With the proliferation of open-source software and the increasing prevalence of supply chain attacks, companies must contemplate three essential strategies for fortifying their software security.
In the wake of last year’s alarming vulnerabilities in MOVEit and 3CX software, the cybersecurity community faces an escalating crisis of software supply chain attacks. These attacks have become a potent weapon for threat actors seeking to infiltrate and manipulate software providers’ networks to introduce malicious code. Subsequently, when compromised software is distributed to unsuspecting customers through updates or installers, it paves the way for unauthorised activities, including data theft and hijacking.
The scale of this threat is highlighted by a report from Sonatype, revealing a staggering 742% average annual increase in software supply chain attacks between 2019 and 2022. Unfortunately, experts do not anticipate this trend reversing any time soon. The severity of these breaches can be attributed to their intersection with two critical elements of the modern cyber threat landscape: increased sophistication of attacks and greater digitization, accelerated by the COVID-19 pandemic and emerging technologies.
Recent incidents like the SolarWinds compromise in 2019 and the Kaseya and Log4j attacks in 2021 have showcased the far-reaching impact of supply chain attacks. SolarWinds revealed that up to 18,000 customers may have unknowingly downloaded malware, while the Kaseya ransomware attack affected 1,500 companies and demanded a $50 million ransom. The Log4j vulnerability saw nearly 1.3 million exploitation attempts within the first seven days, and the aftermath of such breaches can persist for years or even decades. Mitigating software supply chain attacks is complex and expensive. IBM’s Cost of a Data Breach Report 2023 disclosed that the average cost of such a compromise is $4.63 million, 8.3% higher than other data breach causes. Detection and containment of supply chain breaches take an average of 294 days, 8.9% longer than other security breaches.
The transformation of software supply chains has played a pivotal role in this landscape. Traditionally, a substantial portion of code was written from scratch, but today’s digital ecosystem relies heavily on open-source software, collaboration within software communities, and technologies like generative AI. These diverse sources collectively constitute the software supply chain, introducing new security vulnerabilities with each element. To secure their software supply chains, organizations must adopt three key strategies:
- Implement a Software Bill of Materials (SBOM) to comprehensively inventory all software components used across the supply chain, allowing rapid vulnerability remediation.
- Conduct continuous scanning for publicly disclosed cybersecurity vulnerabilities in all components, from the early stages of development to runtime.
- Enforce zero trust policies to restrict unauthorized access to resources, particularly to counter zero-day attacks that exploit unknown vulnerabilities.
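To illustrate how the first two strategies work together, here is an added example that is not code from the article: it loads a constructed CycloneDX-style SBOM fragment, matches each component's package URL against a constructed advisory list (advisory IDs and version ranges are placeholders, not real CVE data), and reports which components fall inside an affected version range so they can be prioritised for upgrade. Only the CycloneDX field names (`components`, `purl`, `version`) come from the real format; everything else is assumed.

```python
import json
from typing import Iterable

# Constructed CycloneDX-style SBOM fragment for a hypothetical service (not a real inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "group": "org.apache.logging.log4j",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "jackson-databind", "group": "com.fasterxml.jackson.core",
     "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed advisory feed: IDs and ranges are placeholders, not real vulnerability data.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "ADV-PLACEHOLDER-2", "purl_prefix": "pkg:pypi/requests",
     "introduced": "0.0.0", "fixed": "2.31.0"},
]

def parse_version(v: str) -> tuple:
    # Dotted numeric versions only; any non-numeric segment compares as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    # Half-open range: introduced <= version < fixed (the convention OSV-style feeds use).
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_affected(sbom_json: str, advisories: Iterable[dict]) -> list:
    # Cross-reference every SBOM component against every advisory and collect the matches.
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        name_part = purl.split("@")[0]  # package URL without its version suffix
        for adv in advisories:
            if name_part == adv["purl_prefix"] and is_affected(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                hits.append({"component": purl, "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits

if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['component']} affected by {hit['advisory']}; upgrade to >= {hit['fixed_in']}")
```

Run against a real SBOM, the same loop would be fed by a maintained vulnerability database and scheduled to rerun as new advisories are published, which is what "continuous scanning" means in practice.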
With research predicting that 45% of organizations will experience software supply chain attacks by 2025, companies must take immediate steps to understand their software composition, audit their code rigorously, and embrace the principles of zero trust across their ecosystem. Failing to adopt robust strategies to document and address vulnerabilities in the supply chain can result in significant financial losses and reputational damage.