Defending against the threat of software supply chain attacks

An abstract image of digital security.
(Image credit: Shutterstock)

The threat of software supply chain attacks has been well-known for years yet governments and businesses are still playing catch up. As a result of the transformation of digital life following the pandemic, cyber threats are increasing and businesses need to do more in order to protect themselves from such attacks.

One of the reasons software supply chain attacks are so potent is that they are so varied in terms of targets, methods and impacts. At a basic level, software supply chain attacks involve slipping malware or even a malicious component into a trusted piece of software or hardware. With one well-placed intrusion, attacks can ripple across a supplier’s network of customers - sometimes numbering thousands of victims.

About the author

Nick Caley is Vice President of ForgeRock for UK and Ireland.

Major attacks like SolarWinds and Keseya have exposed how much today’s organizations rely on third-party software suppliers, forcing the issue up the agenda in boardrooms and government.

But is enough being done? A 2021 survey by the UK’s Department of Culture, Media and Sport, found that only 12% of businesses have reviewed cybersecurity risks posed by suppliers. The UK government only recently launched a process looking into drawing up a set of minimum security standards for third-party suppliers involved in the government procurement process so official guidance will not be forthcoming for some time.

With attacks on the rise, protecting businesses from the scourge of software supply chain attacks is not only a business imperative: it’s crucial to help insulate the wider economy from ripple effects. So what can businesses do to prepare today?

Streamlining the software supply chain

A 2019 Gartner survey found that 60% of organizations work with more than a thousand third-party software suppliers and many expect that number to grow. Today’s digital supply chains are unprecedented in their scale and interconnectedness.

In order to minimize the risk of supply chain attacks, businesses should therefore aim to narrow their exposed perimeter, primarily by reducing the number of external suppliers they work with. As Toyota does with its hardware supply chain, focus should shift to relying on fewer suppliers with whom a relationship of deep trust and understanding is built. Working with fewer suppliers allows a business to concentrate its security and compliance efforts, and to work more proactively with trusted third-parties at all stages of the relationship.

Focus can then shift to ongoing monitoring efforts as opposed to relying on a more fixed-point-in-time approach centered on just initial due diligence or recertification down the line. Working with fewer suppliers allows supply chain security to be more regularly reviewed to adapt to incoming and evolving threats.

Securing access and entitlements within organizations

The pandemic has thrown up a host of cybersecurity challenges and organizations' legacy identity governance solutions, which manually manage user access and monitor access privileges, are straining under the pressure. This is a dangerous context into which to throw the challenge of sprawling - and therefore exposed - software supply chains, making it increasingly difficult for cybersecurity teams to ensure that the right person has the access to the right applications at the right time.

The result is that organizations are left unsure of who has access to what and, more importantly, why they have access. ForgeRock’s Consumer Identity Breach Report found that 43% of US data breaches are caused by unauthorized access.

Manually managing the end-to-end identity lifecycle and access requests across growing digital supply chains is expensive, fraught with risk, and creates extensive compliance challenges. New workers, suppliers and partners joining the growing digital supply chain ecosystem can be easily overprovisioned, creating the risk of ‘entitlement creep’. Additionally, access for those who depart the ecosystem may not be sufficiently deprovisioned. This assessment of access rights is both a dynamic and ongoing demand which if left to form filling, ticking boxes and rubber stamping has underlying risk that exposes the organization to a potential breach.

The ability to use AI to automate access approvals, recommend certification for low-risk accounts, and automate removal of unnecessary roles frees up IT, compliance and security teams to focus on high-risk requests and overprovisioning of supplier and partner access. Tackling the issue of risky access using AI-powered identity governance solutions will ultimately make it more difficult for software supply chain attacks to take place.

Implement secure-by-design software development

When it comes to the development and distribution of third-party software, knowing the right questions to ask software suppliers is crucial in ensuring that their security is of the highest standards. A demanding and inquisitive approach will not only secure a company’s own digital supply chain, it will also strengthen trust in the ecosystem as a whole, especially on the part of government officials.

Luckily, the National Institute of Standards and Technology, a globally recognized standard-setting body within the US Department of Commerce, has published a widely-recognized framework establishing common language and a set of guidance for developers, vendors and officials involved in software development, distribution and procurement.

The suggested guidance from NIST focuses on ensuring that a business's processes are prepared to perform secure software development at both an organization-level and for individual projects. It also focuses on protecting key products from tampering and unauthorized access. Also, strengthening processes to identify vulnerabilities as they arise and to prevent them occurring in future by implementing process improvements incrementally.

Implementing NIST’s guidance will allow businesses to monitor the cybersecurity of software suppliers and build trust with customers and partners across the digital supply chain.

Conclusion

With businesses set to face a fourfold increase in attacks in 2021 (according to the EU’s cybersecurity agency) it is crucial that all businesses involved in global software supply chains embrace a risk-informed approach to protect themselves and society. This can be done by streamlining their supply chains, implementing secure-by-design software development and adopting a modern, AI-powered identity governance solution. There no longer needs to be a compromise made between user productivity, experience and robust levels of security.

The recent White House meeting convened by the Biden administration for the CEOs of large American tech companies to discuss bolstering software supply chain security underscores that this will continue to be an important issue for all stakeholders for the foreseeable future. The stakes are too high to ignore.

Nick Caley

Nick Caley is the Vice President of ForgeRock for UK and Ireland. He has over 23 years of working experience and is passionate about technology.