Nobody wants to be known as the weak link in the chain — any chain. But too many organisations are at risk of being just that in the digital supply chain because they haven’t made the cyber security of their products a priority.
The most recent evidence of that is the SolarWinds/Orion cyber attack.
SolarWinds, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion. Hackers were able to inject malware into an Orion update, and it spread to tens of thousands of SolarWinds customers when they did what experts tell them to do — keep your software up to date.
The domino effect in supply chain security
Instead of having to hack into each of those customers individually, the attackers compromised one vendor and let the supply chain take care of the rest, giving them access to the data and networks of that vendor's customers.
While the company’s original estimate of those that could have been affected by the corrupted update was around 18,000, SolarWinds CEO Sudhakar Ramakrishna more recently said on an earnings call that the estimate had dropped drastically, to about 100 private sector companies and nine federal agencies.
The federal agencies include the departments of Homeland Security, State, Justice, Commerce and Treasury, plus NASA, the FAA, National Institutes of Health and National Nuclear Security Administration.
It even affected FireEye, a company that helps organisations defend against and respond to breaches. The company announced in a Dec. 13, 2020 blog post that it had discovered the “global intrusion campaign,” allegedly by Russia, that had been going on at least since March 2020. The company also acknowledged it had been a victim itself. Indeed, if FireEye had not gone public, those other thousands of victims might still be unaware that they had been compromised.
This isn’t a new problem — security experts have been warning for years that supply chain vulnerabilities can exponentially increase the damage hackers can cause. But even with ongoing headlines confirming the validity of those warnings, there hasn’t been much substantive improvement in supply chain security over the past decade.
Senate Intelligence Committee Chairman Mark Warner (D-VA) acknowledged as much at a hearing on the SolarWinds hack in February 2021. The attack “highlighted a number of lingering issues that we’ve ignored for too long,” he said.
The good news is that improvement is possible, even without Congress getting involved. The ways to harden supply chain security are well-established. They also work, if organisations implement them.
So how to avoid being that weak link?
In today’s interconnected world, most organisations are both supply chain consumers and producers. That is, they consume materials, products, and services from various third parties like SolarWinds, and they also produce products and services for other organisations or for the public.
Supply chain security best practices for producers
The best way to start is with the fundamentals. For producers, the fundamental priority is to build security into the software that powers your products through every stage of the software development life cycle (SDLC). Those security measures include:
- At the start, architecture risk analysis and threat modeling can help eliminate design flaws before a team starts to build an application or any other software product.
- While software is being written and built, static, dynamic, and interactive application security testing can find bugs and other defects when code is at rest, running, and interacting with external input, respectively.
- Software composition analysis can help developers find and fix known vulnerabilities and potential licensing conflicts in open source software components.
- Fuzz testing can reveal how the software responds when it’s hit with malformed input.
- Penetration testing, or “red teaming,” can mimic hackers to find weaknesses that remain before software products are deployed.
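The software composition analysis step above, as an added example that is not part of the original post: a small checker that parses a pinned dependency manifest and matches each component against known-vulnerable version ranges. The manifest and the advisory identifiers are constructed for illustration, not taken from any real advisory database, and unpinned dependencies are rejected because their version cannot be assessed.

```python
"""Minimal software composition analysis (SCA) check.

Parses a requirements-style manifest of pinned components and reports
those whose version falls inside a known-vulnerable range.
"""

# Constructed sample manifest (requirements.txt style, all versions pinned).
MANIFEST = """\
requests==2.19.1   # HTTP client
pyyaml==5.3.1
urllib3==1.26.5
"""

# Constructed advisory data: package -> [(first_vulnerable, first_fixed, id)].
# Ranges are half-open: vulnerable if first_vulnerable <= v < first_fixed.
# The identifiers are placeholders, not real advisory numbers.
ADVISORIES = {
    "requests": [("0", "2.20.0", "ADV-EXAMPLE-1")],
    "pyyaml": [("0", "5.4", "ADV-EXAMPLE-2")],
    "urllib3": [("1.26.0", "1.26.5", "ADV-EXAMPLE-3")],
}


def parse_version(version):
    """Turn a dotted numeric version into a tuple so it compares correctly."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Return {package: version}; refuse manifests with unpinned entries."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:  # e.g. "flask>=1.0": version cannot be assessed
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, advisories):
    """Return (package, version, advisory_id) for every range match."""
    findings = []
    for name, version in deps.items():
        current = parse_version(version)
        for first_vulnerable, first_fixed, advisory_id in advisories.get(name, []):
            if parse_version(first_vulnerable) <= current < parse_version(first_fixed):
                findings.append((name, version, advisory_id))
    return findings
```

Running `find_vulnerable(parse_manifest(MANIFEST), ADVISORIES)` flags requests and pyyaml but not urllib3, whose pinned version equals the first fixed release.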
Michael Fabian, principal consultant at the Synopsys Software Integrity Group, said producers should also “investigate individual codebases to ensure that no unintended functionality has been included in current builds or deployments.”
That makes sense for a couple of reasons. First, it’s impossible to secure or protect something if you don’t know you have it or what it’s made of. Also, if you’re a producer, your customers are or should be demanding this level of scrutiny from you. If you can demonstrate that you’ve already done it, you’ve probably created a long-term customer.
Then, as Fabian put it, a “risk management and framing exercise should occur in accordance with standard frameworks, outlined by international standards bodies and industry leaders.”
Those activities can include:
- Discover potentially high-risk systems whose functionality would make them attractive to an attacker.
- Conduct vulnerability and risk management evaluations on development pipelines.
- Develop technical and organisational controls to address risk.
- Evaluate the SDLC with the aim of reducing vulnerable or compromised code.
- Conduct risk management activities on system delivery and deployment frameworks.
- Develop additional controls in response to discovered risks.
- Manage vendor risk for integrated third-party components.
Among other resources that help organisations improve their risk management is the Building Security In Maturity Model (BSIMM), an annual report that helps organisations grow and improve their software security initiatives by documenting what organisations in their industry are doing, and what works.
The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Secure your supply chain
As should be obvious, measures like these require staff and technology, which means time and money. But that investment can help an organisation avoid damages that go well beyond headaches: brand damage, legal liability, loss of market share, compliance sanctions, and more.
Beyond that, any business that wants to prosper knows it has to deliver products and services that function as intended and are safe. And in an almost universally connected world, to be safe they have to be secure as well.