How Software Supply Chain Security Threats Have Evolved
The increase in software supply chain attacks is largely driven by the high value of sensitive data and the complexity of modern software systems, which often rely on third-party components.
Organisations face challenges in identifying breaches, assessing impacts and restoring operations after incidents, leading to significant financial and reputational consequences.
Colin Bell is Chief Technology Officer for HCL AppScan, a leading product at HCLSoftware. He has held numerous leadership positions, including managing the application security services team at IBM for ten years, where he provided services related to tooling, automation and DevSecOps.
Speaking to Procurement Magazine, Colin discussed how the threat landscape has evolved, with attackers employing sophisticated techniques to target supply chains.
What are the main issues in securing software supply chains?
Securing software supply chains is challenging due to several factors. The biggest issue is the extensive reliance on thousands of third-party components, which increases the organisation's attack surface and compounds the need for robust security management.
The reliance on these open-source and third-party libraries maintained externally can impede security assessments due to reduced visibility and disclosure.
Furthermore, the constant updates and intricate dependency relationships in modern software can complicate tracking and securing components.
Vulnerabilities in third-party components can pose significant risks to entire systems.
What do organisations need to be doing more of?
I firmly believe that organisations must increase their visibility and transparency within their software supply chains. This involves implementing enhanced security practices, automating key processes and adopting effective tools.
By mapping supply chains, managing open-source components, ensuring secure coding practices and utilising vulnerability management and automation tools, organisations can gain a clear understanding of their application security posture and proactively address potential risks.
Finally, I also think regular assessments, incident response planning and employee training are key activities that many organisations could be doing more of to help maintain a strong security posture.
How has the software supply chain security threat landscape evolved in recent years?
Attacks have become more sophisticated, leveraging legitimate tools and processes to infiltrate supply chains and targeting critical infrastructure. New attack vectors such as typosquatting, dependency confusion and malicious code injection have emerged, while threat actors have become more organised and skilled.
These trends highlight the growing need for robust security measures to protect software supply chains from the evolving threats.
How has software supply chain security evolved in recent years?
In recent years, I have seen a significant trend towards the increasing emphasis on software bills of materials (SBOMs) and their integration into development and operational workflows. This trend has been driven by several key factors. In the wake of SolarWinds and Log4j, regulatory bodies have started to mandate the use of SBOMs to ensure transparency in the software supply chain, as seen in the US Executive Order on Improving the Nation’s Cybersecurity issued in 2021. SBOMs provide detailed information about software components, including their origin, version and known vulnerabilities, helping organisations build trust with their customers and partners.
The hope is that through SBOMs, organisations can quickly identify and mitigate risks associated with third-party components, which is crucial for addressing zero-day vulnerabilities and ensuring timely updates.
Additionally, the development of automated tools for generating and managing SBOMs, integrated with existing CI/CD pipelines, is accelerating, making it easier for developers to maintain up-to-date SBOMs without significant overhead.
Furthermore, there is a growing trend towards collaboration within the software ecosystem, with companies, open-source projects and industry groups working together to standardise SBOM formats and practices.
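To illustrate the SBOM point above in working code (an added example written for this article, not an HCL AppScan or Procurement Magazine tool), the script below parses a constructed CycloneDX-style SBOM and reports every component whose version falls inside an advisory's affected range. The component names, versions and advisory identifiers are all constructed placeholders, not real packages or CVEs.

```python
"""Cross-check a CycloneDX-style SBOM against an advisory feed (added example)."""
import json

# Constructed, minimal CycloneDX 1.4-style SBOM; real ones are produced by build tooling.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-logger", "version": "2.14.1",
     "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
    {"type": "library", "name": "acme-logger", "version": "2.17.1",
     "purl": "pkg:maven/com.example/acme-logger@2.17.1"},
    {"type": "library", "name": "left-pad-ish", "version": "1.3.0",
     "purl": "pkg:npm/left-pad-ish@1.3.0"}
  ]
}"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "maven", "name": "acme-logger",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm", "name": "left-pad-ish",
     "introduced": "1.0.0", "fixed": "1.3.1"},
]

def parse_version(v):
    """Numeric tuple for 'x.y.z' versions; pre-release suffixes are dropped (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-")[0].split("."))

def ecosystem_of(purl):
    """'pkg:maven/com.example/x@1.0' -> 'maven' (the purl type)."""
    return purl.split(":", 1)[1].split("/", 1)[0]

def is_affected(component, adv):
    """True when name, ecosystem and version all fall inside the advisory's range."""
    if component.get("name") != adv["name"]:
        return False
    if ecosystem_of(component.get("purl", "pkg:unknown/")) != adv["ecosystem"]:
        return False
    v = parse_version(component["version"])
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def find_affected(sbom_json, advisories):
    """Return [(purl, advisory id)] for every SBOM component in a vulnerable range."""
    sbom = json.loads(sbom_json)
    return [(c["purl"], adv["id"])
            for c in sbom.get("components", [])
            for adv in advisories if is_affected(c, adv)]

if __name__ == "__main__":
    for purl, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED {purl} -> {adv_id}")
```

Note that the patched 2.17.1 copy of the same library is correctly left out, which is exactly the version-level precision an SBOM gives an incident responder that a plain dependency list does not.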
Why do you think software supply chain attacks are increasing?
These attacks are increasing largely due to the heightened value of sensitive data. Attackers now recognise the lucrative potential of compromising supply chains.
They have refined their techniques to include methods such as supply chain poisoning, malicious code injection and software counterfeiting. Modern software systems, with their intricate dependencies and components, have become increasingly complex, making it difficult to maintain comprehensive visibility and control over the entire supply chain.
Additionally, our reliance on third-party components to accelerate development has expanded our attack surface, making more organisations vulnerable to exploits that can propagate through multiple applications.
These factors have converged to create a perfect storm, resulting in a significant increase in both the frequency and sophistication of software supply chain attacks.
How has the increase of third-party components and open-source libraries expanded the attack surface for malicious actors?
As mentioned, the widespread use of third-party components and open-source libraries has significantly expanded the attack surface, making it a goldmine for malicious actors. While these components undoubtedly accelerate development, they also introduce vulnerabilities that are ripe for exploitation.
Complex dependency chains further complicate the issue, as a vulnerability in one component can compromise the entire system. Armed with greater information about exploitable components, malicious actors are actively targeting these dependencies, inserting harmful code or exploiting unpatched vulnerabilities.
To combat this, organisations must remain vigilant, carefully manage their use of third-party components and take proactive steps to mitigate associated risks.
What are some of the struggles that organisations face when addressing breaches and restoring normal operations following a software supply chain security incident?
From what I have seen, when organisations experience software supply chain security incidents, they face a series of complex and often overwhelming challenges.
Identifying the breach itself or its extent can be incredibly difficult due to the intricate web of third-party components and dependencies involved. Pinpointing the exact entry point and understanding the full scope of the damage requires extensive investigation, often putting security teams under significant pressure.
Once the breach is identified, assessing its impact is another major hurdle. Organisations must determine which systems and data have been compromised, the extent of the exposure and the potential for ongoing threats.
This assessment is crucial not only for immediate remediation but also for informing stakeholders and meeting legal and regulatory requirements. Failure to comply with these obligations can lead to severe financial penalties and legal consequences.
Not to be underestimated is the overall financial impact of such an incident. It can be significant, ranging from direct costs associated with the breach (such as forensic analysis, legal fees and compensations) to long-term losses due to reputational damage and customer attrition.
Thoughts on the role of AI in software supply chains?
Like all areas in IT, artificial intelligence and machine learning have the potential to play a significant role in protecting software supply chains.
AI can automate tasks like vulnerability scanning, threat detection and incident response, improving efficiency and accuracy. Additionally, AI-powered anomaly detection is helping to identify suspicious activities that might indicate a compromise.
However, attackers can also leverage AI to automate their attacks, making them more efficient and harder to detect. For example, AI can be used to generate realistic phishing emails or identify vulnerabilities in software components.
As AI technology continues to evolve, organisations must be prepared to adapt their security strategies to address these new challenges and opportunities.
What is the future of software supply chains?
I believe the future of software supply chains will continue along its current trajectory, marked by increasing complexity, greater automation and the expanding role of artificial intelligence (AI), all underpinned by a strong focus on continuous security.
As software systems grow more interconnected and reliant on third-party components, organisations will need to adopt proactive security measures to safeguard their supply chains. Automation and AI will play crucial roles in identifying and mitigating risks, while embracing security-by-design principles will be key to building secure software from the start.
Continuous security will become a cornerstone of managing software supply chains. This approach involves ongoing monitoring, assessment and remediation of security risks throughout the software development lifecycle.
By continuously evaluating their supply chains and implementing robust security measures, organisations can significantly reduce their exposure to vulnerabilities and potential attacks.
Procurement Magazine is a BizClik brand