Virtualization Technology News and Information
The Challenges of Software Supply Chain Attacks

By Eran Orzel, Chief Revenue and Customer Officer at Argon Security

The impact of the growth in software supply chain attacks on enterprises' cyber strategy

1. What is a software supply chain attack?

Software supply chain attacks are cyber-attacks against an organization's software supply chain: the infrastructure and process that turns source code into delivered software. In such attacks the attacker gains access to the supply chain through a misconfiguration, a vulnerability, or manipulation of the supply chain tools or their supporting services, and uses that access to steal data, tamper with the application, or make unauthorized modifications to the software while it is being built and delivered. At that point the attacker can use the company's own software update as a vehicle to distribute malicious code or create back doors in its customers' environments.

The SolarWinds attack is a good example of the potential damage of a software supply chain attack. In this nation-state attack against the network management software vendor SolarWinds, roughly 18,000 customers were exposed to the trojanized update and as many as 250 organizations were reported to have been actively attacked through it. The affected organizations included US federal agencies and top enterprises such as Microsoft and FireEye.

2. Understanding the software supply chain risks

Over the past few years, software companies have adopted continuous integration and continuous delivery (CI/CD) processes to automate their software supply chain, allowing them to ship products and feature releases faster and maintain a competitive advantage in their markets.

These new supply chain tools are open by design, automated, collaborative, and connected to and between many supporting systems, which creates an environment that is extremely complex and hard to secure. "Attackers have identified software supply chain attacks as a way to impact thousands of customers through a single attack," said Eran Orzel, Chief Revenue and Customer Officer at Argon, a leading software supply chain security provider. "This new wave of supply chain attacks is extremely hard to spot, so it's no surprise that most security teams are struggling to effectively deal with this new threat to their development environments."

These attacks have been on the rise in recent years and are proving to be a common and reliable way to compromise even well-resourced software companies (SolarWinds, Codecov, Microsoft). Compromising a company that provides widely used software gives attackers a path into every enterprise that uses that software.

3. Software supply chain attack vectors:

All technology vendors are vulnerable to supply chain attacks: any company that produces software or hardware for other organizations is a potential target. Below are six attack vectors that can be used in software supply chain attacks:

  • Bad code/file upload: Adding vulnerable packages, images, files or malicious code to your source code gives attackers a way into your application once it reaches production.
  • Compromised source code management: Your source code is the blueprint of your application and must be secured at all times. Attackers leverage privileged access, misconfigurations, and vulnerabilities in the source code management system to reach your process and your code.
  • Compromised service dependencies: Dozens of external services are connected to the pipeline to provide a given function or add value, and many of them are not secured at all. Once such a service is compromised, it can be used to interfere with and tamper with the pipeline.
  • Compromised build process: Gaining access to the build process through misconfigurations or vulnerabilities in the build server, its services, or its plugins gives attackers a way to manipulate the build and tamper with the code itself. Such activity is hard to identify because of the complexity of the process.
  • Compromised package registries: By gaining access to the package registry, attackers can upload compromised artifacts in place of legitimate ones, causing customers to consume the compromised artifact and install the attacker's malware unknowingly.
  • Bad package usage: Planting malicious code in popular open-source packages, container images, or public copies of private packages, and tricking users or pipeline tools (for example, an artifact repository such as Artifactory) into pulling them in as part of the application build.
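The last two vectors above (a compromised registry serving a substituted artifact, and a public copy of a private package being pulled in) are both caught by the same pipeline-side check: every artifact the build consumes must come from an allow-listed registry over HTTPS and must match a digest pinned when the dependency was reviewed, and anything else fails the build. The following is an added example in Python, not code from the article or from Argon's product; the lock-file format (`PINNED`), the registry allow-list, the artifact names, URLs and bytes are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample artifacts; in a real pipeline these are the bytes the
# build just downloaded. The "tampered" one stands in for an artifact that
# was substituted on a compromised registry.
GOOD_ARTIFACT = b"libfoo-1.2.3 legitimate tarball bytes (constructed)"
TAMPERED_ARTIFACT = b"libfoo-1.2.3 tarball with an added backdoor (constructed)"

# Hypothetical lock file: artifact name -> expected SHA-256 hex digest,
# recorded when the dependency was reviewed. It is computed from the
# constructed bytes here only so the example is self-contained; a real
# lock file stores the hex digest as a literal.
PINNED = {
    "libfoo-1.2.3.tar.gz": hashlib.sha256(GOOD_ARTIFACT).hexdigest(),
}

# Hypothetical allow-list of registries the build may pull from.
ALLOWED_REGISTRY_HOSTS = {"artifacts.internal.example"}


@dataclass(frozen=True)
class Artifact:
    name: str
    source_url: str
    data: bytes


def check_artifact(artifact, pinned=PINNED, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return (accepted, reason). Fails closed: an artifact is accepted only if
    it was fetched over HTTPS from an allowed registry, has a pinned digest,
    and its bytes match that digest."""
    url = urlparse(artifact.source_url)
    if url.scheme != "https" or url.hostname not in allowed_hosts:
        # Catches dependency confusion: a same-named package fetched from a
        # public registry instead of the internal one.
        return False, f"{artifact.name}: source {artifact.source_url!r} is not an allowed registry"

    expected = pinned.get(artifact.name)
    if expected is None:
        return False, f"{artifact.name}: no pinned digest, refusing unreviewed artifact"

    actual = hashlib.sha256(artifact.data).hexdigest()
    # Constant-time comparison of the fixed-length hex digests.
    if not hmac.compare_digest(actual, expected):
        return False, f"{artifact.name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{artifact.name}: ok"


def verify_build_inputs(artifacts, pinned=PINNED, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Check every artifact and return the list of rejection reasons.
    An empty list means the build may proceed."""
    rejections = []
    for artifact in artifacts:
        accepted, reason = check_artifact(artifact, pinned, allowed_hosts)
        if not accepted:
            rejections.append(reason)
    return rejections


if __name__ == "__main__":
    internal = "https://artifacts.internal.example/"
    inputs = [
        Artifact("libfoo-1.2.3.tar.gz", internal + "libfoo-1.2.3.tar.gz", GOOD_ARTIFACT),
        Artifact("libfoo-1.2.3.tar.gz", internal + "libfoo-1.2.3.tar.gz", TAMPERED_ARTIFACT),
        Artifact("libfoo-1.2.3.tar.gz", "https://public-registry.example/libfoo-1.2.3.tar.gz", GOOD_ARTIFACT),
        Artifact("libbar-0.1.tar.gz", internal + "libbar-0.1.tar.gz", b"unreviewed (constructed)"),
    ]
    for reason in verify_build_inputs(inputs):
        print("REJECT", reason)
```

Of the four constructed inputs only the first passes; the tampered copy fails on digest, the public-registry copy fails on source before its bytes are even hashed, and the unpinned package fails because nothing reviewed it. Running the check in the pipeline step that fetches dependencies, rather than after the build, is what keeps a substituted artifact from ever reaching the compiler.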

4. Software supply chain challenges

Software supply chain attacks grew four-fold in 2021 compared to 2020, with more vulnerabilities and attacks discovered every month. ENISA's (the European Union Agency for Cybersecurity) mapping of emerging supply chain attacks found that 66% of attacks focus on the supplier's code and software supply chain, exploiting the trust that customers place in their suppliers to distribute the attack or malware.

The massive effect of these attacks puts software companies high on the attacker's priority list and requires them to bolster the security of their development environment to better protect their infrastructure and applications. Security teams need to acquire the relevant knowledge and the cooperation of the development teams in order to define and execute an effective software supply chain security strategy: one with tools that can prevent supply chain attacks before they reach customers' environments.

This is not a simple task: effective supply chain security requires a dedicated security solution integrated into the CI/CD process itself. Without enforcing such measures on the software supply chain, software vendors risk losing the trust customers have in their software releases.

Argon Security is a leading provider in this space and a driver of discussions around software supply chain security frameworks in response to recent supply chain attacks such as SolarWinds and Codecov. The Argon solution helps companies protect the integrity of their software development environments, eliminating the risk from misconfigurations and vulnerabilities and preventing large-scale software supply chain cyber-attacks. It provides companies with unified visibility, security enforcement, and code integrity across the entire CI/CD pipeline, enabling DevOps and security teams to secure their entire software delivery process from commit to release.


Eran Orzel, Chief Revenue and Customer Officer at Argon Security

Eran Orzel is an experienced and innovative business leader with over 20 years of experience in cybersecurity and enterprise software leadership, spearheading sales and go-to-market roles.

Published Wednesday, September 15, 2021 7:31 AM by David Marshall