What is a Software Supply Chain Threat?
A software supply chain threat happens when a malicious script is inserted into a software component that is then integrated into a commercial off-the-shelf (COTS) product, open-source software, a third- or fourth-party code repository or library, or an internally developed application. The inability to validate the composition and origin of open-source and proprietary code creates a risk when malicious actors compromise these scripts.
How Do Software Supply Chain Threats Work?
Software supply chain threats often start with a malicious actor who has access to the code library for the open-source or proprietary code used during development. The software supply chain attack can start with a malicious or accidental activity from an internal developer with authorized access or insertion from a malicious actor who has gained unauthorized access.
According to the Cybersecurity and Infrastructure Security Agency (CISA), a software supply chain attack typically follows these steps:
- Actor gains initial access to a code library or development environment.
- Actors can manipulate development tools, development environments, source code repository (public or private), or software update/distribution mechanism.
- Actor replaces legitimate code with malicious code, inserting targeted or untargeted malware into downloadable software or components.
- Software developers using compromised open-source code incorporate the malicious script into their build processes.
- Compromised code creates a vulnerability for companies integrating the product or component into their production environments.
Who Is Targeted by Software Supply Chain Threats?
Given the nature of software supply chain threats, any organization—large or small—can be impacted. Depending on the adversaries’ intentions, some industry verticals may face a greater risk.
Business-critical industries may be targeted by nation-state actors or monetarily focused cybercriminals, including:
- Financial Services & Banking
- Healthcare & Medical
- SaaS and Technology
- Communication, Social Media, & Content Producers
- E-commerce & Retail
- Travel & Hospitality
- Media Companies
- Cryptocurrency Exchanges & Blockchain
- Critical Infrastructure, like Energy or Oil & Gas
- Distribution & Transportation
- Real Estate
Who Is Impacted by Software Supply Chain Threats?
Problematically, the lack of transparency and traceability in the software supply chain leads to inherited risk across the business supply chain—which means any entity connected to that software or business will be affected by the supply chain attack. Software supply chain attacks increase the likelihood that a data breach will occur, impacting sensitive data like customer personally identifiable information (PII).
For example, those impacted by software supply chain risks can inherit risk through:
- The extended supplier chain
- Mid-supply chain insertion of malicious code
- Suppliers incorporating hostile content in their product or component
- Upstream intrusions lacking traceability from component to completed product
- Lack of integrity within third-party components
Since most organizations purchase or develop applications, software supply chain risk security is fundamental to application security.
Types of Attacks Involving Software Supply Chain Threats
Threat actors execute software supply chain attacks at three points in the application development process.
During development, software developers often use open-source code libraries to build their applications. When threat actors insert malicious code into publicly accessible code libraries, software developers who integrate compromised code blocks into their applications undermine their products.
In some cases, malicious actors use typosquatting (also sometimes called a homoglyph attack) to create malicious libraries as a way to trick developers when they search for code libraries. By changing a few letters in the library’s name, they can capitalize on misspellings. When developers use the code blocks, the malicious code’s functionality replicates the original code while compromising security, ultimately evading detection.
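As a defensive check for the lookalike names described above, the following added example (not code from the original page) flags dependency names that sit within a small edit distance of a trusted package name. The allowlist, the digit-folding map, and the sample dependency list are constructed assumptions.

```javascript
// Constructed allowlist of packages the team actually intends to use.
const TRUSTED = ["lodash", "express", "react", "cross-env", "electron"];
// Digits commonly swapped for letters in lookalike names (constructed, not exhaustive).
const CONFUSABLE = { "0": "o", "1": "l", "3": "e", "5": "s" };

// Levenshtein edit distance (insert, delete, substitute) using a single DP row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Fold case, separators and lookalike digits so "l0dash" and "crossenv" collapse
// onto the names they imitate.
function normalize(name) {
  return name
    .toLowerCase()
    .replace(/[-_.]/g, "")
    .replace(/[0135]/g, (c) => CONFUSABLE[c]);
}

// Report dependencies that are not on the allowlist but nearly match an entry on it.
function findLookalikes(dependencies, trusted = TRUSTED, maxDistance = 1) {
  const findings = [];
  for (const dep of dependencies) {
    if (trusted.includes(dep)) continue; // exact name: the intended package
    for (const good of trusted) {
      const distance = editDistance(normalize(dep), normalize(good));
      if (distance <= maxDistance) {
        findings.push({ dependency: dep, resembles: good, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed manifest: one legitimate name, four lookalikes, one unrelated package.
const SAMPLE_DEPS = ["express", "expres", "crossenv", "l0dash", "reakt", "left-pad"];
console.log(findLookalikes(SAMPLE_DEPS));
```

Run in CI against the dependency manifest, a non-empty result is a reason to stop the build and have a person confirm the package name before it is installed.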
Software updates address bugs or security issues and are usually pushed to customers via centralized servers. Threat actors can infiltrate the vendor’s network to insert malicious code into the update or alter it, which then impacts all customers who download and install it.
When attackers undermine code signing, they use self-signed certificates, break signing systems, or exploit misconfigured account access controls. Undermining code signing enables them to hijack the software update by impersonating a trusted vendor and inserting malicious code into the update.
Software Supply Chain Threats—Impacts
The impact of a software supply chain attack falls into four categories.
As with any attack, organizations can experience an economic impact. The impact of a software supply chain attack may include:
- Vendor no longer able to provide services
- Cost volatility
- Business interruption and operational disruptions
- Inability to locate a secure vendor
- Liquidity risk
- Decreased sales
- Stock price and market capitalization impacts
- Incident response and recovery costs
Reputation damage can go beyond simply customer frustration. Impacts of reputation damage due to software supply chain attacks and disruptions can include:
- Loss of existing customers
- Difficulty gaining new customers
- Problems with employee retention
- Challenges recruiting new talent
A data breach arising from a software supply chain attack leads to legal costs that include:
- Intellectual property or licensing violation
- Lawsuits such as purchaser liability or supplier fear liability
- Reimbursement for compromised PII
- Fines from violating privacy regulations or other laws
Since nation-state actors are often involved in these attacks, governments and critical infrastructure may be targeted. These attacks can have larger impacts across society that include:
- Geopolitical uncertainty
- Sabotage or terrorism
- Critical resource price spikes
How to Defend & Protect Against Software Supply Chain Threats
Software supply chain risk management is fundamental as organizations shift security left. For developers using components without a Software Bill of Materials (SBOM) to trace and validate code, the following best practices can mitigate risk.
- Incorporating secure software development practices throughout all life cycle phases.
- Reviewing source code and compiled code for known weaknesses or vulnerabilities.
- Using automated code testing tools like Feroot Security Inspector.
- Maintaining safe code libraries by reviewing for blocklisted external libraries, regularly patching/updating current libraries, and minimizing third-party library dependencies.
- Scanning for unauthorized scripts and anomalous code behavior with automation like PageGuard.
- Using an advanced, automated Content Security Policy (CSP) tool to fine-tune policies at the domain level for easy management, version control, and reporting.
- Requiring a software component inventory (SBOM).
- Monitoring SaaS applications to detect malicious code.
- Using Subresource Integrity (SRI) automation for visibility into anomalies or changes.
- Implementing Content Security Policies (CSPs) to define website communications.
- Monitoring the attack surface for known and unknown vulnerabilities and threats.
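To make the Subresource Integrity item above concrete, this added example (not code from the original page or from any product it names) audits a page's script tags and reports third-party scripts that lack a usable SRI pin. The origin, the sample HTML, and the placeholder digests are constructed, and the regex-based tag parsing is a simplification that a production audit would replace with a real HTML parser.

```javascript
// Constructed page origin and markup for the audit below.
const PAGE_ORIGIN = "https://shop.example";
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://tags.example/t.js" integrity="md5-CONSTRUCTEDPLACEHOLDER"></script>
`;

// Return the quoted value of an attribute inside one opening tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// List cross-origin scripts whose integrity metadata is missing or unusable.
function auditScripts(html, pageOrigin) {
  const ownOrigin = new URL(pageOrigin).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (!src) continue; // inline script: a CSP concern, SRI does not apply
    const url = new URL(src, pageOrigin);
    if (url.origin === ownOrigin) continue; // first-party script
    const integrity = attr(tag, "integrity");
    const issues = [];
    if (!integrity) {
      issues.push("missing integrity");
    } else if (!integrity.split(/\s+/).some((t) => /^sha(256|384|512)-/.test(t))) {
      // SRI defines only sha256, sha384 and sha512 digests.
      issues.push("no sha256/sha384/sha512 digest");
    }
    // A cross-origin resource must be fetched in CORS mode to be verified.
    if (integrity && attr(tag, "crossorigin") === null) {
      issues.push("missing crossorigin");
    }
    if (issues.length > 0) findings.push({ src: url.href, issues });
  }
  return findings;
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, PAGE_ORIGIN), null, 2));
```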