  • Use automated tools to conduct scans and monitor to identify code issues, intrusions, behavioral anomalies, and unknown threats.
  • Use tools that automate security policies on JavaScript-based applications.
  • Update software and patch vulnerabilities regularly.
  • Make sure the infrastructure and processes you use to deliver software to customers follow cybersecurity best practices.

Best Practices for Businesses Using the Software Supply Chain

  • Identify and document all software suppliers and vendors that have access to your networks and systems; if possible, take time to confirm the legitimacy and safety of any software supplier’s code or web application. Also require any vendor with access to your systems and networks to maintain cybersecurity best practices.
  • Adopt automation where possible, particularly when identifying web assets.
  • Use automated tools to conduct scans and monitor to identify code issues, intrusions, behavioral anomalies, and unknown threats.
  • Use tools that automate security policies on JavaScript-based applications.
  • Define risk for each software supplier based on dependencies and points of failure.
  • Know your web assets and the type of data they hold.
  • Update software and patch vulnerabilities regularly.

If you would like to ensure your web applications are using the latest security tools, check out our Inspector and PageGuard products. They are specifically designed to continuously scan and protect your business from attackers. And if you would like to see our products in action, please request a demo here: link.
