Going Beyond Secure by Demand

COMMENTARY

In late June 2017, maritime giant A.P. Møller – Maersk was hit with a devastating software infection that affected "close to a fifth of the world's shipping capacity." 

As it turned out, the attack was not targeted at Maersk, but spun out of a regional "hot war" between Ukraine and Russia that saw a malware strain named "NotPetya" delivered to customers of a Ukrainian software company, with clients in the Ukraine and the rest of the world. The attack cost the global economy a whopping $10 billion in damages — the world's most costly cyber event to date.  

Seven years later, NotPetya is considered to be one of the most significant cyberattacks of our time. But this was not just a malware attack, but a software supply chain attack that exploited a commercial software update.  

In the years since, software supply chain attacks have taken center stage, with more incidents like NotPetya arising, including supply chain attacks on SolarWinds and the voice-over-IP firm 3CX. Also, Verizon's "2024 Data Breach Investigations Report" (DBIR) found that breaches stemming from third-party software development organizations increased by 68% from 2023. 

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) released Secure by Design guidance in 2023. This move signaled to software producers the need to securely design their products, track and mitigate common vulnerabilities and exposures (CVEs), implement legacy AppSec tools, and enable protocols like multifactor authentication (MFA). But it wasn't until August 2024 that CISA released new Secure by Demand guidance that approaches this problem differently by empowering enterprise buyers to demand safer commercial software products from their suppliers, period.  

Secure by Demand is a good starting point for enterprise buyers looking to raise the bar for the firms that supply them business-critical software. However, it's imperative that these businesses go one step further. Here's why. 

Software Assurance

Secure by Demand targets several areas of software assurance: secure software development, vulnerability tracking and patching, authentication and logging, and software transparency. CISA hopes that enterprise consumers will ask commercial software vendors about each of these areas during the procurement process.

While these checks target key parts of software supply chain security, CISA's guidance should include more than a list of questions — not so different from the prevailing form of third-party risk management (TPRM), which relies heavily on questionnaires. Unfortunately, such an approach falls well short of providing genuine software assurance.

Instead, questionnaires leave major gaps in assessments of third-party cyber-risk, in that enterprise consumers will ask smart questions of commercial software vendors but won't possess the appropriate capabilities to verify their answers. That lapse leaves enterprise buyers vulnerable, requiring them to blindly trust the attestations of the mission-critical software products they rely on.  

The same can be said for software bills of materials (SBOMs), which Secure by Demand also recommends to enterprise buyers. SBOMs provide transparency in that they list a piece of software's components, which can include open source, proprietary, and third-party software. However, not listed in an SBOM are the calculated risks associated with third-party and commercial software products.  

Consider this: Neither a detailed SBOM nor a completed vendor security questionnaire would have thwarted the NotPetya attack, as customers were unaware of the existence of a Russian backdoor in the offending software update. So why should enterprise consumers take comfort from SBOMs and questionnaires alone when looking to protect their organizations? 

Limited View of Supply Chain Risk

It's true: Some of the checks recommended by CISA in its Secure by Demand guide include the vetting of open source software components used in commercial software products. CISA also calls for end-user organizations to determine how software vendors find, disclose, and patch vulnerabilities in their software. However, software supply chain risks extend well beyond these checks.  

Sophisticated cybercriminal and nation-state groups today are targeting commercial software by compromising build pipelines to insert malicious code, or by uncovering and abusing secrets lurking in application code. This is evident in the fact that the most detrimental software supply chain attacks to date did not occur due to cybercriminals exploiting open source components and vulnerabilities in software. Rather, they targeted commercial software directly, as was the case with NotPetya, 3CX, and more.  

The Solution? Don't Trust — and Verify

For enterprise buyers to ensure that the commercial software they are consuming is safe, they will need to independently validate the security of their mission-critical software. Doing so will require more than just asking vendors to answer a list of questions and provide an SBOM. Proper validation requires independently testing and verifying that software is free from malicious components (open source or commercial), critical vulnerabilities, malware, tampering, suspicious behaviors, and more — before, during, or after its deployment. 

Secure by Demand offers a solid starting point for TPRM teams. But they should then take the essential step of using a mature software supply chain security solution — one that provides comprehensive and independent software analysis, to ensure they are not blindly trusting their provider's software. Such a tool should also offer an actionable software risk assessment, which serves as a TPRM team's recipe for success when protecting their organization from such incidents.  

Having this level of control and verifiable evidence will allow enterprise consumers to verify the security and integrity of the mission-critical commercial software they rely on, even in the wake of the latest software supply chain attack.