According to a recent survey of over 1000 Chief Information Officers by identity management provider Venafi, 82% believe their organisation is vulnerable to cyberattacks that target software supply chains. Sonatype's State of the Software Supply Chain report finds that software supply chain attacks on open source increased by 650% in 2021, having already increased by 430% the year before. That is a total increase of 28 times over two years!
These numbers have implications for operational resilience programs across every sector. In this blog we cover:
- What is software supply chain?
- How big is the problem?
- Can we mitigate software supply chain attacks?
- Planning for operational resilience
- Engaging your third-party suppliers
What is software supply chain?
How big is the problem?
According to the Sonatype report, there were 457 billion Java components downloaded from the Maven Central Repository in 2021 – and 8% of these downloads had at least one known vulnerability.
These numbers emphasise the potential threat to software supply chains. While using them makes development teams more efficient, their use means that a single exploit might impact companies – and the public – across all sectors and geographies.
The SolarWinds event disclosed in December 2020 is one of the higher profile examples. Malicious code injected into the network management provider's systems was subsequently downloaded by approximately 18,000 SolarWinds customers, including government agencies and Microsoft. After downloading these updates, those customers were vulnerable to further attacks.
The Kaseya attack in July 2021 included ransom demands of $70 million to unlock encrypted files of more than 1,500 victims. The attackers exploited a zero-day vulnerability in Kaseya's remote monitoring and management software platform. That platform was used by dozens of managed security providers, who subsequently served thousands of customers downstream. In addition, Coop, a Swedish supermarket chain affected by the attack, was forced to close its stores for a full week.
Can we mitigate software supply chain attacks?
The short answer is yes. This isn't a technical cyber security blog, so we will leave the details to the experts, but we can provide some key questions you may want to ask your cyber teams:
- What practices do we have in place to secure our application source code?
- Do we use Software Composition Analysis tools to identify and mitigate vulnerabilities?
- What processes do we have in place to keep open-source packages up to date?
- What access and audit controls do we have in place to prevent unauthorized code changes?
- What assurances are in place for the above activities?
If these are not conversations your teams are already having, the explosive growth of these types of attacks may be a good reason to start.
Planning for operational resilience
While some software supply chain attacks are limited to gaining access to credentials or personal data, the closure of Coop supermarkets for a week in the Kaseya attack highlights that the potential disruption goes well beyond the risks associated with unauthorised access to data.
There is an inherent challenge in managing software supply chain attacks; it isn't just your own internally developed software. The use of third-party software also introduces risk to your organisation. It's unavoidable; it's how we do business. If affected, a third-party software supplier may voluntarily make their services unavailable while they assess the extent of the damage.
Here are some things to consider for your operational resilience program:
- Identify your important/critical business services
- Understand the resources needed to perform those services, including critical internal and third-party software
- Understand the impact on those business services if those resources are not available
- Consider scenarios that would impact on the availability of multiple resources simultaneously
- Consider scenarios that might affect your entire industry; are there resources you and your competitors share in common?
- Consider how you would respond to those scenarios; can you minimise the shock, recover quickly, and adapt?
It simply isn't possible to predict every possible variation of software supply chain attack scenarios. It reinforces that operational resilience is not only a process, but a capability that organisations must develop in order to adapt, learn and recover. It's not enough to have documented scenarios; it is management's tested capability to respond to evolving scenarios and crises that will enable resilience.
Engaging your third-party suppliers to manage software supply chain security
The concept of operational resilience includes being less susceptible to shocks in the first place. However, here is another sobering statistic: according to Venafi, 87% of CIOs believe that software engineers and developers compromise on security policies and controls in order to get new products and services to market faster. Considering that number in your own organisation may be alarming enough; now think about it for each piece of third-party software you use.
It isn't practical to audit every single practice of every single third-party provider. However, if you consider their software to be a critical resource, you may want to establish an ongoing assurance program that covers software supply chain security. You may want to involve your most critical third-party suppliers directly in your operational resilience and business continuity planning. This will give you more intimate knowledge of how they will respond to a potential threat.
What should you do next?
It's clear that software supply chain attacks are on the rise. Here is a summary checklist to help you improve your organisation's resilience:
- Review your security practices when it comes to in-house use of open-source code
- Consider incorporate assurance monitoring of the above activities as part of your enterprise risk management framework
- Ensure critical software is documented as resources in your operational resilience program
- Consider integrating software supply chain attacks into your operational resilience and business continuity scenarios
- Engage with critical third-party suppliers on their software supply chain security practices
You can find out more about what it means to be resilient and what is required to make operational resilience an integral part of your Enterprise Risk Management Framework in our Operational Resilience: Are you prepared for what’s coming on-demand webinar.