{"id":5266,"date":"2024-09-12T09:00:00","date_gmt":"2024-09-12T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/rising-tide-of-software-supply-chain-attacks"},"modified":"2024-09-12T09:00:00","modified_gmt":"2024-09-12T14:00:00","slug":"rising-tide-of-software-supply-chain-attacks-an-urgent-problem","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/12\/rising-tide-of-software-supply-chain-attacks-an-urgent-problem\/","title":{"rendered":"Rising Tide of Software Supply Chain Attacks: An Urgent Problem"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

In recent years, software supply chain attacks have moved from the periphery of concerns to the forefront. According to <\/span>Verizon’s “2024 Data Breach Investigations Report,”<\/a><\/span> the use of vulnerabilities to initiate breaches surged by 180% in 2023, compared to 2022. Of those breaches, 15% involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. <\/span><\/p>\n

These statistics come as no surprise, given the impact of several high-profile vulnerabilities in 2023. <\/span><\/p>\n

SolarWinds is probably the biggest known example<\/a><\/span> of a software supply chain attack to date. More than 18,000 organizations were affected, with <\/span>some reports stating the attack cost those affected 11% of their revenue, on average<\/a><\/span>.<\/span><\/p>\n

Similarly, <\/span>Okta also experienced a significant breach<\/a><\/span> where threat actors accessed private customer data through its support management system. The breach went undetected for weeks, despite security alerts.<\/span><\/p>\n

And let’s not forget the drawn-out <\/span>MOVEit Transfer tool attack<\/a><\/span>, which affected more than 620 organizations, including major entities like the BBC and British Airways. Linked to the <\/span>Cl0p ransomware group<\/a><\/span>, the attack clearly emphasized the urgency of promptly patching vulnerabilities and securing Web-facing applications. <\/span><\/p>\n

A very important detail to note is that the ramifications of software supply chain attacks could be enduring, both from a technical threat and liability perspective. In October 2023, nearly three years after the notorious SolarWinds breach, <\/span>the Securities and Exchange Commission (SEC) charged SolarWinds<\/a><\/span> with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a securities class-action lawsuit related to the breach.<\/span><\/p>\n

But to understand how these attacks occur and how they can be mitigated, it’s important to first understand what software supply chain security is.<\/span><\/p>\n

Unpacking Software Supply Chain Security<\/h2>\n

Gartner defines <\/span>software supply chain security (SSCS)<\/a><\/span> as a comprehensive framework encompassing the processes and tools necessary to curate, create, and consume software securely, thereby mitigating potential attacks on software or its use as an attack vector. This framework is structured around three core pillars:<\/span><\/p>\n

\n
    \n
  1. \n
    <\/span><\/p>\n
    \n

    Curation: <\/span><\/span>This step is all about evaluating third-party software components to assess their risks and determine if they’re suitable for use. By doing this, organizations ensure that only secure and compliant components make their way into the software supply chain.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  2. \n
    <\/span><\/p>\n
    \n

    Creation: <\/span><\/span>This shows the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves putting security measures in place throughout the software creation process to guard against vulnerabilities and potential threats.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  3. \n
    <\/span><\/p>\n
    \n

    Consumption:<\/span><\/span> This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and has not been tampered with or modified without authorization.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ol>\n<\/div>\n

    In simpler terms, SSCS encompasses all the software components used and built into an organization’s software, as well as the practices developers employ to write and monitor code post-deployment.<\/span><\/p>\n

    Gartner’s efforts in this area are a direct result of what it deems to be an escalating threat. In fact, it projects that the financial impact of supply chain attacks <\/span>will escalate from $40 billion in 2023 to $138 billion by 2031<\/a><\/span>.<\/span><\/p>\n

    The US government is also taking measures, mandating that its suppliers provide a software bill of materials (SBOM), underscoring the need for transparency and accountability in the software supply chain.<\/span><\/p>\n

    Building a Software Supply Chain Security Program<\/h2>\n

    Managing the risk of vulnerabilities during software development relies on two main processes: continuous code scanning throughout the software development life cycle (SDLC) and maintaining a highly automated SDLC to efficiently update, test, and deploy new software versions.<\/span><\/p>\n

    \n